DMARC is a way for a domain owner to say “If you see this domain in a From: header and it’s not been sent straight from us, please don’t deliver the mail”. If a domain is only used for bulk and transactional mail, it can mitigate a subset of phishing attacks without causing too many problems for legitimate email.
In other cases, it can cause significant problems. Some of those problems impact discussion lists, but others cause problems for ESPs servicing small companies and individuals. ESP customers use their email addresses in the From: field; if they’re a small customer using the email address provided by their ISP, and that ISP publishes a DMARC record with p=reject, a large chunk of the mail they’re sending will bounce. When that happens recipients will stop getting their email, they’ll be removed from the mailing list due to bounces, and there’s some risk of blocks being raised against the sending IP address.
Because of that, it’s good to be able to see what consumer ISPs are doing with DMARC.
I’ve created a tool at dmarc.wordtothewise.com that regularly checks a list of large consumer ISPs and webmail providers and sees what DMARC records they’re publishing.
There are two main variants of DMARC records.
One is policy “reject” – meaning that mail that isn’t authenticated (or for which authentication has been broken in transit) will likely be rejected.
The other is policy “none” – meaning that the ISP publishing the record doesn’t want recipients to change their delivery decisions, but are asking for feedback about their mailstream, and how much of it fails authentication. That can mean that the ISP is evaluating whether or not to publish p=REJECT, or is in the process of deploying p=REJECT. Or it can just mean that they’re using DMARC to monitor where mail using their domain in the From: address is being sent from. There’s no way to tell which is the case unless they’ve made an announcement about their plans.
Hopefully this will be a useful tool to monitor DMARC deployment by consumer ISPs, and to help diagnose delivery problems that may be caused by DMARC.
Who's publishing DMARC?
W
RSS - Posts
Excellent tool! Great resource to have as more and more ISPs begin to implement DMARC and take action, whether privately or stated publicly. I anticipate more and more organizations will leverage DMARC to protect their brand and email channel.
Well done!
Unfortunately, when any consumer ISP (or enterprise with real users using the domain) publish DMARC p=reject records it damages DMARC’s reputation, making it less likely that receivers will whole-heartedly support it and making it less useful for those who have a legitimate use for it (senders of bulk and transactional mail).
Awesome. Thanks for creating this tool!
We’re a mass mailer but also co-run our corporate mail from the same domain. The impact of DMARC has mostly been on scripted monitoring stuff where someone just threw a “cat something | mail -s foo” pipe. most everything else didn’t seem to break.
now, the real pain is actually google apps, who throttle any incoming mailbox that receives too much traffic for their taste – including DMARC aliases, info@ inquiries etc. not to mention they take 4 precious SPF queries. 😐