DMARC: Please Be Careful!

(Cross posted from Spam Resource.)

Every couple of days, somebody new pops up on the DMARC-Discuss mailing list to ask some question or share an observation. It’s great to see people interested and joining the conversation. Clearly, DMARC interest and adoption are growing. What’s really frustrating, though, is that for about a quarter of the new subscribers, their first mailing list message goes to the spam folder in my Gmail account. It has become sort of an intelligence test I apply to new subscribers — I’ve stopped digging those messages out of the spam folder. I’m figuring that if they can’t figure out how to implement a DMARC record, or they don’t understand that it’s not really compatible with mailing lists nor is it meant for hobbyist domains, then I think perhaps they’ve got some things they’ve got to figure out before they’re ready to join the discussion.

To that end, let me take a moment to jot down some recommendations for folks who are considering implementing DMARC.

  1. Testing and monitoring is very important. When you sign up to DMARC-Discuss, please also create a Gmail account, and subscribe that address to the list as well. If your list messages go to the spam folder, take a look at your DKIM or DMARC settings– my experience is that when this happens, you’ve probably got something set wrong, or your policy/configuration choice is overreaching (and perhaps poorly considered). Keep in mind that you’re making it harder for people to read your posts and respond to them. Not everybody’s going to go to the trouble of whitelisting you or clicking “not spam” every time you post.
  2. Remember that DMARC doesn’t play nice with mailing lists. DMARC is all about preventing misuse of your domain name, and it is very strict, by design. It’s very easy for mailing lists posts from a DMARC-using domain name to fail a DMARC check, because most mailing lists rewrite the return path or make other changes to the message, potentially invalidating a DKIM signature. Some folks would say that DMARC really has no place for usage on a domain with real, live users. That’s open to debate, but certainly, operational complexity increases.
  3. Remember that DMARC wasn’t really intended for use on hobbyist domains. If your domain name only has three valid users, and this includes your wife and dog, then you probably aren’t a valuable phishing target. I see a lot of people struggle to configure DMARC, spending effort on implementing it on domains that just do not need it. (Though I understand the desire to learn by testing it on your own domain name, or a small domain name, before implementing it on some large known-brand domain name you manage.)

It amazes me how many people have never thought of signing up for a Gmail or other account to see how their own messages are being handled by a large ISP. Please, please, please consider doing that.


Your email address will not be published. Required fields are marked *

  • OTA joins the ISOC

    The Online Trust Alliance (OTA) announced today they were joining forces with the Internet Society (ISOC). Starting in May, they will operate as an initiative under the ISOC umbrella. “The Internet Society and OTA share the belief that trust is the key issue in defining the future value of the Internet,” said Internet Society President and CEO, Kathryn Brown. “Now is the right time for these two organizations to come together to help build user trust in the Internet. At a time when cyber-attacks and identity theft are on the rise, this partnership will help improve security and data privacy for users,” added Brown.No Comments

  • Friday blogging... or lack of it

    It seems the last few Friday's I've been lax on posting. Some of that is just by Friday I'm frantically trying to complete all my client deliverables before the weekend. The rest of it is by Friday I'm just tired. Today had the added complication of watching the Trumpcare debate and following how (and how soon) it would affect my company if it passed. That's been a bit distracting, along with the other stuff I posted about yesterday. I wish everyone a great weekend.1 Comment

  • Indictments in Yahoo data breach

    Today the US government unsealed an indictment against 2 Russian agents and 2 hackers for breaking into Yahoo's servers and stealing personal information. The information gathered during the hack was used to target government officials, security employees and private individuals. Email is so central to our online identity. Compromise an email account and you can get access to social media, and other accounts. Email is the key to the kingdom.No Comments