Email authentication for marketers - the DMARC standard

On Jan 30, 2012, a coalition of top email providers, including Google, Comcast, AOL, and Facebook, released a new anti-spam standard for email: DMARC. What does DMARC mean for the email marketer? Let’s take a look at the best practices around email authentication.

Email suffers from a huge problem: spam. More than 98% of emails sent on the net are junk. DMARC aims to cut down one large source of spam: faked sending addresses. The “from” address on an email is about as reliable as the return address on a paper letter – it’s trivially easy to fake it. Email authentication is a set of technologies used to verify that an email actually comes from the source that is claimed.

Spam filtering takes two main forms: looking at an email’s technical authentication, and looking at its content. If you’re trying to market a well-known erectile dysfunction pill, or you’re a manager at a Nigerian bank, you’re going to have trouble with the content filters no matter how authentic your message may be.

DMARC is an add-on to two existing authentication technologies: SPF and DKIM. Together, they form a powerful block against faked messages.

Your Email Reputation

As an email marketer, one of your most important assets is your reputation as an email sender. That reputation attaches to two parts of your sending world: your domain (the part after the @ sign in the “from” address) and your email server. Whenever you send a message, it may be filtered based on the reputation you’ve earned from past behavior. One of the key advantages of email authentication is that it gives you a mechanism to prevent anyone else from using your domain. This means that your reputation is based on your behavior, not on some spammer’s.

SPF – Limiting Allowed Senders

SPF is an existing standard that allows domain owners to limit what email servers can send mail for their domain. For example, if I own company.com, I can say that only mail.company.com is allowed to send email from that domain, and that any email from some other source should be dropped. This is a huge advantage to your reputation – fake messages dropped in this way don’t hurt your reputation at all. If we think of email as like a paper letter, SPF is like checking the postmark to see that it was mailed from the correct place.

SPF checks usually happen on the recipient’s email server, before the message is delivered. Depending on the configuration, messages that fail SPF validation will either be marked as spam or even deleted before delivery.

SPF is reasonably widely used, but one key problem with it is that many domains send messages from multiple sources (e.g. a corporate Exchange server and an email marketing provider). With SPF, it’s easy to configure your domain so that “good” traffic is dropped by mistake (by forgetting about the email provider), and most recipient servers are therefore pretty lenient about what they let through.
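To make the “forgot the provider” failure concrete, here is a small SPF evaluator. It is an added example, not code from the original post or from any SPF library: it handles only the ip4, ip6 and all mechanisms, does no DNS lookups (the records and addresses below are constructed, not real), and does not expand the a, mx or include mechanisms a real resolver would follow.

```python
"""Evaluate a sender IP against an SPF record.

Added example; not code from the original post or from any SPF library.
It handles only the ip4, ip6 and all mechanisms and does no DNS lookups:
the records are constructed below and passed in as strings, and the a,
mx and include mechanisms that real SPF resolvers expand are not supported.
"""
import ipaddress

# Qualifier prefix on a mechanism -> SPF result when that mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, sender_ip):
    """Return pass/fail/softfail/neutral/none/permerror for sender_ip."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # not an SPF record, so no SPF policy applies
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"  # a mechanism with no explicit qualifier means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]  # 'all' matches every sender
        if name in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(value, strict=False)
            except ValueError:
                return "permerror"  # malformed address or prefix
            if ip.version == network.version and ip in network:
                return QUALIFIERS[qualifier]
            continue
        # a, mx, include, exists, ... would need DNS; this toy stops here.
        return "permerror"
    return "neutral"  # nothing matched and the record has no 'all' term


# Constructed records and addresses for a fictional brand (not real ones).
CORPORATE_MTA = "192.0.2.25"
MARKETING_PROVIDER = "198.51.100.7"
# The strict record forgets the marketing provider: its mail now hard-fails.
STRICT = "v=spf1 ip4:192.0.2.0/24 -all"
# The lenient record ends in ~all, so the forgotten provider only softfails,
# which is why receivers hesitate to treat softfail as spam.
LENIENT = "v=spf1 ip4:192.0.2.0/24 ~all"
# Both sources listed, still hard-failing everyone else.
COMPLETE = "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.7 -all"
# A domain that never sends mail, as in the post's parked-domain record.
NEVER_SENDS = "v=spf1 -all"

if __name__ == "__main__":
    for label, record in [("strict", STRICT), ("lenient", LENIENT),
                          ("complete", COMPLETE), ("never sends", NEVER_SENDS)]:
        print(f"{label:12} corporate={evaluate_spf(record, CORPORATE_MTA):8} "
              f"provider={evaluate_spf(record, MARKETING_PROVIDER)}")
```

Run it and compare the provider column across the four records: the strict record turns legitimate marketing mail into a hard fail, the lenient one into a softfail, and only the complete record passes both sources while still rejecting everyone else.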

DKIM – Signing the Message

DKIM is a complementary technology. It lets the originating server sign an email message before it transits the Internet. This signature can be verified by the recipient, so the recipient knows that the message came from the original source. DKIM is usually checked by the recipient’s server before delivery. Unlike SPF, DKIM-enabled domains don’t usually control what happens to the message. The signature is instead “remembered” and the server builds up a reputation for the sender’s email server. If much of the traffic from a server is marked as spam by users or the content filter, the recipient’s server will stop “trusting” the sender and start filtering based on the DKIM results. Continuing the analogy, DKIM is something like corporate letterhead or a company’s seal. It establishes that the message came from a known source.
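The part of a DKIM check a receiver can do with nothing but the message itself is recomputing the body hash (the bh= tag) after canonicalising the body. The following is an added example, not code from the original post or from any DKIM library: it implements the simple and relaxed body canonicalisations of RFC 6376 and compares the bh= tag, while the RSA signature over the headers (the b= tag), which needs the signer’s public key from DNS, is left out. The sample body and DKIM-Signature header are constructed for the example.

```python
"""Compute and check a DKIM body hash (the bh= tag of DKIM-Signature).

Added example; not code from the original post or from any DKIM library.
It covers only the 'simple' and 'relaxed' body canonicalisations of
RFC 6376 and the bh= comparison. Verifying the RSA signature over the
headers (the b= tag) needs the signer's public key from DNS and is left out.
"""
import base64
import hashlib
import re


def canonicalize_body(body, method="relaxed"):
    """Return the message body canonicalised as RFC 6376 section 3.4 describes."""
    # Work on lines so the result always uses CRLF line endings.
    lines = body.replace("\r\n", "\n").split("\n")
    if method == "relaxed":
        # Drop trailing whitespace and collapse runs of SP/TAB to one space.
        lines = [re.sub(r"[ \t]+", " ", line.rstrip(" \t")) for line in lines]
    elif method != "simple":
        raise ValueError("unknown body canonicalisation: " + method)
    # Both methods ignore every empty line at the end of the body.
    while lines and lines[-1] == "":
        lines.pop()
    if not lines:
        # simple: an empty body hashes as a lone CRLF; relaxed: as nothing.
        return "\r\n" if method == "simple" else ""
    return "\r\n".join(lines) + "\r\n"


def body_hash(body, method="relaxed"):
    """base64(SHA-256(canonical body)), as used with a=rsa-sha256."""
    digest = hashlib.sha256(canonicalize_body(body, method).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_tags(header_value):
    """Split a 'tag=value; tag=value' DKIM-Signature value into a dict."""
    tags = {}
    for part in header_value.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            # Folding whitespace inside a value is not significant.
            tags[name.strip()] = "".join(value.split())
    return tags


def body_hash_matches(dkim_signature, body):
    """True if the bh= tag in the header matches the body as received."""
    tags = parse_tags(dkim_signature)
    # c=header/body; if only one method is named, the body uses 'simple'.
    _, slash, body_method = tags.get("c", "simple/simple").partition("/")
    if not slash:
        body_method = "simple"
    return tags.get("bh") == body_hash(body, body_method)


# Constructed sample: the body a sender signed and the header it produced.
# The b= value is a placeholder, since only bh= is checked in this example.
SAMPLE_BODY = "Hello from the  newsletter team.\r\n\r\n\r\n"
SAMPLE_SIGNATURE = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=news2012;"
    " h=from:to:subject; bh=" + body_hash(SAMPLE_BODY) + "; b=PLACEHOLDER"
)

if __name__ == "__main__":
    print("untouched body:", body_hash_matches(SAMPLE_SIGNATURE, SAMPLE_BODY))
    print("edited body:   ", body_hash_matches(
        SAMPLE_SIGNATURE, SAMPLE_BODY.replace("newsletter", "lottery")))
```

The relaxed canonicalisation is what lets a signature survive the whitespace and line-ending changes mail relays make in transit, while any change to the words themselves still breaks the hash; a bh= mismatch means the signature cannot verify no matter what the b= tag says.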

DMARC – Putting the Two Together

DMARC puts SPF and DKIM together into a unified policy. When your domain enables DMARC, you publish a policy telling receiving domains what to do if a message is received that fails SPF validation, DKIM checks, or both. This lets you definitively say “drop everything except email from mail.company.com” and gives the recipient two different ways (SPF and DKIM) to verify a message’s identity. With DMARC, you can also ask receiving servers to report faked messages to you when they are seen. An email report can be sent back to you, allowing you to adjust your DMARC settings if you’re blocking legitimate mail by mistake, or helping you to track down a spammer who’s using your domain.

This is an excellent way to protect the reputation of your domain, and to ensure that your messages, when they arrive, pass the authentication portion of spam filtering with flying colours.

Rolling out DMARC is very straightforward. Like SPF, it involves publishing a DNS TXT record that states a policy. Thanks to a well-designed standard, you can roll out DMARC in pieces, and use a debugging mode until you’re happy that things are set up correctly.

Best Practices Recommendations

DMARC is very new, and only a few receiving domains (notably gmail.com, facebook.com and aol.com) support it at present. Given the benefits to senders, we expect this to change rapidly.

We recommend:

  • Never use your corporate email domain for marketing. It mixes your marketing reputation with your corporate email reputation, and that can have unfortunate results. Choose to use info@brand.com or donotreply@brand.company.com instead of brand@company.com.
  • If you have a domain that won’t send email, protect its reputation for the future. Add SPF and DMARC records that say “this domain never sends mail” (config below!). If you choose to change that at some point in the future, no spammer will have been able to “dirty up” your domain by faking mail from it.
  • Check that your email marketing provider supports SPF and DKIM, and that they have a plan to roll out DMARC over the next year. This will help your emails pass easily through the authentication stage of spam filtering.
  • Monitor your email reputation. I’ve included a few links below for sites to check. When you flip DMARC on, watch the abuse reports that come back to see if you’ve misconfigured something or if someone is pretending to be you.

I Don’t Send Email From My Domain

In that case, protect your domain’s reputation from spammers using these records:

your.domain.        IN TXT "v=spf1 -all"
your.domain.        IN SPF "v=spf1 -all"
_dmarc.your.domain. IN TXT ("v=DMARC1; p=reject; "
                            "rua=mailto:your_abuse@address.com")

This will tell receiving mail servers to drop all email from your domain, and to send you an abuse report (if they’re DMARC-enabled).
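To show what a DMARC-aware receiver does with the record above, and with the SPF-or-DKIM policy described in the DMARC section, here is an added example that parses a DMARC TXT record and applies it to one message. It is not code from the original post or from any DMARC library. It assumes two simplifications: no DNS is queried (the record text is passed in directly), and the organisational domain used for relaxed alignment is taken to be the last two labels, where real verifiers consult the Public Suffix List. The domains in the sample calls are constructed.

```python
"""Parse a DMARC record and apply it to one message's SPF and DKIM results.

Added example; not code from the original post or from any DMARC library.
It uses the post's own record text, checks identifier alignment and returns
the disposition a DMARC-aware receiver would choose. Simplifications:
no DNS is queried (the record is passed in as a string); the organisational
domain is taken to be the last two labels, where real verifiers consult the
Public Suffix List; pct= is parsed but its random sampling is not applied.
"""


def parse_dmarc(record):
    """Turn 'v=DMARC1; p=reject; ...' into a dict with defaults filled in."""
    tags = {}
    for part in record.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        raise ValueError("not a DMARC record: v=DMARC1 and p= are required")
    tags.setdefault("adkim", "r")  # relaxed DKIM alignment unless adkim=s
    tags.setdefault("aspf", "r")   # relaxed SPF alignment unless aspf=s
    tags.setdefault("pct", "100")
    return tags


def org_domain(domain):
    """Approximate organisational domain: the last two labels (assumption)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Strict mode needs an exact match; relaxed accepts the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower().rstrip(".") == auth_domain.lower().rstrip(".")
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate_dmarc(record, from_domain, spf_result, spf_domain,
                   dkim_result, dkim_domain):
    """Return (dmarc_result, disposition) for one received message.

    from_domain: domain in the visible From: header (what DMARC protects).
    spf_domain:  domain SPF was checked against (the envelope sender).
    dkim_domain: the d= tag of a DKIM signature that verified, or ''.
    """
    policy = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, policy["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "none"  # one aligned pass is enough
    disposition = policy["p"]
    # sp= overrides p= for mail claiming to come from a subdomain.
    if "sp" in policy and from_domain.lower().rstrip(".") != org_domain(from_domain):
        disposition = policy["sp"]
    return "fail", disposition


# The parked-domain record from the post; the abuse address is its placeholder.
PARKED = "v=DMARC1; p=reject; rua=mailto:your_abuse@address.com"

if __name__ == "__main__":
    # Spoofed mail from a domain that never sends: SPF -all fails, no DKIM.
    print(evaluate_dmarc(PARKED, "your.domain", "fail", "your.domain", "none", ""))
    # A provider sends for news.brand.example from its own bounce domain but
    # signs with d=brand.example: SPF is unaligned, DKIM is aligned, so pass.
    print(evaluate_dmarc(PARKED, "news.brand.example", "pass", "bounce.esp.example",
                         "pass", "brand.example"))
    # The provider signs only with its own domain: DKIM passes but is unaligned.
    print(evaluate_dmarc(PARKED, "brand.example", "pass", "bounce.esp.example",
                         "pass", "esp.example"))
```

The third call is the case to check with your email marketing provider: a DKIM signature that verifies but carries the provider’s own d= domain does not align with your From: domain, so under a p=reject policy that mail is rejected even though both SPF and DKIM technically passed.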

Links


Steve Willer, Chief Technical Officer

Steve has many years of experience developing, designing, and architecting large scale CMS and eCommerce systems. A member of the executive team, he leads all development groups inside Klick Pharma.