Why not having DMARC can still hurt your deliverability

In theory, having no DMARC record should have no impact on deliverability, but not everyone got that memo.

You may be among the majority of companies that, according to Return Path, do not publish a Domain-based Message Authentication, Reporting & Conformance (DMARC) policy. You may also know that with DMARC, it is the domain owner who defines how a receiver should treat a message that fails DMARC.

Therefore, you may believe that DMARC cannot affect your deliverability – “no policy, no problem” – but that isn’t necessarily true.

First, a quick refresher. Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) provide mechanisms for someone to prove that they sent a given message – or in the case of SPF, that the IP is permitted to do so. However, neither system says what an ISP should do if they receive an email that is either unauthenticated or fails authentication.

Enter DMARC, which enables a domain to tell a receiving site what to do with unauthenticated email. The options are accept, quarantine or reject and who to notify of failures.

In addition to authentication, DMARC requires “alignment,” which is about consistency between the domain used in an email’s headers and those in the authentication. To pass DMARC, a message must not only pass authentication, but its headers must be aligned.

For SPF this means the From: header must match the domain used for the SPF MAIL FROM. For DKIM, it means the domain in the signature must match the domain in the From: header of the email.

While a few major ISPs have adopted DMARC to protect their outbound email – Yahoo and AOL both publish reject records – many more honor DMARC when receiving email. Despite this, only 22 percent of companies publish DMARC records. With such a low adoption rate, ISPs are receiving an awful lot of email for which there is no DMARC policy.

In the absence of a policy, ISPs must still make delivery decisions. While authentication has generally been used as a positive sign, rather than lack of authentication being a negative, it’s probably no surprise that failing authentication may harm delivery. However, ISPs are increasingly looking at alignment even for domains that do not publish a DMARC policy. Alignment failure may still hurt your deliverability.

What this means it that only having third-party DKIM signatures or mismatched MAIL FROM and From: headers may cause deliverability problems. Exactly how much effect this will have is difficult to determine due to the complexities of filtering decisions, and will change depending on how strong a spam signal it proves to be over time.

What is clear is that as ISPs work to block phishing and other illegitimate messages, poorly-authenticated email may get caught in the net.

The result is, if you’ve been holding off on DMARC and trusting that not having it is doing no harm, or if you’ve just been relying on your ESP for authentication, it’s time to make a change. In time, authentication and DMARC will effectively become mandatory.

Contrary to what some have reported, Gmail isn’t going to start rejecting all email that fails DMARC. However, ensuring your messages are signed with your own keys, aligning your headers, and having your own DMARC policy will be an increasingly important part of ensuring your emails are successfully delivered.

Sorry to put another job on your already loaded plate, but it’s time to get your ducks in a row. Aligned, if you will.