DMARC Implementation Suggestion

  • Updated 7 months ago
Archived and Closed

This conversation is no longer open for comments or replies and is no longer visible to community members. The community moderator provided the following reason for archiving: EOL CLEANUP

With DMARC becoming more important, the lack of DMARC implementation by myEmma is becoming more of an issue. It is used heavily by email providers such as Google, Yahoo, Outlook, and Office 365. Getting mail to our recipients there is becoming increasingly difficult. I have been informed that DMARC is planned for implementation by the end of Q1 2018. I am very happy that you are at least looking at this.

There are two methods of DKIM compliance: SPF alignment, which references the envelope domain, and DKIM alignment, which references the DKIM key domain. SPF alignment is easier to do but does not cover problems caused by auto-forwarded emails. More emails would get through as the DKIM key can be more easily preserved in auto-forwarded emails.

We use an email forwarder called Mailgun and they implement both SPF and DKIM alignment so it is possible.

Implementing both SPF alignment and DKIM alignment would be best, but if you have to pick one, please pick DKIM.

Joe Klovance


Posted 12 months ago


Ben Harrington, Employee

Hi There,
Thank you for writing in and providing this feedback! I am going to go ahead and pass this on to our engineering team so they have this feedback when exploring DMARC implementation! 

-Ben

wordsofpeace.org.au

Is there any news on this? Or any service that can allow us to have an alias Return-Path?
We will need to set the return path to <our return path> in the email header to match the reply address to get 100% DMARC compliance. Currently the 'Return-Path' in the header shows:
Return-Path: <65015499.17099.3840715@e2ma.net>
and the Reply-To: our-reply-to-address

So when the emails are checked for DMARC compliance from Postmark we get:
⚠️ e2ma.net is authorized to send on behalf of <our-domain> however it looks like SPF and DKIM are still failing DMARC’s alignment test. DMARC looks at the Return-Path of a message to make sure the domain there matches the domain in your From address. If the Return-Path path doesn’t match your From address, those messages will fail DMARC’s SPF alignment test. Set up a DKIM record and check with this source about setting up custom Return-Path.

Our domain is on an AWS server and using Google as an email server ...
As mentioned, this compliance is getting very important, so have you guys come up with anything?

Grey Stepp, Support Team Manager

Hi there, 

While we still currently don't allow for DKIM records to be set on an individual account record, we do have a workaround that a lot of folks use if they have DMARC set up:

  1. Have your IT folks create a subdomain for you at customerdomain.com to use specifically for your Emma mailings. This subdomain can be anything you all choose. I suggest choosing a subdomain that is as specific to its use as possible (e.g. - e2ma.customerdomain.com)
  2. Add "sp=none" as a parameter to the DMARC record for customerdomain.com (v=DMARC1; p=reject; sp=none; rua=mailto:admin@customerdomain.com).
  3. Create a DMARC record for the subdomain that reads "v=DMARC1; p=none".
** setting sp=none for the top-level domain is ideal because it helps reduce false positives, but it is not necessary.

This will allow email that is sent from you using an email address at that subdomain via Emma to not be impacted by the authentication failure, while still offering DMARC protection to your top level domain. At that point, you would simply use an email address at your subdomain as your from address. When you have this workaround in place, you shouldn't see this issue continue.

Joe Klovance

All that your workaround will do is not create a response from our domain as to what is our recommended advice to do when DMARC fails. The receiving domain still produces a DMARC fail. The receiving domain does not have to follow that advice. They can do whatever they want if DMARC fails including blocking the email. This is not a complete workaround.

Joe Klovance

To clarify, all this workaround does is allow senders to have a DMARC policy published for most of their domains without sending that policy out for the MyEmma emails. You could set up a "block on fail" policy for some domains but the MyEmma domain would get no such suggestions. Some receivers really like the "block on fail" advice and will give them lower spam points. Some receivers will give high spam marks if no DMARC advice is given. The "workaround" will cause the latter issue.
This "workaround" does not help deliverability on the MyEmma sending domain; it just does not hurt deliverability on your other domains.
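
Added example, not part of any post in this thread and not Emma's or any receiver's code: a simplified RFC 7489 evaluation of the records quoted above, showing that the subdomain workaround changes only the requested policy while the DMARC result stays "fail", and that an aligned DKIM signature still passes on an auto-forwarded copy. Assumptions: the organizational domain is taken as the last two labels, the DKIM d= value of e2ma.net is assumed (the thread shows only the Return-Path), and RECORDS stands in for DNS lookups.

```python
# Added illustration (not Emma's or any receiver's code): simplified RFC 7489 logic.
RECORDS = {  # stands in for DNS TXT lookups at _dmarc.<domain>; values from the thread
    "customerdomain.com": "v=DMARC1; p=reject; sp=none; rua=mailto:admin@customerdomain.com",
    "e2ma.customerdomain.com": "v=DMARC1; p=none",
}

def parse_record(txt):
    """Turn 'v=DMARC1; p=reject; sp=none' into {'v': 'DMARC1', 'p': 'reject', ...}."""
    pairs = (part.split("=", 1) for part in txt.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def org_domain(domain):
    # Assumption: last two labels. Real code needs the Public Suffix List
    # (this shortcut is wrong for suffixes such as .org.au).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain):
    """Relaxed alignment: both names share one organizational domain."""
    return org_domain(auth_domain) == org_domain(from_domain)

def requested_policy(from_domain, records=RECORDS):
    """Record at the From domain wins; otherwise the org domain's sp=, then p=."""
    if from_domain in records:
        return parse_record(records[from_domain]).get("p")
    parent = org_domain(from_domain)
    if parent != from_domain and parent in records:
        tags = parse_record(records[parent])
        return tags.get("sp", tags.get("p"))
    return None

def evaluate(from_domain, spf_pass, return_path, dkim_pass, dkim_d):
    """DMARC passes if SPF or DKIM both passes and aligns with the From domain."""
    spf_ok = spf_pass and aligned(return_path, from_domain)
    dkim_ok = dkim_pass and aligned(dkim_d, from_domain)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if spf_ok or dkim_ok else "fail",
            "policy": requested_policy(from_domain)}

# Constructed messages. d=e2ma.net is assumed; the thread only shows the Return-Path.
direct = evaluate("customerdomain.com", True, "e2ma.net", True, "e2ma.net")
workaround = evaluate("e2ma.customerdomain.com", True, "e2ma.net", True, "e2ma.net")
custom_dkim = evaluate("customerdomain.com", True, "e2ma.net", True, "customerdomain.com")
# Auto-forwarded copy: SPF fails at the new hop, the DKIM signature survives.
forwarded = evaluate("customerdomain.com", False, "e2ma.net", True, "customerdomain.com")

if __name__ == "__main__":
    for name, r in [("direct", direct), ("workaround", workaround),
                    ("custom_dkim", custom_dkim), ("forwarded", forwarded)]:
        print(f"{name:12} {r}")
```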

wordsofpeace.org.au

The 'workaround' is not sufficient. Will you guys provide a real solution at any point, or change your policy about having individual DKIM records?