DMARC: Please Be Careful!
Every couple of days, somebody new pops up on the DMARC-Discuss mailing list to ask some question or share an observation. It’s great to see people interested and joining the conversation. Clearly, DMARC interest and adoption are growing. What’s really frustrating, though, is that for about a quarter of the new subscribers, their first mailing list message goes to the spam folder in my Gmail account. It has become sort of an intelligence test I apply to new subscribers — I’ve stopped digging those messages out of the spam folder. I’m figuring that if they can’t figure out how to implement a DMARC record, or they don’t understand that it’s not really compatible with mailing lists nor is it meant for hobbyist domains, then I think perhaps they’ve got some things they’ve got to figure out before they’re ready to join the discussion.
To that end, let me take a moment to jot down some recommendations for folks who are considering implementing DMARC.
- Testing and monitoring is very important. When you sign up to DMARC-Discuss, please also create a Gmail account, and subscribe that address to the list as well. If your list messages go to the spam folder, take a look at your DKIM or DMARC settings– my experience is that when this happens, you’ve probably got something set wrong, or your policy/configuration choice is overreaching (and perhaps poorly considered). Keep in mind that you’re making it harder for people to read your posts and respond to them. Not everybody’s going to go to the trouble of whitelisting you or clicking “not spam” every time you post.
- Remember that DMARC doesn’t play nice with mailing lists. DMARC is all about preventing misuse of your domain name, and it is very strict, by design. It’s very easy for mailing lists posts from a DMARC-using domain name to fail a DMARC check, because most mailing lists rewrite the return path or make other changes to the message, potentially invalidating a DKIM signature. Some folks would say that DMARC really has no place for usage on a domain with real, live users. That’s open to debate, but certainly, operational complexity increases.
- Remember that DMARC wasn’t really intended for use on hobbyist domains. If your domain name only has three valid users, and this includes your wife and dog, then you probably aren’t a valuable phishing target. I see a lot of people struggle to configure DMARC, spending effort on implementing it on domains that just do not need it. (Though I understand the desire to learn by testing it on your own domain name, or a small domain name, before implementing it on some large known-brand domain name you manage.)
It amazes me how many people have never thought of signing up for a Gmail or other account to see how their own messages are being handled by a large ISP. Please, please, please consider doing that.