Can I use DMARC with shared IP addresses?

Key findings

• Domain-centric: DMARC policies are published in the DNS for your domain, meaning they apply to the domain itself, not the specific IP addresses used for sending. This ensures that the policy covers all legitimate sending sources, irrespective of their IP configuration.
• Authentication alignment: For DMARC to pass, either SPF or DKIM must be aligned with the From: header domain. When using shared IPs, the SPF check might align with the sending service's domain (e.g., bounce.emailservice.com), not your actual From: domain, which can lead to SPF alignment failures for DMARC. However, DKIM alignment typically remains straightforward.
• DKIM's role: Given potential SPF alignment challenges with shared IPs, DKIM becomes crucial for DMARC success. As long as your DKIM signature is valid and the signing domain aligns with your From: header, DMARC will pass, even if SPF alignment fails.
• Initial implementation: It's best practice to start with a DMARC policy of p=none (monitoring only) to gather reports and understand your legitimate email streams before moving to enforcing policies like p=quarantine or p=reject. This is particularly important when using shared IPs as it helps identify any unexpected authentication failures.

Key considerations

• SPF alignment for shared IPs: When an email service provider (ESP) sends on your behalf using shared IPs, the Return-Path domain (which SPF checks) may be an ESP-controlled subdomain. This means SPF can pass, but not align with your organizational domain (the From: header domain), causing DMARC to rely solely on DKIM.
• Reliance on DKIM: If you rely on a single authentication method (DKIM) for DMARC pass when using shared IPs, you introduce a single point of failure. While DKIM is generally robust, it's something to be aware of.
• DMARC reports: Implementing DMARC, even with shared IPs, provides valuable visibility into your email ecosystem through DMARC aggregate and forensic reports. These reports reveal who is sending email on behalf of your domain, including unauthorized senders, and how well your legitimate emails are authenticating. This is critical for maintaining your domain reputation and improving inbox placement.
• Policy progression: While you can deploy DMARC with shared IPs, moving from p=none to p=quarantine or p=reject should be a cautious, iterative process, regardless of IP type. For more information on this, Email on Acid has a useful article on DMARC policies.

Key opinions

• DMARC works with shared IPs: Many marketers confirm that implementing DMARC for a domain that uses shared IPs is entirely feasible and recommended. DMARC operates at the domain level, so the underlying IP structure does not inherently prevent its use.
• Focus on domain reputation: Some marketers emphasize that with shared IPs, domain reputation becomes even more critical than IP reputation. DMARC plays a significant role in protecting and enhancing this domain reputation by preventing unauthorized use.
• DKIM for alignment: It's commonly stated that while SPF might not always align when using shared IPs (as the mail path is often via the ESP's domain), DKIM typically aligns, which is sufficient for DMARC to pass. This makes DKIM the primary alignment mechanism in such scenarios.
• Initial reporting policy: Marketers frequently advise starting with a DMARC policy of p=none to monitor performance and gather data. This allows them to identify any authentication failures or legitimate mail streams before applying enforcement policies.

Key considerations

• Understanding SPF alignment: Marketers must understand that SPF records validate the sending IP, and with shared IPs, the Return-Path domain might belong to the ESP, not their custom domain. This can lead to DMARC only passing via DKIM alignment.
• ESP configuration: The ease of DMARC implementation with shared IPs often depends on how well the ESP supports and configures SPF and DKIM for your domain within their shared environment.
• Monitoring reports: Even with shared IPs, continuous monitoring of DMARC reports is essential to ensure legitimate emails pass authentication and to identify any potential issues or unauthorized senders trying to spoof your domain. This provides crucial insights into email deliverability.
• Managing shared IP reputation: While DMARC itself doesn't directly manage shared IP reputation, a strong DMARC policy helps protect your domain's reputation from the negative impact of other senders on the same blocklist or blacklist. Kickbox Blog offers excellent advice for senders on shared IPs.

Key opinions

• IPs don't negate DMARC: Experts universally state that DMARC is not dependent on IPs; it is a domain-level tool. You can and should implement DMARC regardless of your IP configuration (shared or dedicated).
• SPF and IPs: SPF is indeed IP-dependent, requiring authorized IPs to be listed. For DMARC, if these IPs are part of an aligned SPF record (where the Return-Path domain matches the From: domain), then the DMARC SPF check will pass.
• DKIM for DMARC pass: Even if SPF doesn't achieve DMARC alignment (common with shared ESP IPs where the Return-Path is an ESP subdomain), DMARC only requires *one* of SPF or DKIM to align. DKIM is usually reliable for alignment in shared IP scenarios.
• Start with p=none: Experts strongly recommend initiating DMARC with a p=none policy to gather reports and assess email streams. This slow is fast approach helps ensure that enforcing policies (quarantine/reject) do not inadvertently block legitimate email traffic.

Key considerations

• DMARC reports provide utility: The core utility of DMARC, particularly with shared IPs, lies in its reporting feature. These reports offer crucial insights into email authentication results and identify all sources sending mail for your domain, helping you manage potential abuse and challenges for DMARC implementation.
• Risk tolerance: While relying solely on DKIM for DMARC alignment is often safe, it technically creates a single point of failure. The decision to enforce DMARC (go beyond p=none) should consider your organization's risk tolerance and a detailed understanding of your email infrastructure.
• Comprehensive understanding: Experts advise that a nuanced understanding of DMARC's interaction with SPF and DKIM is necessary, especially concerning edge cases or when not having RUA (reporting URI for aggregate reports) set up. This comprehensive view helps ensure proper DMARC setup with multiple email senders.
• IPs in SPF records: While DMARC doesn't care about the shared nature of IPs, SPF records do. Mailgun's blog explains how DMARC instructs ISPs to reject emails from fraudulent IPs, which relies on SPF's ability to identify authorized sending sources.

Key findings

• DMARC is domain-centric: DMARC records are published as TXT records in a domain's DNS, containing instructions for how email servers should handle messages that fail authentication. This inherently ties DMARC to the domain, not the specific sending IP.
• Authentication alignment is key: DMARC evaluates email based on the alignment of the RFC5322.From (header from) domain with either the RFC5321.MailFrom (envelope from) domain for SPF, or the d= tag in the DKIM signature. IPs are relevant to SPF, but the alignment (or lack thereof) is what DMARC assesses.
• Importance of DKIM in shared environments: In shared IP scenarios, ESPs often control the RFC5321.MailFrom domain. This means SPF alignment for DMARC may fail. However, DKIM can still provide alignment, making it a critical component for DMARC success when using shared IPs.
• Policy enforcement based on domain: A DMARC policy instructs receiving servers on how to handle emails claiming to be from your domain, whether by rejecting, quarantining, or monitoring. This instruction applies to the domain, not the specific IP addresses, underscoring DMARC's domain-centric nature.

Key considerations

• Accurate SPF records: While DMARC itself is domain-level, it relies on accurate SPF records that include all legitimate sending IPs (whether shared or dedicated). Documentation stresses that including clearly authorized IP addresses in SPF records is vital for proper authentication.
• DNS setup for DMARC: To set up DMARC, organizations must publish a DMARC TXT record with their DNS registrars. This DNS entry serves as the official declaration of their DMARC policy, which mail receivers then consult.
• DMARC reports detail IP behavior: Although DMARC policies don't directly manage IPs, the DMARC reports (aggregate and forensic) will list the source IP addresses associated with incoming email streams claiming to be from your domain. This provides transparency into all sending sources, including those on shared IPs.
• Universal applicability: Documentation indicates that DMARC is a standard for all mail sending domains, regardless of their size or the type of IP infrastructure they use. A DMARC record contains instructions for handling failed authentication, applicable universally.