So, someone told you to set up DMARC. Let’s ask some important questions: What is DMARC anyway? What is the risk of making this change? What is the benefit of implementing DMARC?
What is DMARC anyway?
Domain-based Message Authentication, Reporting and Conformance (DMARC) is an email authentication policy published in your domain’s DNS. It tells services sending on behalf of your domain how their authentication must be configured to be considered legitimate. It also gives mailbox providers direct instructions on how you would like failures to be handled. Your choices are one of the following:
None: Do nothing, just send reports.
Quarantine: Put the mail in the quarantine folder.
Reject: Do not accept the mail.
However, this presumes every mailbox provider follows the protocol to the letter. I wouldn’t be surprised if failing DMARC didn’t factor somewhat into spam filtering, which brings us to our next question.
What is the risk of making this change?
There is always risk with any change, and deploying DMARC is no different. But the key to any risk is managing it. DMARC reporting is how you manage the risk of deploying a DMARC policy to your domain. The primary risk of this change is that mail could be filtered or bounced, depending on how you deploy the DMARC policy.
I saw an incident once where a company had a significant business issue after implementing DMARC. They didn’t have reporting configured, and thus had not been monitoring it before moving their policy to “reject” status. If they had been, they might have noticed there was a stream of mail coming from another ESP using a dedicated IP that was failing DMARC authentication.
What is the benefit of DMARC?
It helps protect your domain against spoofing. Spoofing is a concern because, apart from authentication and its enforcement, no technology stops anyone in the world from spinning up an email server and sending on behalf of any domain they want. Another benefit of DMARC is the reporting information you get back directly from the mailbox providers receiving your mail. This information lets you keep track of which services are sending on behalf of your domain and whether their authentication is passing as it should to satisfy the DMARC policy on your domain.
What is a marketer to do when implementing something to manage the risk of spoofing comes with its own risks? As long as you take a cautious approach and deploy the policy as “p=none,” everything should be fine. I also recommend monitoring the reports daily for the first 30 days to catch any unauthenticated streams as quickly as possible. If you need help setting up DMARC or interpreting the results, it’s always best to call an expert. Overall the long-term benefits of DMARC outweigh the risks, but always reach out to your resident expert if you have any questions.