DMARC: Please Be Careful!

(Cross posted from Spam Resource.)

Every couple of days, somebody new pops up on the DMARC-Discuss mailing list to ask some question or share an observation. It’s great to see people interested and joining the conversation. Clearly, DMARC interest and adoption are growing. What’s really frustrating, though, is that for about a quarter of the new subscribers, their first mailing list message goes to the spam folder in my Gmail account. It has become sort of an intelligence test I apply to new subscribers — I’ve stopped digging those messages out of the spam folder. I’m figuring that if they can’t figure out how to implement a DMARC record, or they don’t understand that it’s not really compatible with mailing lists nor is it meant for hobbyist domains, then I think perhaps they’ve got some things they’ve got to figure out before they’re ready to join the discussion.

To that end, let me take a moment to jot down some recommendations for folks who are considering implementing DMARC.

  1. Testing and monitoring is very important. When you sign up to DMARC-Discuss, please also create a Gmail account, and subscribe that address to the list as well. If your list messages go to the spam folder, take a look at your DKIM or DMARC settings; my experience is that when this happens, you’ve probably got something set wrong, or your policy/configuration choice is overreaching (and perhaps poorly considered). Keep in mind that you’re making it harder for people to read your posts and respond to them. Not everybody’s going to go to the trouble of whitelisting you or clicking “not spam” every time you post.
  2. Remember that DMARC doesn’t play nice with mailing lists. DMARC is all about preventing misuse of your domain name, and it is very strict, by design. It’s very easy for mailing list posts from a DMARC-using domain name to fail a DMARC check, because most mailing lists rewrite the return path or make other changes to the message, potentially invalidating a DKIM signature. Some folks would say that DMARC really has no place on a domain with real, live users. That’s open to debate, but certainly, operational complexity increases.
  3. Remember that DMARC wasn’t really intended for use on hobbyist domains. If your domain name only has three valid users, and this includes your wife and dog, then you probably aren’t a valuable phishing target. I see a lot of people struggle to configure DMARC, spending effort on implementing it on domains that just do not need it. (Though I understand the desire to learn by testing it on your own domain name, or a small domain name, before implementing it on some large known-brand domain name you manage.)
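To make item 2 concrete, here is an added example (not code from the original post) that evaluates DMARC identifier alignment the way RFC 7489 defines it and runs it through the mailing-list case: the list rewrites the return path to its own bounce domain and its subject tag breaks the author's DKIM signature. The record and the domain names (`example.com`, `lists.example.org`) are constructed for illustration, and the organizational-domain helper is a two-label shortcut that stands in for a Public Suffix List lookup.

```python
"""DMARC alignment check, with the mailing-list failure mode from item 2.

Added example, not code from the original post. Identifier alignment follows
RFC 7489 (adkim/aspf, relaxed "r" vs strict "s"); the record, domains and
scenarios below are constructed for illustration.
"""


def parse_dmarc_record(txt):
    """Parse a DMARC TXT record ("v=DMARC1; p=reject; adkim=s; ...") into a dict.

    Missing adkim/aspf default to relaxed ("r"), as the spec requires.
    """
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a valid DMARC record: %r" % txt)
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags


def organizational_domain(domain):
    """Simplified organizational domain: the last two labels.

    A real validator consults the Public Suffix List (think "example.co.uk");
    this shortcut is only adequate for the constructed domains used here.
    """
    return ".".join(domain.lower().rsplit(".", 2)[-2:])


def is_aligned(header_from, authenticated_domain, mode):
    """Relaxed ("r"): organizational domains match. Strict ("s"): exact match."""
    if not authenticated_domain:
        return False
    if mode == "s":
        return header_from.lower() == authenticated_domain.lower()
    return organizational_domain(header_from) == organizational_domain(authenticated_domain)


def evaluate_dmarc(record, header_from, spf_pass_domain, dkim_pass_domain):
    """Return the DMARC result and the disposition a receiver would apply.

    spf_pass_domain:  RFC5321.MailFrom (return-path) domain for which SPF passed, or None.
    dkim_pass_domain: d= of a DKIM signature that verified, or None if none/broken.
    DMARC passes when either authenticated identifier aligns with the From: domain.
    """
    spf_aligned = is_aligned(header_from, spf_pass_domain, record["aspf"])
    dkim_aligned = is_aligned(header_from, dkim_pass_domain, record["adkim"])
    passed = spf_aligned or dkim_aligned
    return {
        "result": "pass" if passed else "fail",
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        # On failure the published p= policy applies (pct= sampling ignored here).
        "disposition": "none" if passed else record["p"],
    }


if __name__ == "__main__":
    # Constructed record and scenarios.
    record = parse_dmarc_record("v=DMARC1; p=reject; adkim=r; aspf=r; rua=mailto:dmarc@example.com")
    # Direct mail from the sender's own MTA: SPF and DKIM both for example.com.
    print("direct      :", evaluate_dmarc(record, "example.com", "example.com", "example.com"))
    # Via a mailing list: return path rewritten to the list's bounce domain
    # (SPF passes for lists.example.org) and the subject tag broke the DKIM signature.
    print("via list    :", evaluate_dmarc(record, "example.com", "lists.example.org", None))
    # Same list, but it re-signs with its own DKIM domain: still not aligned.
    print("list re-sign:", evaluate_dmarc(record, "example.com", "lists.example.org", "lists.example.org"))
```

The list case fails even though SPF and DKIM each pass on their own terms: neither authenticated domain belongs to the From: domain's organization, which is the whole point of alignment. With `p=reject` that means the subscriber's post is refused, not merely unsigned.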

It amazes me how many people have never thought of signing up for a Gmail or other account to see how their own messages are being handled by a large ISP. Please, please, please consider doing that.

