With Google and Yahoo’s new requirements for email security protocols, most people can easily understand how SPF and DKIM records authenticate legitimate email from your organization. But here’s a quick reminder:
- SPF (Sender Policy Framework) is a protocol for letting the world know which outgoing mail servers are allowed to send email on behalf of your domain.
- DKIM (DomainKeys Identified Mail) is a protocol that proves an email that says it came from your outgoing mail server really did.
The other email security policy we recommend, DMARC, seems less straightforward at first. But a recent example from a client’s implementation provided quick and clear evidence of DMARC’s benefits.
DMARC (Domain-based Message Authentication, Reporting, and Conformance) enables collection of email deliverability reports from mail servers all over the world about mail that is, or appears to be, sent from your domain. The reports list all emails that passed or failed SPF or DKIM authentication (that is, whether each one really came from someone at your organization) and what the source of the email was.
Our client uses email for basic business correspondence and nothing else — no email marketing, CRM, or online sales. So we set up SPF and DKIM records that applied to Microsoft email services, and assumed that would be it. Strictly speaking, a DMARC record wasn’t even required by Google and Yahoo because of the low volume of email this client sends on a daily basis. But we set up DMARC anyway.
Why? Without DMARC, we can’t confirm that SPF and DKIM records are complete. Without email deliverability reports that DMARC provides, we don’t have confirmation that the SPF and DKIM records we added are the only ones needed for this domain.
Case in point: When we reviewed deliverability reports after two weeks we saw a dozen messages failing SPF and DKIM that were all coming from the same source: a popular web host for WordPress sites. Checking these findings with our client, we discovered together that the Contact form on their website was the source — the form was sending email using the client’s domain name but from the web host’s mail servers.
The remedy was easy: add the web host’s mail servers to the domain’s SPF record. On our next check of email deliverability, the Contact form emails all passed DMARC.
It’s easy for any organization to fall into a similar trap: maybe someone on the sales team is experimenting with a new CRM tool, or server alerts were set up years ago through an SMTP service like Mailgun or SendGrid. DMARC reports reveal what’s missing. Without DMARC, some of these emails that fail authentication will soon start getting rejected.
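The report review described above can be scripted. The following is an added example, not Macktez’s own tooling: it reads a DMARC aggregate report in the RFC 7489 XML format and totals the messages that failed both SPF and DKIM, grouped by sending source. The sample report, `client.example`, and the IP addresses are constructed placeholders.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample aggregate report, trimmed to the fields used below.
# Domains and IPs are documentation placeholders, not data from the case above.
SAMPLE_REPORT = """<feedback>
  <policy_published><domain>client.example</domain><p>none</p></policy_published>
  <record><row><source_ip>198.51.100.7</source_ip><count>240</count>
    <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <auth_results><spf><domain>client.example</domain><result>pass</result></spf></auth_results>
  </record>
  <record><row><source_ip>203.0.113.25</source_ip><count>7</count>
    <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <auth_results><spf><domain>client.example</domain><result>fail</result></spf></auth_results>
  </record>
  <record><row><source_ip>203.0.113.25</source_ip><count>5</count>
    <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <auth_results><spf><domain>client.example</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>"""


def failing_sources(report_xml):
    """Return [(source_ip, spf_domain, spf_result, message_count)] for DMARC failures.

    A row fails DMARC when neither the aligned SPF check nor the aligned DKIM
    check passed, so rows with either <policy_evaluated> result "pass" are skipped.
    """
    # Reports come from third-party receivers; in production, parse them with
    # a hardened XML parser (for example defusedxml) instead of the stdlib one.
    totals = Counter()
    for record in ET.fromstring(report_xml).iter("record"):
        evaluated = record.find("row/policy_evaluated")
        if evaluated is None:
            continue
        if evaluated.findtext("dkim") == "pass" or evaluated.findtext("spf") == "pass":
            continue
        source_ip = record.findtext("row/source_ip", default="unknown")
        spf_domain = record.findtext("auth_results/spf/domain", default="unknown")
        spf_result = record.findtext("auth_results/spf/result", default="unknown")
        totals[(source_ip, spf_domain, spf_result)] += int(record.findtext("row/count") or 0)
    # Largest failing sources first: these are the senders to identify.
    return [(ip, dom, res, n) for (ip, dom, res), n in totals.most_common()]


if __name__ == "__main__":
    for ip, dom, res, n in failing_sources(SAMPLE_REPORT):
        print(f"{n:>5} failing messages from {ip} (SPF {res} for {dom})")
```

A failing source whose SPF domain is your own, as in the sample, is a sender using your domain from servers your SPF record does not list, which is the situation the Contact form created.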
Of course, if your business does depend on email for marketing, purchasing, or customer service, ongoing DMARC monitoring and adjustments are an essential tool for protecting your domain’s reputation and guaranteeing deliverability. Read how we helped a retail client deliver 3-5 million emails a month from multiple platforms without getting tagged as spam.
Macktez Domain Management
Macktez has been managing domain health and security for decades, and can help your organization as well. Our Domain Management subscription was designed for email and domain security, and includes all the protocols and ongoing maintenance described above. In addition to setting up and monitoring SPF, DKIM, and DMARC, we’ll make sure your domain is registered at a reputable registrar, and that your DNS is hosted with a secure and reliable service — all of which will minimize the ability of criminals to use your domain for phishing, while providing email recipients greater confidence that messages from you are authentic. We monitor DMARC reports and gradually tighten your DMARC policy, making DNS adjustments as needed.