Should ESPs force DKIM and DMARC on paid customers, and what are the implications and downsides?

Key findings

• Industry norm: Forcing DKIM and DMARC is rapidly becoming the standard practice for ESPs, driven by new email authentication requirements from major mailbox providers. Outlook, for example, is enforcing stricter standards.
• Enhanced deliverability: Proper implementation of these protocols significantly improves email deliverability and strengthens sender reputation, reducing the likelihood of messages landing in spam folders.
• Onboarding overhead: While beneficial long-term, requiring customers to configure DKIM and DMARC can increase initial onboarding complexities for ESPs.
• Mailing list challenges: DMARC policies, particularly p=quarantine or p=reject, can disrupt legitimate email flows through traditional mailing lists due to header modifications.
• Perceived benefits: There's an ongoing debate among experts about the precise impact of DMARC on broad phishing prevention for person-to-person email and the availability of data to support strong claims.
• Business driver: Some argue that the push for widespread DMARC adoption is partly fueled by companies financially invested in DMARC services.

Key considerations

• Customer support: ESPs need robust onboarding processes and clear documentation to guide customers through the necessary DNS configurations to comply with these new mandates.
• User experience: ESPs must find a balance between enforcing security standards and ensuring a smooth experience for customers, especially smaller businesses that may lack technical resources.
• Legacy compatibility: The impact on long-standing email functionalities, such as mailing lists, requires careful consideration and potential workarounds.
• Transparency of benefits: Clear communication about the tangible benefits of DMARC and DKIM, supported by evidence where possible, is important to justify the implementation effort.
• Long-term strategy: ESPs are adapting to an email ecosystem where email authentication is becoming non-negotiable.

Key opinions

• Crucial requirement: Many marketers believe that mandating DKIM and DMARC is essential, especially given recent updates from Google and Yahoo.
• Strategic advantage: Implementing these protocols positions ESPs and their customers for better long-term deliverability and compliance.
• Positive trend: Forcing these authentication measures is seen as an amazing decision, even if it might present initial hurdles.
• Universal support: Many marketers express full support, calling the move to require DKIM and DMARC 100% the right way to go.
• Avoiding future issues: Proactive adoption helps prevent potential deliverability problems stemming from non-compliance in a tightening email ecosystem.
• Onboarding assistance: Modern APIs can significantly simplify the process of setting up custom domains and DNS records for clients.

Key considerations

• Implementation challenges: While beneficial, the process of configuring DKIM and DMARC can pose a challenge for clients, particularly those less technically inclined.
• Temporary disruption: There may be a minor, temporary loss of emails during the initial setup and transition phase.
• Domain ownership: A key question remains whether ESPs should also require customers to purchase their own domains for email sending.
• Beyond compliance: Marketers must understand that while DMARC protects exact domains, it does not prevent all forms of phishing, such as lookalike domain attacks.

Key opinions

• Proactive approach: ESPs mandating DKIM and DMARC is a sound business decision that prepares them for future email authentication requirements.
• Historical context: The current push for customer-domain authentication is a correction for past ESP practices of authenticating on behalf of customers.
• Simplicity of setup: DKIM setup is largely automated, and DMARC at p=none is a relatively simple DNS record addition, minimizing customer effort.
• Mailing list breakage: DMARC policies at p=quarantine or p=reject can cause legitimate emails to fail when sent through mailing lists, impacting basic email functionality. RFC 7960 details mailing list and DMARC issues.
• Exaggerated claims: Some experts question the exaggerated claims about DMARC's ability to stop phishing, noting a lack of empirical data to support such assertions.
• Complexity and profit: Concerns exist that DMARC's complexity is intentionally maintained by some entities that profit from DMARC-related services.
• Targeted protection: DMARC is highly effective at mitigating spoofing for exact domains and subdomains, but it is not designed to prevent all types of cyber attacks.

Key considerations

• Policy enforcement: Careful consideration is needed when moving to stricter DMARC policies, as they can inadvertently impact legitimate email flows.
• Data and transparency: There's a call for more transparent and quantifiable data on DMARC's actual impact on phishing reduction to inform industry decisions, as highlighted by discussions around email authentication.
• Interoperability: The conflict between DMARC and how email is commonly used, especially with mailing lists, needs ongoing attention and potential solutions.
• Phased implementation: Guiding customers through a careful, phased DMARC implementation is crucial to avoid unintended deliverability issues, particularly for smaller businesses with limited resources. Find out about key DMARC implementation considerations.
• Comprehensive security: DMARC is one component of a broader email security strategy; it should not be seen as a standalone solution for all email-related threats. Explore how SPF, DKIM, and DMARC affect deliverability.

Key findings

• Foundational protocols: SPF, DKIM, and DMARC form the backbone of modern email authentication, working together to verify sender identity.
• Policy and reporting: DMARC leverages SPF and DKIM authentication results to enable domain owners to publish policies for unauthenticated mail and receive reports.
• Mandatory for bulk senders: Recent updates from major mailbox providers are transitioning these protocols from recommended best practices to mandatory requirements, especially for high-volume senders.
• Combating spoofing: The primary objective of these authentication methods is to prevent email spoofing, phishing, and other forms of email fraud.
• Alignment requirement: DMARC specifically introduces an alignment check between the From: header domain and the SPF or DKIM authenticated domain.

Key considerations

• Complex implementation: Implementing these protocols correctly requires precise DNS record management and understanding of their interactions. For a clear overview, refer to a simple guide to DMARC, SPF, and DKIM.
• Policy impact: The chosen DMARC policy (none, quarantine, or reject) directly dictates how receiving mail servers should handle emails that fail authentication.
• Avoiding errors: Misconfigurations can lead to legitimate emails being marked as spam or rejected, underscoring the need for careful setup.
• Report analysis: Analyzing DMARC aggregate and forensic reports (RUA and RUF) is essential for monitoring email authentication status and refining policies. Understanding DMARC tags and their meanings is critical.
• Industry compliance: Adhering to these authentication standards is increasingly a prerequisite for achieving optimal email deliverability in the current email ecosystem.