Do all email service providers support DMARC, and what does 'support' mean in this context?

Key findings

• Sending ESPs: These providers must enable the necessary infrastructure for senders to achieve SPF and DKIM alignment, which is crucial for DMARC pass rates. Without proper alignment, your DMARC implementation may not be effective.
• Receiving MBPs: Major mailbox providers like Gmail and Yahoo do support DMARC by checking records and applying policies, but the level of enforcement and reporting can vary. Not all MBPs are obligated to send DMARC reports or strictly adhere to policy requests like p=quarantine or p=reject.
• DMARC definition: DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an email authentication protocol that builds on SPF and DKIM. Its purpose is to give domain owners the ability to protect their domain from unauthorized use, often called email spoofing or phishing. Fortinet provides an overview of how DMARC works to verify email senders and help prevent fraud and spam. For more information, see Fortinet's explanation.
• Sender's responsibility: The implementation of DMARC is typically handled by the domain owner through DNS records, not directly by the ESP for sending purposes. However, the ESP's setup needs to facilitate alignment.

Key considerations

• Defining 'support': When inquiring about DMARC support, specify whether you mean the ESP's ability to facilitate DMARC for outbound mail, or the mailbox provider's adherence to DMARC policies for inbound mail.
• Varied enforcement: Even among MBPs that support DMARC, their actions on failing mail or their reporting mechanisms can differ significantly. Some might treat all DMARC failures as if a p=quarantine policy is in place, regardless of your published policy.
• No universal list: There isn't a single, regularly updated list detailing which ESPs or MBPs fully 'support' DMARC in every sense, due to the nuances of what 'support' entails.
• Reporting limitations: While DMARC includes a reporting mechanism (RUA and RUF), not all receiving MBPs send these reports, nor are they obligated to by the DMARC standard. This can make it challenging to gain full visibility into your DMARC performance across all recipients.

Key opinions

• ESPs must facilitate DMARC: Many marketers believe ESPs are responsible for providing the necessary setup for DMARC alignment. This includes proper SPF and DKIM configuration, ensuring the From: domain aligns with authentication domains.
• Varying MBP behavior: Marketers frequently observe that different mailbox providers (MBPs) handle DMARC failures and policy enforcement inconsistently, leading to unpredictable deliverability outcomes. This aligns with SiteGround's observation that most major email service providers support DMARC, though some may not fully implement the protocol. SiteGround explains this further.
• DMARC for reputation: Many marketers now see DMARC as a critical component for maintaining domain reputation and ensuring their emails reach the inbox, especially given the new requirements from major ESPs.
• Reporting needs: Access to DMARC aggregate reports is highly valued by marketers to understand authentication rates and potential spoofing attempts, even if ESPs don't always provide direct dashboards for this.

Key considerations

• Choosing the right ESP: Marketers need to verify that their ESP allows for custom domain sending and provides the necessary DNS records (SPF, DKIM) to ensure DMARC alignment.
• Monitoring deliverability: Despite DMARC implementation, marketers must continuously monitor their deliverability, as DMARC is just one factor among many. This includes understanding how DMARC impacts deliverability and if it improves outcomes. Suped offers guidance on whether DMARC improves deliverability.
• Policy progression: Starting with a p=none DMARC policy is often recommended to gather data before moving to more restrictive policies like p=quarantine or p=reject, ensuring legitimate mail is not blocked.
• Understanding reports: Interpreting DMARC reports (if received) is essential for identifying potential authentication issues or unauthorized use of their domain.

Key opinions

• No universal mandate: Experts clarify that the DMARC standard does not obligate receiving mailbox providers to send reports or act on policy requests within DMARC records. These actions are discretionary.
• Sender-side requirement for ESPs: Sending ESPs are required to have the technical infrastructure to enable senders to achieve DMARC alignment via SPF and DKIM. Without this, DMARC cannot effectively be implemented by the sender.
• Varying MBP interpretations: Even when a DMARC record is present, different mailbox providers may interpret and enforce policies (e.g., p=quarantine, p=reject) in their own ways, or not at all, leading to inconsistent outcomes.
• Importance of proper alignment: The success of DMARC hinges on the correct alignment of the From: domain with the SPF or DKIM authenticated domain. Without this, DMARC will fail. Learn more about how SPF, DKIM, and DMARC work.

Key considerations

• Active DMARC management: Even if cloud email providers claim DMARC support, domains often still need to actively implement and manage their DMARC records to gain full benefits, especially for outgoing email. The Global Cyber Alliance discusses this dilemma around cloud provider DMARC support.
• Understanding policy impact: Domain owners should carefully consider the implications of moving from a p=none policy to p=quarantine or p=reject, as it can affect legitimate email delivery if not configured correctly. Suped provides guidance on safely transitioning DMARC policy.
• DMARC is not a silver bullet: While essential, DMARC alone does not guarantee inbox placement or protect against all forms of email abuse. It's part of a broader email security and deliverability strategy.
• Collaboration with ESPs: Senders should engage with their ESPs to understand their specific DMARC capabilities and ensure proper setup for their sending domains.

Key findings

• DMARC foundation: DMARC builds upon existing email authentication protocols, namely SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail). It provides a way for domain owners to publish policies regarding how receiving mail servers should handle emails that fail SPF or DKIM authentication.
• Policy specification: The DMARC record, published in DNS, allows domain owners to specify policies like p=none, p=quarantine, or p=reject, indicating how receiving servers should treat unauthenticated mail from their domain. Suped offers a comprehensive list of DMARC tags and their meanings.
• Reporting mechanism: DMARC includes a reporting feature (RUA for aggregate reports, RUF for forensic reports) to provide domain owners with feedback on their email authentication results. However, the standard allows for flexibility in report generation and delivery by receivers.
• Purpose: DMARC's main goal is to reduce email fraud and phishing by helping receivers distinguish legitimate email from spoofed email, thereby protecting both senders' brands and recipients.

Key considerations

• Advisory policies: The DMARC specification treats the published policies (e.g., quarantine, reject) as recommendations or requests to receiving servers, not strict commands. Receivers retain the ultimate discretion on how to handle emails.
• Reporting is optional: While aggregate DMARC reports are highly beneficial for senders, the DMARC standard does not mandate that receiving mail servers send these reports. This means some receivers may not provide the desired visibility.
• Alignment requirement: For DMARC to pass, the domain in the From: header must align with the domain authenticated by SPF or DKIM. This alignment is a critical component that ESPs must facilitate for their customers.
• BIMI Group perspective: According to BIMI Group, a supporting mailbox provider checks the sending domain's DMARC policy and verifies it's configured with an enforcement policy. This indicates that 'support' for MBPs primarily means acting on the policy. Explore more on BIMI Group's FAQs.