DMARC
Hey, I’ll be participating in the next Certified Senders Alliance (CSA) webinar, where I’ll be chatting with Sebastian Kluth (CSA) and Karsten Vendler (LEGO Group) about where DMARC and BIMI are today and where we think this is all headed. It’s sure to be a fun discussion, and I’ll have some new data to share on DMARC and BIMI adoption. Please join us! It’s on June 1st at 10:00 am US central time, and you can register for it here. I hope to see you there! I also promise to annoy Karsten with many LEGO-related questions, like: is it truly fun to work for LEGO? Do you get many free LEGO blocks? Will you get me some free LEGO blocks? And more.
There are enough BIMI questions floating out there nowadays that I thought it’d be good timing to put together a BIMI mini-FAQ. If you did not already know, BIMI (Brand Indicators for Message Identification) is a way to attach a logo to your email sending domain, and with recent Gmail developments (not to mention Apple support), it’s poised to become rather a big thing. And assuming you did know what BIMI was, let’s jump right into the FAQ:

What’s that new blue checkmark thing at Gmail? How do I get that?

Gmail recently announced that for senders who implement BIMI, they’ll show a little blue checkmark next to the sender’s email address, showing that the sender has been validated. You’ll get that by implementing BIMI (with a VMC). Read more about that here.

What’s a VMC again and where do I get one of those?

VMC means “Verified Mark Certificate” and it’s a certification you
It looks like Microsoft are getting pickier about email address syntax, rejecting mail that uses illegal address formats. That might be what’s causing that “550 5.6.0 CAT.InvalidContent.Exception: DataSourceOperationException, proxyAddress: prefix not supported – ; cannot handle content of message” rejection. Why do we care? It’s good to send syntactically valid email in a warm fuzzies sort of way – it shows we know what we’re doing, and aren’t dodgy spamware – but it’s increasingly important to delivery as mailbox providers are tightening up on their syntax checks. But why are mailbox providers doing that? One reason is that authentication tech like DKIM and DMARC is built around them only being applied to email. Not to messages that kinda look like email. There are ways to bypass DKIM protections by sending invalid messages. As one example, if you send multiple copies of the From: header with different values a DKIM checker
SPF flattening is functionality meant to help deal with overly chunky SPF records that contain too many references to too many different service providers or IP addresses.

SPF flattening came about as a solution to a very specific problem: a lot of senders use multiple service providers, such as business email platforms like Outlook 365 or Google Workspace, CRM tools like Salesforce, ESP tools like Mailchimp, and more. Each of these comes with guidance to add a specific “include” to an SPF authentication record, and if you add enough of these different “includes” from a multitude of providers, you end up with complex DNS records that take far too many DNS lookups to fully process, beyond what is allowed in the SPF specification. Dmarcian indicates that their “SPF Surveyor” was the first tool to help address this problem by reading your existing SPF record and providing a new, smaller, “flattened” SPF record
Microsoft OLC, aka “Microsoft Outlook Consumer,” aka what used to be called Hotmail, now called Outlook.com (which includes the domains hotmail.com, outlook.com, live.com, msn.com, and all the other Microsoft domains I’ve listed here), will soon respect DMARC policy on inbound mail, declining to accept unauthenticated mail from domains with a DMARC policy of “reject.” Yahoo and Gmail already reject this type of failed mail today.

Current state: If an email message sent to Microsoft OLC domains failed DMARC and the DMARC domain had a policy of “reject,” Microsoft would not actually reject that email message. It would end up in the junk mail folder instead. (Even though the specification strongly suggests that this mail should be rejected.)

Why this is sub-optimal: It overrode a domain owner’s publicly stated desire (via that DMARC record in DNS) to reject mail that failed DMARC checks. This meant that more bad mail was likely to get into
Why Is SPF Flattening Relevant?

SPF has a limit of 10 DNS lookups; any mechanism (entry) requiring a lookup after the lookup limit will not be evaluated and will fail authentication. In some cases, people turn to SPF flattening tools to work around the 10 DNS lookup limit. When you add a new mechanism to your record, you require a new DNS lookup. The more services and third parties that send on your behalf, the more complicated and bloated your record can become. SPF record flattening can be an easy answer, but it is not the safest route.

How Does SPF Flattening Work?

In SPF flattening, hostnames are converted to IP addresses, which don’t count in the DNS lookup tally. Then you create your SPF records using the IP addresses instead of the hostnames. dmarcian developed SPF flattening as an experiment to work around the DNS lookup limit. In IETF’s RFC 7208
In this article, we present a guide on deploying DMARC on Cisco’s Email Security Appliance (ESA). If you believe that you already have your system’s DMARC authentication and reporting set up correctly, please take the time to read through the information and compare it to your current settings. These settings are industry best practices, and we encourage you not to diverge from them. Your ESA’s AsyncOS version should be 13+. If 14, it should be 14.0.2 or greater, due to a bug in lower versions of 14. NOTES: If you don’t set this up correctly, please don’t set it up at all. If it isn’t configured correctly, you’ll pollute valid data being sent from other sources, and your DMARC data may be blacklisted by aggregators. Varying settings from the recommendations in how or whether your environment performs SPF or DKIM verification will affect the ability of the system to perform adequate
Back in October 2019, Microsoft included ARC support in their Microsoft 365 Roadmap, stating that “[ARC] is now enabled for Office 365 hosted mailboxes.” But at that time it could only be used between Office 365 tenants, or from Microsoft’s in-house services. However in June of 2022 they made it possible for each tenant to […]
The other day, I ran across a complaint on LinkedIn. “Just saw another email go to the Promotions Folder with DKIM, SPF, and DMARC set up perfectly. Stop telling people this will fix their e-mail problems!” It’s not the first time I’ve heard this, and I can understand why the author is frustrated. But it’s important not to miss the true point — email authentication will help to improve inbox delivery. Because it does! But there’s a nuanced explanation to go along with that. The devil truly is in the details.

Email authentication is fantastic. SPF and DKIM both allow you to set yourself up as YOU in the eyes of mailbox providers — as opposed to just being one of the many clients of ESP or CRM platform X, based on a shared IP address or shared DKIM domain. This is a good thing, but it’s just the start.

Setting yourself
This guide describes the process for configuring Sendinblue to send DMARC-compliant messages. You will need to configure this source, and others you authorize, before advancing your DMARC policies to a more restrictive state, e.g., quarantine and/or reject. To bring this source into DMARC compliance, you will need access to Sendinblue’s administrative account and the domain’s DNS management console. From time to time, these instructions change with very little advance notice. Please always refer to documentation hosted by Sendinblue for the most complete and accurate information.

General information

Sendinblue provides a platform to send transactional and marketing emails. It is often used to send B2C (business-to-consumer) and B2B (business-to-business) emails. Many areas in your organization may use this service, including marketing, sales, and finance. Sendinblue supports DMARC compliance through DKIM and SPF alignment.

DKIM

To configure DKIM, you will need to access the domain’s settings. There are two ways to do this: