
Is a DMARC Policy Right for Everyone?

Learn why a DMARC policy is a must-have for every brand, and how it protects your business while simultaneously boosting email deliverability rates.

TL;DR: Yes.

Some will argue that the vast majority of organizations should not try to publish a DMARC record with an enforcement policy (p=quarantine or p=reject).

Some claim that doing so would actually hurt deliverability. This can be true — but only if you rush to enforcement without putting in the time to authenticate all your sending services correctly.

When you do put in that time, though, DMARC at enforcement improves your deliverability. And if your domain is heavily phished, the improvement can be substantial (as much as 10%).

The danger is failing to correctly authorize a service you’re actually using.

If that happens, moving to DMARC enforcement will cause those legitimate (but not correctly authorized) email messages to get blocked. This is a real concern, particularly for beleaguered IT administrators who are just trying to keep the mail flowing and are now also tasked with keeping up with all the nuances of DMARC, SPF, and DKIM:

  • Dealing with the many variations in how different cloud service providers authenticate email (or don’t)
  • Interpreting DMARC reports
  • Trying to track down which department owns which cloud service

But the broader argument that DMARC is relevant only to a few special use cases? That argument flies in the face of modern email best practices, and here’s why.

Why DMARC Is Right for Everyone

1. Authentication Boosts Deliverability

In fact, virtually every major provider of email, including Google, Microsoft, and Yahoo, recommends using DMARC at enforcement. The industry group M3AAWG also recommends DMARC at enforcement as a deliverability best practice.

That’s because enforcement helps receivers know, without a doubt, who owns the domain that an email message comes from. This is a valuable signal that mail providers leverage.

“If you value deliverability, want to secure your brand, and want to leverage AMP, BIMI, or other modern email enhancements, you must do DMARC at enforcement.”

Marcel Becker, Director of Product Management at Yahoo

The evidence is plain that deliverability rises markedly after publishing a DMARC record with an enforcement policy for the simple reason that bad mail sent in your name no longer counts against your reputation.

A published account by HMRC has shown deliverability rates jumping from 18% to 98% after implementing DMARC at enforcement. Granted, HMRC’s experience is an outlier: It was being heavily spoofed, and as a result, the reputation of its domain was in the toilet with most mail receivers.

But Valimail’s customers regularly see 10%, 20%, or even greater rates of improvement in deliverability after moving to enforcement.

2. Authentication Is Becoming Essential

The effectiveness of authentication (with DMARC at enforcement) is a significant reason that these mail providers will eventually move to a “No Auth, No Entry” policy — which will mean that they will only deliver mail if it authenticates in the manner DMARC requires.

Google and Yahoo already announced that they will be requiring email authentication standards for bulk senders starting in February 2024.

Additionally, in Google’s FAQ about the coming changes, they mentioned: “It’s likely that DMARC alignment with both SPF and DKIM will eventually be a sender requirement.” Google is going to continue requiring best sending practices, and if you haven’t considered DMARC before, you will need to in the future.

“Your email should be trusted and safe. Everyone’s email should be. This is Valimail’s mission: restore trust to email. We believe that authentication is foundational, and doing it the right way is critical. Google and Yahoo are elevating best practices — having strong authentication — into requirements. We welcome this! And we’re looking forward to partnering with Google and Yahoo to take this even further and ensure quality of enforcement.”

Seth Blank, CTO of Valimail

DMARC enforcement is essential for ensuring trust as the world moves to embrace new email functionality that increases engagement and conversion rates.

For example, a lot of people are getting excited about AMP for Email, a new way to deliver efficient, interactive content via email messages. Naturally, there are security concerns involved in sending even more powerful interactive code via email — and companies can help allay these concerns by authenticating their sending domains. That’s done — you guessed it — by using DMARC at enforcement.

Also, if you want to leverage Brand Indicators for Message Identification (BIMI), a new standard that allows senders to specify an image that appears alongside their messages, you’re going to need a DMARC record with a policy of p=quarantine or p=reject — in other words, enforcement.


3. Phishing Defense and Brand Protection

The deliverability benefit is hardly the only reason to move to enforcement. A policy of p=reject or p=quarantine is where you actually start to realize the anti-impersonation benefits of DMARC, blocking unauthorized emails posing as you, no matter where in the world they originate.


In other words, it will cut down on phishing (directed at your employees as well as your customers/partners). And it will help protect your email brand from being sullied by impersonators.

Challenges with DMARC Enforcement

Yes, there are challenges in ensuring that you properly authenticate every legitimate service that you want to be able to send mail. If you want to authorize Mailchimp, Hubspot, Asana, system update emails, email discussion lists, invoices, payroll, and credit card processing receipts (for example), you need to ensure that they are all correctly configured using SPF and DKIM.
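One way to find senders that are not yet correctly configured, before moving to enforcement, is to read DMARC aggregate reports for sources that fail alignment (the "interpreting DMARC reports" task mentioned earlier). The following is an added example, not Valimail's code: the report is constructed for the placeholder domain example.com, and the `failing_sources` function and its `review` labels are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed aggregate report (RFC 7489 element names) for the placeholder
# domain example.com; source IPs are from documentation ranges.
SAMPLE_REPORT = """
<feedback>
 <policy_published><domain>example.com</domain><p>none</p></policy_published>
 <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
   <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
  <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
   <spf><domain>example.com</domain><result>pass</result></spf></auth_results></record>
 <record><row><source_ip>198.51.100.7</source_ip><count>40</count>
   <policy_evaluated><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row>
  <auth_results><spf><domain>example.com</domain><result>pass</result></spf></auth_results></record>
 <record><row><source_ip>203.0.113.25</source_ip><count>15</count>
   <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <auth_results><dkim><domain>mailer.example.net</domain><result>pass</result></dkim>
   <spf><domain>bounce.example.net</domain><result>pass</result></spf></auth_results></record>
 <record><row><source_ip>203.0.113.99</source_ip><count>300</count>
   <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <auth_results><spf><domain>example.org</domain><result>fail</result></spf></auth_results></record>
</feedback>
"""


def failing_sources(report_xml):
    """Return the rows that p=quarantine or p=reject would act on, largest first."""
    findings = []
    for record in ET.fromstring(report_xml).iter("record"):
        # policy_evaluated holds the *aligned* results; one pass satisfies DMARC.
        aligned = (record.findtext("row/policy_evaluated/dkim"),
                   record.findtext("row/policy_evaluated/spf"))
        if "pass" in aligned:
            continue
        # Domains that authenticated but did not align with the From domain.
        unaligned = sorted(a.findtext("domain", "") for a in
                           record.iterfind("auth_results/*") if a.findtext("result") == "pass")
        findings.append({
            "source_ip": record.findtext("row/source_ip"),
            "count": int(record.findtext("row/count")),
            "unaligned_pass": unaligned,
            # Heuristic label: a source authenticating as its own domain may be a real service.
            "review": "check ownership" if unaligned else "unauthenticated",
        })
    return sorted(findings, key=lambda f: -f["count"])


if __name__ == "__main__":
    print(*failing_sources(SAMPLE_REPORT), sep="\n")
```

Aggregate reports arrive from external parties, so in production parse them with a hardened XML parser such as `defusedxml` rather than the standard-library parser used here.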

Far from being a difficult or impossible job, though, this is eminently achievable. In fact, Valimail does this every single day on behalf of our customers.

That’s because we understand how the modern email ecosystem works. We have detailed knowledge of (and relationships with) all the major email-sending services in the world — thousands of them — so we can accurately identify them and authorize them.

Interested? Check out Valimail Enforce, our automated solution for helping you reach (and maintain) DMARC enforcement at scale.

Enforcement Matters: Take Action Now

In short, enforcement works. It helps deliverability, major email receivers recommend it, and it positions you well to take advantage of future enhancements to email that will make it an even more powerful marketing tool.

Anyone who tries to tell you that you should not publish a DMARC policy, or that you don’t need to be at enforcement, is selling DMARC’s potential short.

See for yourself. Get free visibility into your domains with Valimail Monitor to identify and authorize all senders, point out any bad actors, and take the first step toward enforcement.