DMARC: The #1 Cause of Email Deliverability Problems

What is DMARC?

DMARC stands for Domain-based Message Authentication, Reporting, and Conformance. It is a security protocol designed to combat email spoofing in order to reduce phishing, spamming, and scamming. Used in combination with two other forms of email authentication, SPF and DKIM (DomainKeys Identified Mail), the presence of the DMARC policy record instructs receiving servers to cross-check successful authentication results for alignment with the visible “from” domain, and includes instructions on how to handle messages which do not pass.

If DMARC isn’t properly configured, organizations sending from email accounts on their company domains suffer email deliverability issues. Marketing emails and transactional emails (including website contact form submissions) are also negatively affected.

Implementing DMARC requires configuring specific settings on the domains which send email. The settings are DNS records that together form a system of checks determining whether an email was sent by a permitted sender for the domain and whether the authenticated identity aligns with it. “DMARC” can refer to the whole system of domain record settings required to implement it, or just to the DMARC policy record itself. The DNS records are listed at the end.

What Changed That is Now Causing Issues

Since at least February 2024, many email senders have experienced an increase in deliverability problems. The cause is that major email providers including Google and Yahoo began to enforce policies requiring adoption of DMARC. The purpose is to make their email platforms more strict about which emails they mark as suspicious, spam, or outright refuse to deliver to recipients on their systems. The February change date was announced by Google in October 2023 as official notification that email senders must prepare for the enforcement of the accompanying guidelines by making adjustments to their email domain settings.

Email Sender Guidelines

The top image is the warning message a recipient sees if Gmail flags an email as suspicious. Below that is Google’s Email Sender Guidelines.

Gmail’s Email Sender Guidelines, which are now being enforced, state that everyone (including Google Workspace users) sending email to personal Gmail users must comply with a set of sending requirements in order for their emails to be delivered to the intended recipients’ inboxes as normal. The guidelines include the requirement to implement sender authentication and DMARC. They also include additional requirements which bulk email senders (who send 5,000 or more messages per day) must meet.

[Image: Gmail Sender Guidelines and Suspicious Email Warning]

Some professionals have misunderstood the guidelines. Many have taken the list of requirements as applying only to bulk email senders who send more than 5,000 emails per day. That is not the case. The list applies to all senders, as its heading states. The “important” note about senders of more than 5,000 emails simply refers that group to the link in the sentence where the additional requirements are listed. 🤷🏻‍♀️ Just do it or hire it out, thereby securing your clients’ deliverability and protecting others from harm.

Email Delivery Failure

Unfortunately, many organizations did not heed the warning and were surprised by the consequences. Many senders had emails rejected outright very early, even though the rejection phase for non-compliant traffic was scheduled to begin in April. Part of the cause was likely new domains, for which enforcement actions were on an accelerated timeline. There are many reasons that email can fail normal delivery, and some of them seem to have become less tolerated since the change, for example using an email “from” address which does not match the actual sending domain.

If you are experiencing email deliverability problems, you may have been told by customers and suppliers that they haven’t been receiving your emails. Some receive them labeled with a warning that they are “suspicious” or “unauthenticated” email messages.

Make Email Safe Again 🧢

Without DMARC set up and monitored, scammers could be using your domain to send email to thousands of people around the world. They find domains and subdomains which haven’t been secured, then use those which haven’t yet been blacklisted. They use them to conceal their identity when sending emails with ill intent, often with the added benefit of appearing to be the trusted entity displayed on the email address.

The enforcement rollout by major email providers is a serious effort to reduce scams and cybersecurity threats, which are often initiated when bad actors send email disguised as the sender indicated. Until legitimate email senders implement DMARC correctly, their emails will be mistaken as spoofed or unauthorized and will fail to be delivered.

This email abuse causes problems for the domain owner – businesses like yours which suddenly can’t send email. The abused domains often become “blacklisted”, and websites can also be blocked on search engines if the blacklist-triggering behavior is extreme.

If these are some of the problems you have been experiencing, the most likely cause is that you, or whoever is managing your domain, have not taken steps to comply with DMARC.

If you think your domain or IP address has been blacklisted, you can check and then work towards restoring your domain’s reputation.

Realtime Blackhole Lists (RBLs)

“Blacklists” of email domains and IP addresses are collected and shared among email servers automatically. Having your domain end up in these lists means that your sender reputation is poor and you will encounter severe email deliverability problems. There are many reasons that email senders land on the blacklists. The most common are:

  1. Bad actors sent spam or scam emails from your domain which was then reported. This happened because the authentication and DMARC settings discussed in this article were not implemented or were too weak, allowing them to take advantage of the unprotected domain.
  2. The settings were not implemented, making the legitimate emails your organization sent look forged due to the missing signs of secure authentication.
  3. Your organization sends marketing emails and had numerous reports by recipients that it was spam. This could be because a) you did not obtain explicit consent to send them marketing emails or b) you sent emails to your list of your subscribers after a pause during which they changed their mind or forgot they had subscribed.
  4. Email sent by your organization was marked as spam by anti-spam software due to detection of spammy language and/or the types and amount of links.

Blacklist Lookup and Removal Tools

Spamhaus.org – Look up your sending domain at Spamhaus, a reputable non-profit blacklist provider. If you are found on the list, a note about issues and solutions may be provided on the page.

Email Sender Reputation – Here is an article by Sendgrid about the domain and IP addresses as factors of email sender reputation, which impacts deliverability. TL;DR: both IP and Domain are considered. Even if you send from different IP addresses, the Domain accrues a reputation “score”.

Microsoft Blacklist Removal

Microsoft manages its own blacklists. If your email domain has been blacklisted by Microsoft, you will receive a message similar to this Non Delivery Report (NDR):

550 5.7.606-649 Access denied, banned sending IP [IP address] (ex. 5.7.511 Access denied)

  • Microsoft Office365 – If you have fixed the issues which were causing your emails to be banned, you can forward the NDR email to the Microsoft email address listed in the notice. Another method is to submit your sending domain and its IP address. For more information, watch this instruction video.
  • Microsoft Outlook Blacklist Removal – If you have been blacklisted from Outlook.com, you can use: Outlook list removal tool here (requires Microsoft account login).

My Thoughts

As a website developer who works with servers, email and domains, email deliverability and security are issues I take seriously. I stay up to date on news about exploits and have fixed many problems in this realm. I see sending reports which reveal thousands of attempts by imposters to send email from others’ domains. This is why it worries me to observe that many domain owners, marketers, and web designers are not taking steps to prevent this.

What I see is that it is quite common for domains to have the DMARC policy of “p=none”, which is like having no policy whatsoever. In fact, I have read that the White House (.gov) domain also has this non-policy setting. Do a search for “dmarc whitehouse gov”. The stricter options are “quarantine” or “reject”, but there seems to be a lack of awareness surrounding them.

There have been warnings by the NSA and FBI about hostile nations taking advantage of this no-policy weakness. They are also exploiting an even more common mistake: domain owners have no settings on their subdomains – no SPF and DomainKeys records, and a DMARC policy of p=none.

Recommendations

Setup guides for email hosts, email marketing platforms, and other services often recommend “p=none” as the default DMARC policy. However, this should come with a clear recommendation of adopting a stricter policy once deliverability is stable.

Technical experts emphasize that “p=none” should only be used initially, while monitoring. Email security managers have standard procedures for monitoring email send failures and spoof attempts. This stage of monitoring send reports and resolving issues is necessary before a successful transition to stricter policy settings can be made. Given the rise in email misuse, it is important to schedule the move out of the “p=none” stage.

When clients use any of my email setup or improvement services, I properly implement, monitor and transition DMARC for protection and deliverability. This is necessary for the following: domain email accounts, SMTP sending for website forms and other notifications, and custom domains used on email marketing platforms.

See the email services I provide to web professionals as well as directly to consumers.

Email DNS Records – These are records which most commonly must be added or changed for email services when using an outside email host such as Google Workspace, email marketing, and SMTP for website notifications:

  • MX – “Mail Exchange” record. The information to add to this record is provided by the Email Service Provider.
  • DKIM – “DomainKeys Identified Mail” record is a text record containing a public key which is provided by the Email Service Provider. The sending email server signs each message with the matching private key, and receiving email servers use the published public key to verify that signature. A verified DKIM signature is one part of determining whether the email is authentic.
  • SPF – “Sender Policy Framework” record is a text record listing which server domains or IP addresses are authorized to send mail from this domain and how strictly mail from other sources should be judged.
  • DMARC – As noted at the beginning of the article, the DMARC record contains the policy for how to handle email that does not align with the authentication standards. Here, we instruct recipient email servers whether to reject, quarantine, or do nothing when all or some of the authentication measures do not align or pass. Reporting addresses are also added here.

More information can be found at:

Contact us if you need DMARC email services.

  • What is DMARC?

    DMARC stands for Domain-based Message Authentication, Reporting, and Conformance. It is a security protocol designed to combat email spoofing to reduce phishing, spamming, and scamming. Read: What is DMARC? New Enforcement is Disrupting Email Deliverability. It improves deliverability, increasing the chance that emails you send will be received and not marked as spam.

  • What does DMARC do for email?

    It provides authentication that email was sent from the domain shown in the sender’s email address to reduce unauthorized sending from your domain (spoofing). This greatly reduces the chance of your domain being used by others to send spam and phishing email campaigns, and improves deliverability.

  • How does DMARC help email deliverability?

    If it is properly and adequately implemented, DMARC helps deliverability by proving that email was sent from the domain shown in the sender’s email address. This proof signals to receiving email servers that your domain wasn’t spoofed as is often the case by bad actors who send phishing and spam emails. Your email domain will become more trusted and less likely to have emails sent to spam folders or refused.

  • Is DMARC necessary?

    Absolutely. In the past, email senders could get by without properly setting it up. Since email spoofing has increased, it is now being enforced more strictly by email service providers. Email spoofing and abuse is the problem of emails being sent from domains and IP addresses without the knowledge of their owners, usually for devious reasons. It is now necessary to comply so that legitimate emails will be delivered as expected and a good domain reputation is preserved.

  • How Do You Fix DMARC Problems?

    There are a few key DNS records on the domain which need to have the right settings for effective DMARC implementation. In addition, the sender email address must match the sending domain. Contact us about this service.
