Ask Laura: Do I have to publish DMARC?

AskLaura_Heading3
 

Dear Laura,
I heard recently that both Gmail and Yahoo will require DMARC authentication in early 2016 or images will be automatically blocked.
Is that correct? And if so, do you know when they will be requiring DMARC?
A DMARC-Overwhelmed Admin

Dear Overwhelmed,
There are three things going on here, all of which are related to DMARC but are very different in how it affects mail delivery.
1) What policies the freemail domains publish in DMARC records.
Currently AOL, and many of the Yahoo properties publish a p=reject. This affects small senders who may use @aol.com or @yahoo.com email addresses in their bulk mail. Gmail has announced they will change their DMARC record for @gmail.com to p=reject sometime in the next year or so. This will affect all the senders who are using @gmail.com as their From address in bulk email.
2) How domains apply the policies published in DMARC records.
In other words, what does the receiver do with an incoming mail that fails DMARC authentication AND there is an active p=reject policy. Many of the large freemail providers are not strictly following “p=reject” but they are respecting it for the most part. I have seen cases where the p=reject policy is ignored for certain IP addresses. Typically these addresses are known forwarders like ieee.org and the like. This is good for everyone as it means less email failures due to a p=reject policy, but still provides domain owners the ability to make policy statements.
3) How domains handle incoming email that does not align and/or does not have a DMARC policy.
One of the things I’ve seen recently is that some of the freemail providers are checking for a DMARC-style alignment even in the absence of any published DMARC record. I’m also seeing some indications that mail that does not align is more likely to go to the bulk folder.
Example: a client was recently doing some testing. Exact same content message sent with a from address that aligned and a from address at Gmail.

% Inbox Delivery

Receiving DomainFrom: AlignedFrom: Unaligned
AOL100%5%
Gmail100%90%
Hotmail95%0%
Yahoo100%0%

Same content, same source IP, same return path, same DKIM signature, the ONLY difference was the 5322.from address. 95% bulk at AOL, 100% bulk at Hotmail and Yahoo. Ironically, it was Gmail that had no problem with a gmail.com address being used for unaligned email.
Takeaways:
1) DMARC Alignment, even in the absence of a published DMARC record, is going to start being a factor in deliverability. This is going to cause problems for a lot of senders as many ESPs don’t have a good way to send aligned mail. This is going to cause problems at ESPs because they’re going to have to make infrastructure changes to support alignment.
2) Gmail will, sometime in the next year or so, be publishing a p=reject record. This means @gmail.com addresses will be poorly delivered from ESP and private infrastructure – much like AOL and Yahoo addresses are now. Some of this does seem to be already happening at freemail providers other than Google, based on my client’s test I shared above.
3) Gmail will, sometime in the future, start delivering unauthenticated email to the bulk folder. They’re being a bit vague about whether or not this means DMARC authenticated. I think in the short and medium term this just means either SPF or DKIM authenticated. I do expect that they’ll be looking at alignment, even if senders aren’t publishing a DMARC record and that will influence delivery. Unaligned mail may get a small negative and aligned mail may get a bigger positive during delivery scoring. For a long time, Gmail was doing “best guess SPF” – we didn’t publish a SPF record for a long time, and our mail always passed SPF at Gmail because we were sending from our MX. I expect they’re going to do something similar with DMARC – if either SPF or DKIM align and pass, then the mail will be considered to pass DMARC.
Bottom line: the days of sending unauthenticated email are over. The days of easily sending unaligned bulk email are rapidly coming to a close.

Confused about delivery in general? Trying to keep up on changing policies and terminology? Need some Email 101 basics? This is the place to ask. We can’t answer specific questions about your server configuration or look at your message structure for the column (please get in touch if you’d like our help with more technical or forensic investigations!), but we’d love to answer your questions about how email works, trends in the industry, or the joys and challenges of cohabiting with felines.
Your pal,
Laura

Related Posts

A brief history of TXT Records

txt
When the Domain Name System was designed thirty years ago the concept behind it was pretty simple. It’s mostly just a distributed database that lets you map hostname / query-type pairs to values.
If you want to know the IP address of cnn.com, you look up {cnn.com, A} and get back a couple of IP addresses. If you want to know where to send mail for aol.com users, you look up {aol.com, MX} and you get a set of four hostname / preference pairs back. If you want to know the hostname for the IP address 206.190.36.45 you look up {45.36.190.206.in-addr.arpa, PTR} and get a hostname back.
There’s a well-defined meaning to each of those query types  – A is for IP addresses, MX is for mailservers, PTR is for hostnames – and that was always the intent for how DNS should work.
When DNS was first standardized, though, there was one query type that didn’t really have any semantic meaning:

Read More

Spam, Phish or Malware?

Some mornings I check mail from my phone. This showed up this morning.
PizzaHutMail
My first thought was “oh, no, Pizza Hut is spamming, wonder who sold them my address.”
Then I remembered that iOS is horrible and won’t show you anything other than the Friendly From and maybe it was some weird phishing scheme.
When I got to my real mail client I checked headers, and sure enough, it wasn’t really from Pizza Hut. I’m guessing actually malware, but I don’t have a forensics machine to click the link and I’m not doing it on anything I can’t wipe (and have isolated from the rest of my network).
The frustrating thing for me is that this is an authenticated email. It not from Pizza Hut, the address belongs to some company in France. Apparently, that company has had their systems cracked and malware sent through them. Fully authenticated malware, pretending to be Pizza Hut, and passing authentication on various devices.
Pizza Hut isn’t currently publishing a DMARC record, but in this case, a DMARC record for Pizza Hut wouldn’t matter. None of the email addresses in the headers point to Pizza Hut.
I spent last week listening to a lot of people discussing DMARC and authentication and protecting people from scams and headers. But those all the protocols in the world won’t protect against this kind of thing. Phishing and malware can’t be fixed by technology alone. Even if every domain on the planet published a p=reject policy, mail like this would still get through.
 
 
 

Read More

Email Authentication in a nutshell

There are 3 types of authentication currently in use for email.

Read More