BLOG

Tag: dmarc

ARC: Authenticated Received Chain

On Friday I talked a little about DMARC being a negative assertion rather than an authentication method, and also about how and when it could be deployed without causing problems. Today, how DMARC went wrong and a partial fix for it that is coming down the standards pipeline. What breaks? DMARC (with p=reject) risks causing problems any […]

1 Comment

The philosophy of DMARC

We know that legitimate email sent with valid SPF and a DKIM signature often breaks in transit. SPF will fail any time mail is forwarded – via a mailing list, a forwarding service used by the recipient, or just ad-hoc forwarding. DKIM will fail any time the message is modified in transit. That can be obviously […]

No Comments

Tools!

I just added a DMARC validation tool over on tools.wordtothewise.com. You can give it a domain – such as ebay.com – and it will fetch the DMARC record, then explain and validate it. Or you can paste the DMARC record you’re planning to publish into it,  to validate it before you go live. If you’ve not […]

2 Comments

Fun with opinions

Over the last few weeks I’ve seen a couple people get on mailing lists and make pronouncements about email. It’s great to have opinions and it’s great to share them. But they’re always a little bit right… and a little bit wrong. SPF is dead! This came from the new ESP of an experienced mailer. […]

1 Comment

Beware the oversimplification

Setting up a DMARC record is the easy bit. Anyone can publish a record in DNS that will trigger reports to them. The challenge is what to do with those reports and now to manage them. DMARC is a complex protocol. It builds on two other protocols, each with their own nuances and implementation issues. […]

No Comments

More on ARC

ARC – Authenticated Received Chain – is a way for email forwarders to mitigate the problems caused by users sending mail from domains with DMARC p=reject. It allows a forwarder to record the DKIM authentication as they receive a mail, then “tunnel” that authentication on to the final recipient. If the final recipient trusts the […]

No Comments

Ask Laura: Can you help me understand no auth / no entry?

Dear Laura, I’m a little confused by the term “no auth / no entry”. Gmail and other major receivers seem to be moving towards requiring authentication before they’ll even consider delivery. Does this just mean SPF and DKIM, or does this mean the much more stringent DMARC, as well? Thanks, No Shirt, No Shoes, No […]

3 Comments

DMARC p=reject

Mail.ru is switching to p=reject. This means that you should special-case mail.ru wherever … Actually, no. Time to change that script. If you operate an ESP or develop mailing list software you should be checking whether the email address that is being used in the From: address of email you’re sending is in a domain […]

1 Comment

Ask Laura: Do I have to publish DMARC?

  Dear Laura, I heard recently that both Gmail and Yahoo will require DMARC authentication in early 2016 or images will be automatically blocked. Is that correct? And if so, do you know when they will be requiring DMARC? A DMARC-Overwhelmed Admin Dear Overwhelmed, There are three things going on here, all of which are […]

2 Comments

More Yahoo domains get DMARC'd

Yahoo is turning on p=reject for 62 of their international domains on March 28, 2016. These domains include: y7mail.com yahoo.at yahoo.be yahoo.bg yahoo.cl yahoo.co.hu yahoo.co.id yahoo.co.il yahoo.co.kr yahoo.co.th yahoo.co.za yahoo.com.co yahoo.com.hr yahoo.com.my yahoo.com.pe yahoo.com.ph yahoo.com.sg yahoo.com.tr yahoo.com.tw yahoo.com.ua yahoo.com.ve yahoo.com.vn yahoo.cz yahoo.dk yahoo.ee yahoo.fi yahoo.hr yahoo.hu yahoo.ie yahoo.lt yahoo.lv yahoo.nl yahoo.no yahoo.pl yahoo.pt yahoo.rs yahoo.se […]

3 Comments