Is a DMARC policy really right for everyone?
This post claimed that doing so would actually hurt deliverability. This can be true — but only if you rush to enforcement without putting in the time to authenticate all your sending services correctly.
When you do put in that time, though, DMARC at enforcement improves your deliverability. And if your domain is heavily phished, the improvement can be substantial.
The danger, as the post correctly notes, is failing to correctly authorize a service you’re actually using. Do that, and moving to DMARC enforcement will cause those legitimate (but not correctly authorized) email messages to get blocked. This is a real concern, particularly for beleaguered IT administrators who are just trying to keep the mail flowing but are now tasked with keeping up with all the nuances of DMARC, SPF, and DKIM, while dealing with the many variations in how different cloud service providers authenticate email (or don’t), interpreting DMARC reports, trying to track down which department owns which cloud service, etc.
But the broader argument that DMARC is relevant only to a few special use cases? That argument flies in the face of modern email best practices.
Authentication boosts deliverability now
In fact, virtually every major provider of email, including Google, Microsoft, and Verizon Media (Yahoo Mail and AOL Mail) recommends using DMARC at enforcement. The industry group M3AAWG also recommends DMARC at enforcement as a deliverability best practice. That’s because enforcement helps receivers know, without a doubt, who owns the domain that an email message comes from. This is a valuable signal that mail providers leverage.
But don’t just take our word for it. We checked with Marcel Becker, director of product management at Verizon Media, and he told us this: “If you value deliverability, want to secure your brand, and want to leverage AMP, BIMI, or other modern email enhancements, you must do DMARC at enforcement.”
The evidence is plain that deliverability rises markedly after publishing a DMARC record with an enforcement policy, for the simple reason that bad mail sent in your name no longer counts against your reputation.
A published account by HMRC has shown deliverability rates jumping from 18% to 98% after implementing DMARC at enforcement. Granted, HMRC’s experience is an outlier: It was being heavily spoofed, and as a result the reputation of its domain was in the toilet with most mail receivers. But Valimail’s customers regularly see 10%, 20%, or even greater rates of improvement in deliverability after moving to enforcement.
Authentication will be essential in the future
The effectiveness of authentication (with DMARC at enforcement) is a significant reason that these mail providers will eventually move to a “No Auth, No Entry” policy — which will mean that they will only deliver mail if it authenticates in the manner DMARC requires. That day is not yet here, but it is getting closer, as the rate of DMARC adoption continues to grow worldwide.
DMARC enforcement is essential for ensuring trust as the world moves to embrace new email functionality that increases engagement and conversion rates. For example, a lot of people are getting excited about AMP for Email, a new way to deliver efficient, interactive content via email messages. Naturally, there are security concerns involved in sending even more powerful interactive code via email — and companies can help allay these concerns by authenticating their sending domains. That’s done — you guessed it — by using DMARC at enforcement.
Also, if you want to leverage BIMI, a new standard that allows senders to specify an image that appears alongside their messages, you’re going to need a DMARC record with a policy of p=quarantine or p=reject — in other words, enforcement.
Phishing defense and brand protection
The deliverability benefit is hardly the only reason to move to enforcement. A policy of p=reject or p=quarantine is where you actually start to realize the anti-impersonation benefits of DMARC, blocking unauthorized emails posing as you, no matter where in the world they originate.
In other words, it will cut down on phishing (directed at your employees as well as your customers/partners). And it will help protect your email brand from being sullied by impersonators.
Challenges with DMARC enforcement
Yes, there are challenges in ensuring that you properly authenticate every legitimate service that you want to be able to send mail. If you want to authorize Mailchimp, Hubspot, Asana, system update emails, email discussion lists, invoices, payroll, and credit card processing receipts (for example), you need to ensure that they are all correctly configured, using SPF and DKIM.
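A pre-enforcement check for the risk described above, as an added example (not code from the original post or from Valimail): it reads a DMARC aggregate report and lists the sources whose mail passes neither aligned SPF nor aligned DKIM, which is the mail a p=quarantine or p=reject policy would act on. The report, IP addresses, and domain names are constructed placeholders.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed aggregate (RUA) report, trimmed to the elements this check reads.
# IPs and domains are documentation placeholders, not real senders.
SAMPLE_REPORT = """<feedback>
<policy_published><domain>example.com</domain><p>none</p></policy_published>
<record><row><source_ip>192.0.2.25</source_ip><count>1000</count>
  <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
  <auth_results><spf><domain>example.com</domain><result>pass</result></spf></auth_results></record>
<record><row><source_ip>192.0.2.10</source_ip><count>120</count>
  <policy_evaluated><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
  <auth_results><spf><domain>bounce.esp.example</domain><result>pass</result></spf></auth_results></record>
<record><row><source_ip>198.51.100.7</source_ip><count>45</count>
  <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <auth_results><spf><domain>mail.crm-vendor.example</domain><result>pass</result></spf></auth_results></record>
<record><row><source_ip>203.0.113.99</source_ip><count>300</count>
  <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <auth_results><spf><domain>example.com</domain><result>fail</result></spf></auth_results></record>
</feedback>"""


def enforcement_risk(report_xml):
    """Return ({(source_ip, spf_domain): messages}, total_messages) for mail
    that fails DMARC: neither aligned DKIM nor aligned SPF is 'pass'."""
    at_risk = defaultdict(int)
    total = 0
    for rec in ET.fromstring(report_xml).iter("record"):
        row = rec.find("row")
        count = int(row.findtext("count", "0"))
        total += count
        # policy_evaluated holds the alignment-aware results DMARC uses.
        dkim = row.findtext("policy_evaluated/dkim", "fail")
        spf = row.findtext("policy_evaluated/spf", "fail")
        if dkim != "pass" and spf != "pass":
            # The raw SPF domain hints at which service sent the mail.
            spf_domain = rec.findtext("auth_results/spf/domain", "unknown")
            at_risk[(row.findtext("source_ip"), spf_domain)] += count
    return dict(at_risk), total


if __name__ == "__main__":
    risky, total = enforcement_risk(SAMPLE_REPORT)
    for (ip, spf_domain), n in sorted(risky.items(), key=lambda kv: -kv[1]):
        print(f"{ip:15} spf-domain={spf_domain:25} {n} of {total} messages fail DMARC")
```

In the sample, 198.51.100.7 passes raw SPF for a vendor's own domain but is not aligned with example.com, the pattern of a legitimate service that still needs to be authorized; 203.0.113.99 fails SPF outright. Sources like the first are the ones to fix before changing the policy from p=none.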
Far from being a difficult or impossible job, though, this is eminently achievable. In fact, Valimail does this every single day on behalf of our customers. That’s because we understand how the modern email ecosystem works. We have detailed knowledge of (and relationships with) all the major email-sending services in the world — thousands of them — so we can accurately identify them and authorize them.
In short, enforcement works. It helps deliverability, major email receivers recommend it, and it positions you well to take advantage of future enhancements to email that will make it an even more powerful marketing tool.
Anyone who tries to tell you that you should not publish a DMARC policy, or that you don’t need to be at enforcement, is selling DMARC’s potential short.