Gmail to Reject DMARC Fails: What Authentication Means for Email Marketing
With Google’s announcement that by June 2016 Gmail will reject messages that fail DMARC checks, Domain-based Message Authentication, Reporting and Conformance (DMARC) is likely to become the new norm in deliverability authentication.
Because email scammers are becoming more sophisticated in their spoofing, phishing, spamming and other abuse techniques, it’s important to have an effective authentication mechanism that isolates bad emails, so that legitimate emails can reach their intended inbox.
By relying on existing SPF and DKIM authentication processes to establish the legitimacy of an email, DMARC adds a layer of scrutiny to messages before they reach the receiver, and gives senders the chance to tell the receiver what to do if the email fails part of the authentication process.
DMARC works by enforcing a policy of one out of three possible outcomes (none, quarantine, reject) that relies upon the alignment between DKIM, SPF and its own records. In the case of SPF records, DMARC has to match (be aligned with) exactly the RFC5222.From domain present in the message. In DKIM’s case, the d= value in the signature must be aligned with (match) that of the RFC5222.From domain.
Alignment — There are two kinds of alignment: Relaxed or Strict.
Strict alignment requires the records to be an exact match of one another. Relaxed alignment will, for example, accept sub-domains of the given RFC5322.From domain present in the records as aligned.
Let’s say in DKIM we have a d= domain of “domain.com.” The sub-domain “sub.domain.com” would be considered in alignment under a Relaxed setup. For SPF, “In relaxed mode, the [SPF]-authenticated domain and RFC5322.From domain must have the same Organizational Domain. In strict mode, only an exact DNS domain match is considered to produce Identifier Alignment, as specified by DMARC.org.
DMARC policies are published as text in the DNS records, and dictate what the receiver should do with messages that fail authentication. As mentioned previously, senders can choose one of three possible outcomes: do nothing, quarantine or, like Gmail, reject.
Consider the following example where we have reports sent to domain.com:
“v=DMARC1; p=reject; rua=mailto:firstname.lastname@example.org; adkim=r; aspf=r; pct=100; rf=afrf”
In the example, we set our policy (p=reject) to filter (pct=100) 100 percent of the messages that fail relaxed DKIM and SPF authentications (adkim=r/aspf=r), and we’ll receive reports at email@example.com in afrf format. Here are a few of the most common tags:
Of course that’s just an example. There are different ways to set up your DMARC policy, alignment and reporting.
So fear not, friends. DMARC is here to stay and it’ll help good senders get their messages across, whilst blocking all of that undesired spam.
Related story: 2 More Gmail Hurdles for Marketers