Sign in
  • Home
  • Products
    • Enforce
    • DMARC Monitor
    • Instant SPF
    • Amplify
  • Solutions
    • Anti-phishing
    • Brand protection
    • Compliance
    • Government
    • Marketing
    • Microsoft
    • Shadow IT
  • About
    • News + awards
    • Partners
    • Team
    • Careers
    • Industry leadership
    • Customer support
  • Learn
    • Resources
    • Blog
    • Customers
  • Support
Request phishing analysis
  • Products
    • Enforce
    • DMARC Monitor
    • Instant SPF
    • Amplify
  • Solutions
    • Anti-phishing
    • Brand protection
    • Compliance
    • Government
    • Marketing
    • Microsoft
    • Shadow IT
  • About
    • News + awards
    • Partners
    • Team
    • Careers
    • Industry leadership
    • Customer support
  • Learn
    • Resources
    • Blog
    • Customers
  • Get started for free
  • Support
  • Sign in
Check to see if you’re protected
☰
Check to see if you’re protected
Share this article
Related posts
  • Blog
    Research: Only 22 of the top 100 retailers are protected by DMARC
  • Blog
    How vulnerable are U.S. election operations to email spoofing?
  • Blog
    How to use DMARC to help you implement DMARC
Valimail blog

DMARC authentication gets you the deliverability you deserve

Author: Todd Herr
hand holding mobile phone that has just received an email

Ever since the release of RFC 4408, the first revision of the SPF specification, there’s been a misconception in email that “authentication will get you to the inbox.” While it’s not a universally held belief, it’s widespread enough that we feel it’s worth discussing the topic.

Whether an email is successfully delivered — and the folder that it’s ultimately delivered to — depends on a number of factors, but the primary driver is the reputation associated with the sender of the message. A sender’s reputation, in turn, is determined by its willingness to follow best practices and by its impact (positive or negative) on the systems to which it sends mail. Each mail system employs its own formula to assign a reputation, so what works for one receiver may not work exactly the same with another.

A sender that ensures that its email is authenticated, using SPF, DKIM, and DMARC, is certainly following a best practice for sending email, but that practice by itself is not enough to ensure a good reputation. Successful authentication of email means that the receiving system can trust that responsibility and accountability for the message in question can be credited to the identifier(s) associated with that authentication, which could be the sending IP address, the sending network, and/or any domain associated with the message.

In turn, the receiving system can reliably update accumulated reputation information for those authenticated identifiers based on its other measures for mail coming into its system, such as whether or not the recipients engage with the message and how they do so (e.g., opening it, clicking on links in it, reporting it as spam, etc.).

Without a comprehensive authentication plan in place for its email, a sender cannot build up a reputation based solely on mail that it and it alone has sent. In the worst case scenario, where a sender has no authentication for any of its email, all mail claiming to be from the sender’s domain will factor into its reputation, whether it was legitimate email, or fraudulent email sent by a bad actor. 

A sender that authenticates some of its mail is in a better place, because only authenticated mail should factor into its reputation. Any spoofed messages won’t authenticate, may not get delivered, and shouldn’t count against the domain’s reputation. But that reputation might still suffer because a good sender will only get “partial credit” for the mail it sends. Only by authenticating all of its mail can the sender ensure that it earns the reputation it correctly deserves.

The key word in the sentence ending that last paragraph is “correctly.” A sender that authenticates all its mail but sends in such a way that makes it obvious that it’s not following other best practices will correctly earn a bad reputation, and its mail will end up in the junk folder or rejected outright, even with authentication in place and a DMARC policy of p=reject.

In fact, while spam-sending domains often do have DMARC policies of p=reject (in the mistaken belief that this will help their deliverability), this is ultimately of no benefit for them. Those DMARC policies only serve to definitively identify them, and once the mail receivers assign them a bad sending reputation, their deliverability will drop precipitously.

Authentication only affirms the identity of the party responsible for sending the mail. By itself, it does nothing to demonstrate that the authenticated mail is wanted by the recipients and deserving of placement in the inbox. To have the best chance of landing in the inbox, you must have authentication in concert with following all other best practices.

Back to blog
Published November 5, 2020
  • deliverability
  • DMARC
Author: Todd Herr
Todd Herr is a Senior Technical Program Manager at Valimail and a Messaging Area Co-Chair for the M3AAWG Technical Committee. He's been working in the email ecosystem since the previous millennium, and has been employed by companies across the email industry, including mailbox providers, senders, and various vendors. He thinks Spam is best served grilled on a block of rice, with both the Spam and the rice wrapped together with nori.
Resources
Email Fraud Landscape Spring 2021
Learn more
Top retailers remain vulnerable to email brand spoofing
Learn more
Email security with Microsoft and Valimail
Learn more
Election email security
Learn more
Email fraud landscape, Summer 2020
Learn more
Latest news
Trump’s refusal to concede the election is creating an opening for cy...
Learn more
2020 General Election Results to Directly Impact Tech Industry
Learn more
Why Email Is Still an Election Day Disinformation Risk
Learn more
US elections are still vulnerable to email spoofing
Learn more
Security Gaps Persist, Report Warns, After U.S. Blames Iran In Election Sch...
Learn more
Press releases
Valimail Report Reveals 3 Billion Spoofed Emails are Sent Every Day
Learn more
Valimail Triples Customer Base, Becomes Top Global DMARC Provider in 2020
Learn more
Valimail: 2020 election infrastructure still vulnerable to email hackers
Learn more
Valimail Announces Selection by ASG for Anti-Phishing and BEC Protection
Learn more
Valimail DMARC Monitor and Valimail Enforce Now Available in the Microsoft ...
Learn more
Follow us
Contact us

P: 888.354.6179
E: info@valimail.com

Headquarters

1942 Broadway St., Ste. 314C
Boulder, CO 80302

Request a full phishing analysis
© Valimail
  • Terms of use
  • Privacy Policy
  • Website terms of use
  • Do not sell my personal information
  • Phishing Analysis
  • Domain Checker
  • Products
  • Enforce
  • DMARC Monitor
  • Instant SPF
  • Amplify
  • Solutions
  • Anti-phishing
  • Brand protection
  • Compliance
  • Government
  • Marketing
  • Microsoft
  • Shadow IT
  • About
  • News + awards
  • Partners
  • Team
  • Careers
  • Industry leadership
  • Customer support
  • Learn
  • Resources
  • Blog
  • Customers
Subscribe to our newsletter

Get exclusive content on improving email security and deliverability from the experts at Valimail.

  • *
    I understand that I may proactively manage my preferences, or opt-out of Valimail communications at any time using the unsubscribe link provided in Valimail email communication. I confirm that I am over the age of 16. The information that you provide will be used in accordance with the terms of our Privacy Policy.
  • This field is for validation purposes and should be left unchanged.