Who Drives DMARC?

Every time someone comes up with a new way of talking about mail back channels, it gets just a little more complex.

First, we had SPF. That was a relatively easy thing: add a TXT record to DNS that says which IPs your mail comes from and you’re set. You even had options to say whether or not the listed IPs were all of the IPs you would possibly use (the “-all” versus “~all” qualifier at the end of the record), as well as an option to include IPs owned by others (the “include:” mechanism, which is how an ESP’s sending addresses end up in a customer’s record).
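The SPF check described above, written out as an added example (this is not code from the original post). It resolves the two options the paragraph names, the “-all” / “~all” qualifier and the “include:” mechanism, against a constructed DNS table; the domain names and records in that table are assumptions, and a real checker would resolve them with a DNS library and also handle the a, mx, exists, ptr and redirect= terms that are left out here.

```python
"""SPF check_host() in miniature: is this IP allowed to send mail for this
domain, and how firmly does the domain owner say so?"""
import ipaddress

# Constructed DNS zone standing in for real TXT lookups (an assumption of this
# example; a real checker resolves these with a DNS library).
FAKE_DNS = {
    # Strict record: our own netblock, an ESP's netblock via include:, then -all
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.esp.example -all",
    # The ESP's own record, pulled in by the include: above
    "_spf.esp.example": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 ~all",
    # Same netblock, but the owner only softfails everything else
    "loose.example": "v=spf1 ip4:192.0.2.0/24 ~all",
    # A domain that sends no mail at all
    "nomail.example": "v=spf1 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_INCLUDE_DEPTH = 10  # RFC 7208 caps DNS-querying terms at 10 per check


def check_spf(domain, ip, dns=FAKE_DNS, depth=0):
    """Return the SPF result ("pass", "fail", "softfail", "neutral", "none",
    "permerror") for `ip` sending with an envelope sender in `domain`."""
    if depth > MAX_INCLUDE_DEPTH:
        return "permerror"
    record = dns.get(domain.lower())
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in terms[1:]:
        qualifier = "+"                       # a bare mechanism means "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            # "-all": the listed IPs are all we use; "~all": probably, but don't reject
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            # A v4 address is never inside a v6 network and vice versa
            if addr in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif name == "include":
            # include: matches only when the referenced domain's record passes
            if check_spf(arg, ip, dns, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        # a, mx, exists, ptr and redirect= are not modelled in this example
    return "neutral"                          # ran off the end without an "all"


if __name__ == "__main__":
    for dom, ip in [("example.com", "192.0.2.10"),      # our own netblock
                    ("example.com", "198.51.100.7"),    # the ESP, via include:
                    ("example.com", "203.0.113.5"),     # nobody we listed
                    ("loose.example", "203.0.113.5"),   # same, but ~all
                    ("nomail.example", "192.0.2.10")]:
        print(f"{dom:16} {ip:14} -> {check_spf(dom, ip)}")
```

The difference between the last three results is the whole point of the qualifier: the same unknown IP is a hard “fail” under “-all” but only a “softfail” under “~all”, and a receiver applying SPF alone treats those very differently.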

Then came DKIM. This was more complex than SPF: now you have to add a cryptographic signature to your outgoing mail, with the matching public key published in DNS under your domain, so that a receiver can verify the message hadn’t been changed in transit.

Now, it’s important to note here that SPF and DKIM check different things. DKIM validates the message that was sent (the signed headers and body, tied to the domain in the signature), while SPF validates the IP the message is sent from, and it does so against the envelope sender (Return-Path) domain rather than the From address the recipient actually sees.

Both of these are things that a good ESP will generally drive when it comes to adoption. It might be a default offering or it might be an add-on that you have to pay for. Either way, declaring where a message is coming from and then properly signing it are things that an ESP, any ESP, should be really good at.

But the newest twist in authentication is DMARC (and yes, I know DMARC is a few years old now). Unlike SPF and DKIM, a DMARC record is a statement of policy. DMARC says “If a message doesn’t authenticate with either SPF or DKIM in a way that aligns with my From domain, here’s what I want you to do with it,” with the choices being none, quarantine or reject. (It goes on to give options for how to receive reports about what providers are seeing.) Saying “what I want” is a very different thing from saying “here is a list of the IPs that I’m using” or “here’s a cryptographic signature so you know nothing changed between here and there.”
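The evaluation a receiver performs on behalf of the domain owner, covering both the point that SPF and DKIM authenticate different identifiers and the point that DMARC only adds policy on top of them, as an added example (not code from the original post). It takes the SPF and DKIM verdicts for a message, checks that the domain each one authenticated aligns with the visible From domain, and only then consults the published record. The domain names and records are constructed for the example; the organizational-domain helper is a simplification (real receivers use the Public Suffix List), and the pct= and report tags are parsed but not acted on.

```python
"""DMARC in miniature: combine a message's SPF and DKIM verdicts with the
domain owner's published policy to decide what the receiver should do."""


def org_domain(domain):
    """Organizational domain, approximated as the last two labels.

    Assumption of this example: real receivers consult the Public Suffix List
    so that names like example.co.uk come out right.
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_dmarc(txt):
    """Parse a record such as "v=DMARC1; p=reject; rua=mailto:..." into a tag
    dictionary, rejecting anything that is not a usable policy record."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record: " + txt)
    policies = ("none", "quarantine", "reject")
    if tags.get("p") not in policies:
        raise ValueError("missing or invalid p= tag: " + txt)
    if "sp" in tags and tags["sp"] not in policies:
        raise ValueError("invalid sp= tag: " + txt)
    for tag in ("adkim", "aspf"):
        if tags.get(tag, "r") not in ("r", "s"):
            raise ValueError(f"invalid {tag}= tag: " + txt)
    return tags


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: strict ("s") needs an exact match, relaxed ("r")
    only needs the same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_disposition(record, from_domain, spf_pass, mail_from_domain,
                      dkim_pass, dkim_domain):
    """Return "pass", or the owner's policy to apply ("none", "quarantine",
    "reject") when neither authenticator passes in alignment.

    record           DMARC TXT record, assumed published at the organizational
                     domain of from_domain
    from_domain      domain of the RFC 5322 From: header the user sees
    spf_pass, mail_from_domain   SPF verdict and the envelope sender domain it
                     was computed for (None if there was none)
    dkim_pass, dkim_domain       DKIM verdict and the d= domain of the signature
    """
    tags = parse_dmarc(record)
    spf_ok = bool(spf_pass and mail_from_domain
                  and aligned(from_domain, mail_from_domain, tags.get("aspf", "r")))
    dkim_ok = bool(dkim_pass and dkim_domain
                   and aligned(from_domain, dkim_domain, tags.get("adkim", "r")))
    if spf_ok or dkim_ok:
        return "pass"          # one aligned, passing authenticator is enough
    # Failed or unaligned: the owner's policy decides. sp= (if present)
    # overrides p= for mail from subdomains of the organizational domain.
    if from_domain.lower() != org_domain(from_domain) and "sp" in tags:
        return tags["sp"]
    return tags["p"]


if __name__ == "__main__":
    # Constructed scenario: an ESP sends for example.com from its own hosts.
    # SPF passes, but for the ESP's bounce domain, which does not align.
    for record in ("v=DMARC1; p=none; rua=mailto:dmarc@example.com",
                   "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"):
        for dkim_d in ("esp.example", "example.com"):
            verdict = dmarc_disposition(record, "example.com",
                                        True, "bounces.esp.example",
                                        True, dkim_d)
            print(f"{record:48} DKIM d={dkim_d:12} -> {verdict}")
```

Run the scenario and the two halves of the post meet: with the ESP signing under its own domain, the message passes SPF and passes DKIM yet fails DMARC, and what then happens to it (delivered, quarantined or rejected) is decided entirely by the p= value the domain owner published, not by anything the ESP did.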

If there’s one thing you really don’t want, it’s having someone external to your company determine policy for you. That really is a job for your company’s own Security and/or Trust team. This is especially true when you want to send marketing email that looks like it comes from your main domain. Why? Because the policy you set then covers not only your marketing messages but all of the mail your company sends from that domain, and a receiver will apply it to every message that fails to authenticate, whoever sent it. The appropriate people to make policy decisions about all of the messages sent by a domain are rarely found in the marketing department, much less at an external mail service vendor.

Does that mean your ESP has no role to play? They can certainly do the things they’re good at: helping set an appropriate SPF record and making certain that outgoing mail is properly signed with DKIM under your domain, so that the signature aligns with the From address your policy protects. But policy decisions should be made by internal personnel, not by external vendors.