
Who Drives DMARC?

Every time someone comes up with a new way of talking about mail back channels, it gets just a little more complex.

First, we had SPF. That was a relatively easy thing. Add a text record to DNS that says where your mail is coming from and you’re set. You even had options to say whether or not the listed IPs were all of the IPs that you would possibly use, as well as an option to include IPs owned by others.

Then came DKIM. This was more complex than SPF. Now you have to add a cryptographic signature to your outgoing mail which would help to validate that the message hadn’t been changed.

Now, it’s important to note just here that SPF and DKIM check different things. DKIM validates the message sent and SPF validates the IP the message is sent from.

Both of these items are things that a good ESP will generally drive when it comes to adoption. It might be a default offering or it might be an add-on that you have to pay for. Either way, defining where a message is coming from and then properly signing it are things that an ESP — any ESP — should be really good at.

But, the newest twist in authentication is DMARC (and yes, I know DMARC is a few years old now). Unlike SPF and DKIM, a DMARC record is a statement of policy. DMARC says “If something doesn’t authenticate using either SPF or DKIM, here’s what I want you to do with it.” (It goes on to give options for how to receive reports about what providers are seeing.) Saying “what I want” is a very different thing than saying “here is a list of the IPs that I’m using” or “here’s a cryptographic signature so you know nothing changed between here and there.”
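To make that difference concrete, here is an added example (not from the post) of how a receiver applies a DMARC policy record: the message passes if either SPF or DKIM passed and the passing identifier aligns with the visible From: domain; otherwise the p= tag decides what happens, and the rua= tag says where aggregate reports go. The domain names and report address are constructed, and organizational_domain is a simplification of the Public Suffix List lookup real evaluators use.

```python
# Constructed sample record for a hypothetical domain (not from the post).
DMARC_RECORD = "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc-reports@example.com"


def parse_dmarc(txt):
    """Split a DMARC TXT record into its tag=value pairs."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def organizational_domain(domain):
    # Simplification: keep the last two labels. Real evaluators consult the
    # Public Suffix List so that e.g. example.co.uk is handled correctly.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Relaxed alignment ('r') accepts subdomains of the same organizational
    domain; strict alignment ('s') requires an exact match."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(auth_domain)


def dmarc_disposition(record, from_domain, spf_pass, spf_domain, dkim_pass, dkim_domain):
    """Return 'pass', or the policy action (none/quarantine/reject) from the p= tag.

    spf_domain is the domain SPF checked (MAIL FROM / envelope sender);
    dkim_domain is the d= tag of the passing DKIM signature. DMARC passes when
    at least one of them passed AND aligns with the header From: domain."""
    tags = parse_dmarc(record)
    spf_ok = spf_pass and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_pass and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    return tags.get("p", "none")
```

Note the first case below: an ESP that passes SPF only under its own bounce domain still fails DMARC for the customer's domain, which is why the DKIM signature (or a customer-owned return path) matters once a policy is published.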

If there’s one thing that you really don’t want, it’s having someone external to your company determine policy for you. That really is a job for your company’s own Security and/or Trust team. This is especially true when you want to send email that looks like it comes from your main domain. Why? Because the policy that you set then must include not only your marketing messages but also all of the mail that your company sends. The appropriate team members to handle policy decisions concerning all of the messages sent by a domain are rarely found in the marketing department much less an external mail service vendor.

Does that mean that your ESP doesn’t have a role to play? They can certainly do the things that they’re good at: helping set an appropriate SPF and making certain that outgoing mail is properly signed using DKIM. But, policy decisions should usually be set by internal personnel, not by external vendors.

About the Author

Mickey Chandler, Consultant & Attorney

Mickey Chandler is a Consultant & Attorney with over 28 years of experience in Email Deliverability & Privacy Law. He has a strong background in email authentication infrastructure (SPF, DKIM, DMARC), ISP and mailbox provider relations, anti-spam policy and compliance, CAN-SPAM and state anti-spam law gained through overseeing the Abuse & Compliance team at Salesforce Marketing Cloud, originating the ISP relations role at Informz (now part of Higher Logic), and working in the fight against spam since 1997. He holds a B.A. in Government, a B.S. in Computer Information Systems, and a J.D. from the University of Houston Law Center. He is a certified CIPP/US professional and a certified CIPM professional.