deliverability letter

DMARC: What is it and why is it important?

Thoughts by Gracija Atanasovska • Writer Bento

You don’t have to be a cyber security expert to work as a marketer or to run an ecommerce venture. However, if you do either, sooner rather than later you will have to upskill to master email marketing!

Let's talk about DMARC today.

If you have no clue what that is, this text can help you become familiar with the basics of email authentication. And if you already have some knowledge on the matter, you can take this opportunity to get a better understanding of the subject and learn some ways to boost the performance of your next email campaign.

First up: Internet service providers (ISP) can block your emails if you don’t satisfy DMARC requirements.

This is one of the worst possible outcomes of any email marketing campaign because your message will not even reach its target audience, especially since you can easily keep your email authentication up to date to significantly reduce deliverability issues.

So, what is DMARC?

The acronym stands for Domain-based Message Authentication, Reporting, and Conformance. Yes, it’s a mouthful, but it refers to the most advanced authentication protocol used by commercial entities and ISPs to determine whether a message is potentially malicious or constitutes spam.

DMARC builds upon already established email validation technologies (DKIM and SPF, more on them below) to make sure the recipient's provider gets as much info on the sender as possible before deciding how to process the message in the mailbox. In essence, both sender and receiver exchange information with each other to validate whether the traffic is legitimate.

The primary application of DMARC is to prevent spoofing (sending a message on behalf of someone else), phishing attempts, and other instances of virtual impersonation with the intent to commit a cyber crime. As such, it's mostly used to protect clients from someone who tries to steal personal information or credit card details, which is why it affects ecommerce.

These are legitimate cyber threats with real consequences. Email marketers are affected by DMARC because those messages that can’t be authenticated are excluded from traffic (either quarantined or rejected), so you can’t expect to avoid deliverability issues just because your campaign is virus-free and spam-free.

One such scenario is when you send marketing messages on behalf of a client but you are not using their registered devices. The system might recognize your activity as similar to what a spammer or a shady actor would do and reroute your message.

Cyber threats and the systems that protect against them are in constant flux, and the rules change all the time to keep up with the latest developments. The most important aspect of DMARC for marketers is that it allows receivers to determine whether a message originates from your domain or someone is impersonating you. But there are other useful benefits of running these checks, and DKIM, SPF, and DNS are central to the way all of this is put together.

What are DKIM and SPF?

Both DKIM and SPF are email authentication methods essential to the proper functioning of the DMARC protocol.

DKIM

DomainKeys Identified Mail (DKIM) is used to determine whether someone has altered the content of a message to deceive the receiver. It’s a signature-based email authentication technique that relies on a matching private and public key. The message is signed with a private key (Identified Internet Mail specification), and the receiving server extracts the resulting DKIM signature from the email header.

The recipient’s server (in practice an ISP) validates the message if the signature checks out against the public key published in DNS (DomainKeys). If the signature and the public key don’t match, then you have a suspicious email on your hands.

DKIM allows an email provider to check if the message was intercepted and someone has added fraudulent information. They not only protect their clients in this manner, but they also use this feedback to set domain reputation within their ISP framework.

SPF

Sender Policy Framework (SPF) is used to validate whether a server is authorized to send an email for a certain domain. It’s a path-based email authentication technique that determines whether the domain in the return-path address is valid.

Active SPF is a great tool for domain owners – they can have an idea of IP addresses that are used to send messages on their behalf. If someone is trying to forge the origin of the message in the email envelope (email spoofing), the SPF will “catch them”. It’s as simple as checking legitimate IP addresses and hosts in the DNS records of a given domain.

Keep in mind that issues with SPF can also relate to any message sent on your behalf, and these entities are not always would-be criminals. As a marketer, you can be part of a marketing campaign for a given client. In such a case, you need to ask the domain owner to include your marketing email as a trusted source along with their regular email. Another example is customer support – if the company uses another platform to sort that kind of traffic out.

How do DKIM and SPF enable DMARC?

For starters, you have to have active DKIM and SPF to implement DMARC. In most cases, the incoming message has to comply with either DKIM or SPF to pass DMARC. The receiving server will extract the DKIM signature domain from the email header and will also extract a return-path address for the domain email. If either one of those is valid, the message is delivered; otherwise, the message is processed according to the DMARC record. These records are explained below.

What can DMARC do?

Apart from authenticating a sender, the DMARC protocol also provides feedback on the registered activity and determines further action.

This authentication method requires a sender to publish their DMARC policy in the Domain Name System (DNS). DNS records translate a domain name into an IP address, and here they also serve to identify the domain name in the “From” header.

The policy acts as a sort of beacon, informing all receiving servers about the DMARC template – how to identify the sender and how to proceed if there is an issue.

Once the server receives the DMARC policy of a given DNS, it proceeds by checking DKIM and SPF. The message has to “align” with either one of those to be delivered.

If the “From” domain and the DKIM d=domain match, then the DKIM aligns. If the “From” domain and the return address of the message (or “envelope from”) match, then the SPF aligns.

When the receiver successfully verifies the identity of the sender, your email will be delivered, but what if the validation check fails?

Going deeper

DMARC records keep track of activity and these reports include data on all emails. So if a message could not be validated, the DMARC policy will dictate what happens next. This is why the method is considered an authentication protocol; it initiates processing based on predetermined policy. There are three available policies: none, quarantine, and reject.

Obviously, the first policy treats all messages in the same manner, regardless of whether they have passed the validation check successfully or not. It’s most useful for monitoring trends before you actually enact one of the remaining policies. So if a message fails DMARC validation, the sender receives a report and that’s it until the sender takes additional action.

The quarantine DMARC policy instructs the receiver to treat messages that failed validation as spam. When this policy is activated, authenticated messages go into the recipients’ inbox, and the unauthenticated emails go into the spam folder. The server has protected its client, and if the recipient doesn't open the spam folder, they will never know that someone tried to send them a message from an unvalidated source.

The strictest policy is “reject”. When a message fails to authenticate, DMARC will reject the message straight away. This eliminates the opportunity to phish and scam the recipient or introduce malicious software to their computer.

Implementation of the DMARC protocol is useful for domain owners too. It’s one of the rare tools in the digital marketing industry that allows you to discover whether someone is trying to impersonate you and contact your clients without your permission. You have a proactive role in maintaining a solid sender reputation and can prevent anyone from using your domain identity to attack your customers.

DMARC Record vs DMARC Report

Your DMARC record contains the policy and is meant for the receiving end (ISP), while the DMARC report is addressed to the domain owner and serves to track activity from your domain. Let’s examine them in greater detail.

What does the DMARC record include?

v=DMARC1; p=none; pct=100; rua=mailto:[email protected];

In essence, we are talking about a version of a standard DNS TXT record that will share data with ISPs regarding how your domain is used and its policy so that a server can follow the instructions.

“v=” stands for the version of the protocol and almost invariably is: DMARC1;

“p=” stands for policy, the value in the example above is: none. As mentioned above, the other possible values are “quarantine” and “reject”;

“pct=” stands for the percentage of emails you want to follow the policy, most often the value is: 100;

“rua=” stands for the address that will receive aggregate reports; of course you can use any address to check the reports as long as you keep in mind that such reports can contain an extensive number of items.

Apart from the basic elements of a DMARC record, the TXT record can contain information on subdomains (sp), forensic reports (ruf, which is optional), DKIM (adkim) and SPF (aspf), all of which can be configured based on your requirements.
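The alignment check and the three policies described above, worked through as an added example (not code from the original article or from any mail provider): it parses a record like the one shown and returns what a receiver would do with a message. The domains, the `evaluate` function and its `roll` parameter are constructed for illustration, and relaxed alignment is simplified to a parent/child match, whereas real receivers compare organizational domains using the Public Suffix List.

```python
# Constructed sample record; the rua address is a placeholder.
RECORD = "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc-reports@example.com"

def parse_dmarc(txt):
    """Split a DMARC TXT record into a {tag: value} dict and sanity-check it."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("missing or invalid p= policy")
    return tags

def aligned(from_domain, auth_domain, mode):
    """mode 's' = exact match; 'r' = parent/child domains also match (simplified)."""
    a, b = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    if a == b:
        return True
    return mode == "r" and (a.endswith("." + b) or b.endswith("." + a))

# Next less strict policy, applied to messages outside the pct= sample.
DOWNGRADE = {"reject": "quarantine", "quarantine": "none", "none": "none"}

def evaluate(record, from_domain, spf, dkim, roll=0):
    """spf and dkim are (passed, domain) tuples; roll (0-99) is compared to pct=."""
    tags = parse_dmarc(record)
    spf_ok = spf[0] and aligned(from_domain, spf[1], tags.get("aspf", "r"))
    dkim_ok = dkim[0] and aligned(from_domain, dkim[1], tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"  # one aligned pass is enough
    policy = tags["p"]
    if roll >= int(tags.get("pct", "100")):
        policy = DOWNGRADE[policy]
    return policy

if __name__ == "__main__":
    # A third-party platform sending as example.com with only its own domain authenticated.
    print(evaluate(RECORD, "example.com", (True, "esp.test"), (True, "esp.test")))
```

The last call models the marketer-sending-for-a-client case: SPF and DKIM both pass, but for the platform's domain rather than the “From” domain, so neither aligns and the policy applies.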

What does the DMARC report include?

There are two types of DMARC reports: aggregate and forensic. The respective reports contain different kinds of data.

Aggregate reports come in an XML file and are machine-readable. All the activity from your domain is emailed to an address specified in the DMARC record (rua), where incidents are listed.

Forensic reports come in a format known as AFRF and they are sent to the administrator in real time. Failures (in validation) are reported and they are separate email messages which can be used to further investigate problems with authentication or attacks.

The best way forward is to have DMARC authentication in place to gather insight about your activity. By far the most popular policy in DMARC records, accounting for almost two-thirds of them, is “none”, as everyone starts by monitoring. You can analyze the feedback and get a grip on IP addresses that use your domain.

Now, not everyone is technical (great if you are!), and sifting through endless lines of a DMARC report might not be your cup of tea. You can grasp the importance of email authentication without actually mastering all aspects of it. Work on protecting your sender reputation – hire outside help if needed, but keep up with such protocols to make sure your message gets across.

Final Thoughts

DMARC offers you the means to identify and fix any authentication issues your campaigns might face. It should serve as a model on how ISPs and marketers can ensure the integrity of the email channel by working together. Not only will the instances of spoofing, spamming and similar frauds concerning regular email users decrease, but your deliverability will also improve. And we all know how good sender reputation reflects on your email campaigns.