The question of whether all email service providers (ESPs) support DMARC is more complex than a simple yes or no. The term 'support' itself has different meanings depending on whether you're referring to a sending ESP (like Mailchimp, HubSpot, etc.) or a receiving mailbox provider (MBP) like Gmail or Yahoo. For sending ESPs, 'support' primarily means providing the necessary infrastructure to ensure DMARC alignment. For receiving MBPs, it concerns how they process incoming mail with DMARC records, including policy enforcement and report generation.
Key findings
Sending ESPs: These providers must enable the necessary infrastructure for senders to achieve SPF and DKIM alignment, which is crucial for DMARC pass rates. Without proper alignment, your DMARC implementation may not be effective.
Receiving MBPs: Major mailbox providers like Gmail and Yahoo do support DMARC by checking records and applying policies, but the level of enforcement and reporting can vary. Not all MBPs are obligated to send DMARC reports or strictly adhere to policy requests like p=quarantine or p=reject.
DMARC definition: DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an email authentication protocol that builds on SPF and DKIM. Its purpose is to give domain owners the ability to protect their domain from unauthorized use, often called email spoofing or phishing. Fortinet provides an overview of how DMARC works to verify email senders and help prevent fraud and spam. For more information, see Fortinet's explanation.
Sender's responsibility: The implementation of DMARC is typically handled by the domain owner through DNS records, not directly by the ESP for sending purposes. However, the ESP's setup needs to facilitate alignment.
Key considerations
Defining 'support': When inquiring about DMARC support, specify whether you mean the ESP's ability to facilitate DMARC for outbound mail, or the mailbox provider's adherence to DMARC policies for inbound mail.
Varied enforcement: Even among MBPs that support DMARC, their actions on failing mail or their reporting mechanisms can differ significantly. Some might treat all DMARC failures as if a p=quarantine policy is in place, regardless of your published policy.
No universal list: There isn't a single, regularly updated list detailing which ESPs or MBPs fully 'support' DMARC in every sense, due to the nuances of what 'support' entails.
Reporting limitations: While DMARC includes a reporting mechanism (RUA and RUF), not all receiving MBPs send these reports, nor are they obligated to by the DMARC standard. This can make it challenging to gain full visibility into your DMARC performance across all recipients.
Email marketers often approach DMARC support from two main perspectives: how their chosen Email Service Provider facilitates DMARC for their outbound campaigns, and how recipient mailbox providers handle their authenticated emails. The primary concern is whether their emails, sent via an ESP, will achieve DMARC alignment and thus higher deliverability, especially with new enforcement policies from major mailbox providers like Gmail and Yahoo. They also want to understand if they can access DMARC reporting through their ESP.
Key opinions
ESPs must facilitate DMARC: Many marketers believe ESPs are responsible for providing the necessary setup for DMARC alignment. This includes proper SPF and DKIM configuration, ensuring the From: domain aligns with authentication domains.
Varying MBP behavior: Marketers frequently observe that different mailbox providers (MBPs) handle DMARC failures and policy enforcement inconsistently, leading to unpredictable deliverability outcomes. This aligns with SiteGround's observation that most major email service providers support DMARC, though some may not fully implement the protocol. SiteGround explains this further.
DMARC for reputation: Many marketers now see DMARC as a critical component for maintaining domain reputation and ensuring their emails reach the inbox, especially given the new requirements from major ESPs.
Reporting needs: Access to DMARC aggregate reports is highly valued by marketers to understand authentication rates and potential spoofing attempts, even if ESPs don't always provide direct dashboards for this.
Key considerations
Choosing the right ESP: Marketers need to verify that their ESP allows for custom domain sending and provides the necessary DNS records (SPF, DKIM) to ensure DMARC alignment.
Monitoring deliverability: Despite DMARC implementation, marketers must continuously monitor their deliverability, as DMARC is just one factor among many. This includes understanding how DMARC impacts deliverability and if it improves outcomes. Suped offers guidance on whether DMARC improves deliverability.
Policy progression: Starting with a p=none DMARC policy is often recommended to gather data before moving to more restrictive policies like p=quarantine or p=reject, ensuring legitimate mail is not blocked.
Understanding reports: Interpreting DMARC reports (if received) is essential for identifying potential authentication issues or unauthorized use of their domain.
Marketer view
Marketer from Email Geeks explains that the definition of "email service provider" and "support" for DMARC needs to be clarified. It's important to distinguish between ESPs like Mailchimp and mailbox providers like Gmail.
12 Apr 2021 - Email Geeks
Marketer view
Marketer from SiteGround emphasizes that while most major email service providers (referring to MBPs) generally support DMARC, some may not have implemented the protocol fully.
15 Jan 2024 - SiteGround
What the experts say
Experts in email deliverability and security emphasize the distinction between a sending ESP's role in facilitating DMARC alignment and a receiving Mailbox Provider's (MBP) adherence to DMARC policies. They highlight that the DMARC standard itself does not impose obligations on receiving entities to send reports or strictly enforce stated policies. This nuance is crucial for understanding true 'DMARC support' across the email ecosystem.
Key opinions
No universal mandate: Experts clarify that the DMARC standard does not obligate receiving mailbox providers to send reports or act on policy requests within DMARC records. These actions are discretionary.
Sender-side requirement for ESPs: Sending ESPs are required to have the technical infrastructure to enable senders to achieve DMARC alignment via SPF and DKIM. Without this, DMARC cannot effectively be implemented by the sender.
Varying MBP interpretations: Even when a DMARC record is present, different mailbox providers may interpret and enforce policies (e.g., p=quarantine, p=reject) in their own ways, or not at all, leading to inconsistent outcomes.
Importance of proper alignment: The success of DMARC hinges on the correct alignment of the From: domain with the SPF or DKIM authenticated domain. Without this, DMARC will fail. Learn more about how SPF, DKIM, and DMARC work.
Key considerations
Active DMARC management: Even if cloud email providers claim DMARC support, domains often still need to actively implement and manage their DMARC records to gain full benefits, especially for outgoing email. The Global Cyber Alliance discusses this dilemma around cloud provider DMARC support.
Understanding policy impact: Domain owners should carefully consider the implications of moving from a p=none policy to p=quarantine or p=reject, as it can affect legitimate email delivery if not configured correctly. Suped provides guidance on safely transitioning DMARC policy.
DMARC is not a silver bullet: While essential, DMARC alone does not guarantee inbox placement or protect against all forms of email abuse. It's part of a broader email security and deliverability strategy.
Collaboration with ESPs: Senders should engage with their ESPs to understand their specific DMARC capabilities and ensure proper setup for their sending domains.
Expert view
Expert from Email Geeks states that the DMARC standard itself does not impose any obligation on the receiving side; they are not required to send reports, nor are they required to act on the policy requests specified in DMARC records.
12 Apr 2021 - Email Geeks
Expert view
Expert from SpamResource suggests that senders should not solely rely on the p=reject policy to stop all fraudulent emails, as DMARC is one layer in a multi-layered security approach, and some receivers may not strictly enforce it.
05 Mar 2023 - spamresource.com
What the documentation says
Official DMARC documentation (RFCs) and related industry standards clearly define the protocol's mechanics, its reliance on SPF and DKIM, and the roles of senders and receivers. While the standard strongly encourages receivers to process DMARC records and send reports, it explicitly states that these are not mandatory obligations. This distinction is fundamental to understanding what 'support' means from a technical and compliance perspective for both email service providers and mailbox providers.
Key findings
DMARC foundation: DMARC builds upon existing email authentication protocols, namely SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail). It provides a way for domain owners to publish policies regarding how receiving mail servers should handle emails that fail SPF or DKIM authentication.
Policy specification: The DMARC record, published in DNS, allows domain owners to specify policies like p=none, p=quarantine, or p=reject, indicating how receiving servers should treat unauthenticated mail from their domain. Suped offers a comprehensive list of DMARC tags and their meanings.
Reporting mechanism: DMARC includes a reporting feature (RUA for aggregate reports, RUF for forensic reports) to provide domain owners with feedback on their email authentication results. However, the standard allows for flexibility in report generation and delivery by receivers.
Purpose: DMARC's main goal is to reduce email fraud and phishing by helping receivers distinguish legitimate email from spoofed email, thereby protecting both senders' brands and recipients.
Key considerations
Advisory policies: The DMARC specification treats the published policies (e.g., quarantine, reject) as recommendations or requests to receiving servers, not strict commands. Receivers retain the ultimate discretion on how to handle emails.
Reporting is optional: While aggregate DMARC reports are highly beneficial for senders, the DMARC standard does not mandate that receiving mail servers send these reports. This means some receivers may not provide the desired visibility.
Alignment requirement: For DMARC to pass, the domain in the From: header must align with the domain authenticated by SPF or DKIM. This alignment is a critical component that ESPs must facilitate for their customers.
BIMI Group perspective: According to BIMI Group, a supporting mailbox provider checks the sending domain's DMARC policy and verifies it's configured with an enforcement policy. This indicates that 'support' for MBPs primarily means acting on the policy. Explore more on BIMI Group's FAQs.
Technical article
Documentation from Fortinet defines DMARC as an email security protocol that verifies email senders by building upon DNS, DKIM, and SPF, serving as a critical layer against email spoofing and phishing.
22 Mar 2024 - Fortinet
Technical article
Documentation from Amazon Web Services (AWS) focuses on the DMARC policy enforcement mechanism and explores reasons why email may fail DMARC policy evaluation, emphasizing the complexity of authentication.