Organizations often see sources in their DMARC reports that fail the DMARC checks. In this article we explain how to set up DMARC for these ‘non-compliant’ sources.
First, get insight into your email channel
When a DMARC record is placed in the DNS, ISPs that have adopted DMARC will start sending DMARC reports to the addresses defined in the RUA and RUF tags of the DMARC record. The information sent in the DMARC reports gives insight into all sources that send email on behalf of a domain. Based on this information it is possible to start authenticating and aligning email with DMARC.
To start receiving DMARC reports, which provide the information needed to improve the compliance of sources, a DMARC record has to be placed on the domain whose compliance needs to be improved. This can be done in three steps:
- Log in to the Control Panel of your DNS vendor.
- Select the domain which needs to be updated and open the DNS Editor.
- Add a DMARC record to the domain. We recommend generating one using our DMARC Record Generator.
More information on how to set up DMARC can be found in our DMARC setup guides.
Why are non-compliant sources being reported?
After a DMARC record is published and DMARC data is gathered, it is possible to determine whether all valid sources are authenticated and aligned properly. If this is not the case, non-compliant emails will be reported back to you in the DMARC reports. It is possible that X% of the emails coming from a valid source are not DMARC compliant. To resolve this, SPF and DKIM signing should be set up correctly for all valid sources of an organization. In order to send DMARC compliant email, either the DKIM signature or the SPF setup needs to align with the ‘From’ address. This means that the source sending email on behalf of a certain domain should either set up SPF or sign DKIM using the ‘From’ domain.
How to align email with DMARC?
Follow two simple steps to improve DMARC compliance.
- Align SPF on all valid sources
To correctly authenticate SPF for the sources which are allowed to send email on behalf of a certain domain, the domain within the RFC5321.MailFrom (MAIL FROM) portion of SMTP, or the RFC5321.EHLO/HELO domain, needs to align with the ‘From’ domain. These may be different domains, and they are typically not visible to the end user. Most of the time the ‘Return-Path’ header is used for this.
Example for SPF:
You send mail from yourdomain.com using some-esp.com. This ESP has set up bounce processing and therefore uses a ‘Return-Path’ header of [email protected]. As you have entered the ESP in your SPF record, SPF will pass. However, as the domain in the Return-Path header does not match yourdomain.com, these messages do not align. The ESP should change the Return-Path header or add an aligned DKIM signature.
- Align DKIM on all valid sources
To correctly authenticate DKIM for the sources which are allowed to send email on behalf of a certain domain, the domain used to create the signature (provided through the d= parameter) should match the domain in the ‘From’ header.
Example for DKIM:
You send mail from yourdomain.com using some-esp.com. This ESP correctly signs these mails with a DKIM signature. They do this using their domain some-esp.com. This DKIM signature itself is valid and passes. However, as the signing domain some-esp.com does not match your domain, these messages are not aligned. The ESP should sign the messages using yourdomain.com to make these messages DMARC compliant.
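To see both alignment failures in report data, the following added example (not part of the original article or any DMARC Analyzer tooling) reads a constructed aggregate (RUA) report and explains, per source IP, why SPF or DKIM did not count towards DMARC. The function names, IP addresses and the simplified alignment rule are assumptions made for the illustration.

```python
import xml.etree.ElementTree as ET

# Constructed aggregate (RUA) report, trimmed to the fields read below.
SAMPLE = """<feedback>
 <record>
  <row><source_ip>192.0.2.10</source_ip><count>40</count>
   <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>yourdomain.com</header_from></identifiers>
  <auth_results>
   <dkim><domain>some-esp.com</domain><result>pass</result></dkim>
   <spf><domain>some-esp.com</domain><result>pass</result></spf>
 </auth_results></record>
 <record>
  <row><source_ip>192.0.2.20</source_ip><count>12</count>
   <policy_evaluated><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>yourdomain.com</header_from></identifiers>
  <auth_results>
   <dkim><domain>yourdomain.com</domain><result>pass</result></dkim>
   <spf><domain>some-esp.com</domain><result>pass</result></spf>
 </auth_results></record>
</feedback>"""

def aligned(auth_domain, from_domain):
    # Assumption: exact match or subdomain of the From domain. Receivers in
    # relaxed mode compare organizational domains (Public Suffix List).
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f or a.endswith("." + f)

def review(report_xml):
    """Return (source_ip, count, compliant, reasons) for each record."""
    findings = []
    for rec in ET.fromstring(report_xml).iter("record"):
        from_dom = rec.findtext("identifiers/header_from")
        # The receiver's own aligned verdicts; one pass is enough for DMARC.
        verdicts = [rec.findtext(f"row/policy_evaluated/{m}") for m in ("dkim", "spf")]
        reasons = []
        for mech in ("spf", "dkim"):
            for res in rec.findall(f"auth_results/{mech}"):
                dom, result = res.findtext("domain"), res.findtext("result")
                if result != "pass":
                    reasons.append(f"{mech} {result} for {dom}")
                elif not aligned(dom, from_dom):
                    reasons.append(f"{mech} passes for {dom}, not aligned with {from_dom}")
        findings.append((rec.findtext("row/source_ip"), int(rec.findtext("row/count")),
                         "pass" in verdicts, reasons))
    return findings

if __name__ == "__main__":
    print(*review(SAMPLE), sep="\n")
```

The first record is the ESP case from both examples above: SPF and DKIM pass for some-esp.com, yet neither aligns with yourdomain.com. The second record is compliant because the DKIM signature uses d=yourdomain.com.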
Having trouble finding out how certain sources can set up DKIM and/or SPF correctly?
Most sources have online documentation on how to correctly sign the emails sent through their platform using DKIM and SPF. However, there are also smaller ISPs which do not have this or do not support DMARC at all. If this is the case for one of your valid sources, it can be hard to determine how to properly align that source. DMARC Analyzer has an email template which can be sent to a source to ask them how to send DMARC compliant email via their platform. Please refer to our article about how to approach vendors for more guidance on approaching vendors with DMARC related questions.