Is DMARC needed?

We would say: yes. DMARC exists because email was not designed with security in mind (and since that design dates back over half a century, who can blame its designers).

Both SPF and DKIM are somewhat older than DMARC, and you can use either of them on its own or both together. Each standard mitigates spam, phishing and other abuse of email identity by itself - but used on their own they cause some headaches as well.

DMARC is a simple but effective addition. It provides an overarching policy which makes your email setup less likely to break, and keeps you informed about the deliverability of your email.

One common case where having DMARC pays off is when your recipient has a setup where email is relayed as-is to another email address - a so-called ‘forwarding address’. Say you send an email to support@product.example, but the company automatically forwards its incoming email to team@example.com as-is (a common practice for decades) - after all, they can’t have people monitor a separate inbox for every product in their portfolio.

Since the IP address of the server at product.example is not included in the whitelist in your SPF record, the server at example.com would refuse your email if it relied on SPF alone.

Another case is when one of your users sends email to a mailing list. This may invalidate the digital signature (because the contents are slightly altered, for instance to add an unsubscribe notice) and may also cause the email to arrive from an IP address not listed in the SPF whitelist. Modern mailing list managers tend to have provisions for this, but you don’t control whether your users still have an old mailing list to e.g. distribute emails among team members.
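To make the forwarding and mailing-list cases concrete, here is an added example (not code from the original page) that models how DMARC combines the SPF and DKIM results with identifier alignment, as specified in RFC 7489. The scenarios are constructed; the `org_domain` helper is a simplification (a real verifier consults the Public Suffix List), and `other.example`, `lists.example.org` and `newsletter.example.com` are placeholder domains chosen for the example.

```python
# Added example (not from the original page): a simplified model of how DMARC
# combines the SPF and DKIM results with "identifier alignment" (RFC 7489).
# Scenarios are constructed; example.com / product.example are the placeholder
# domains used in the text above.
from dataclasses import dataclass


def org_domain(domain: str) -> str:
    """Organizational domain. Assumption for this example: the last two
    labels. Real implementations consult the Public Suffix List."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, header_from: str, mode: str) -> bool:
    """Strict ('s') alignment needs an exact match with the From domain;
    relaxed ('r') only needs the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == header_from.lower()
    return org_domain(auth_domain) == org_domain(header_from)


@dataclass
class AuthResult:
    header_from: str  # domain in the From: header the recipient sees
    spf_result: str   # SPF result for the envelope sender (MAIL FROM)
    spf_domain: str   # domain whose SPF record was checked
    dkim_result: str  # result of verifying the DKIM signature
    dkim_domain: str  # d= tag of that signature


def dmarc_pass(r: AuthResult, aspf: str = "r", adkim: str = "r") -> bool:
    """DMARC passes if EITHER mechanism passes AND is aligned with From."""
    spf_ok = r.spf_result == "pass" and aligned(r.spf_domain, r.header_from, aspf)
    dkim_ok = r.dkim_result == "pass" and aligned(r.dkim_domain, r.header_from, adkim)
    return spf_ok or dkim_ok


# Constructed scenarios matching the cases discussed in the text.
SCENARIOS = {
    # Your own mail server: both mechanisms pass.
    "direct": AuthResult("example.com", "pass", "example.com", "pass", "example.com"),
    # product.example forwards the message as-is: its IP is not in your SPF
    # record (SPF fails) but the untouched body still carries your DKIM signature.
    "forwarded": AuthResult("example.com", "fail", "example.com", "pass", "example.com"),
    # An old mailing list rewrites the envelope sender to its own domain and
    # edits the body (unsubscribe footer): SPF passes for the list domain only,
    # which is not aligned with From, and the DKIM signature no longer verifies.
    "mailing_list": AuthResult("example.com", "pass", "lists.example.org", "fail", "example.com"),
    # Message claiming to be from example.com but authenticated only for an
    # unrelated domain: both mechanisms "pass", neither is aligned, so DMARC fails.
    "unaligned": AuthResult("example.com", "pass", "other.example", "pass", "other.example"),
    # Unsigned mail from a subdomain: passes under relaxed, fails under strict.
    "subdomain": AuthResult("example.com", "pass", "newsletter.example.com", "none", "newsletter.example.com"),
}


def evaluate_scenarios(aspf: str = "r", adkim: str = "r") -> dict:
    """Return {scenario: DMARC pass?} for the published alignment modes."""
    return {name: dmarc_pass(r, aspf, adkim) for name, r in SCENARIOS.items()}


if __name__ == "__main__":
    for name, ok in evaluate_scenarios().items():
        print(f"{name:13s} DMARC {'pass' if ok else 'fail'}")
```

The "forwarded" scenario is the one the text describes: SPF alone would reject, but because DMARC accepts either aligned mechanism, the surviving DKIM signature carries the message through. The "mailing_list" scenario shows why an old list that edits the body is still a problem, and "unaligned" shows why alignment with the visible From domain is what stops mail that merely passes SPF or DKIM for some other domain.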

How do I check whether my organisation is already using these standards?

To check whether you are already using SPF, DKIM or DMARC, simply go to internet.nl and run the free tests.

Internet.nl is an initiative of the Internet community and the Netherlands government.

How do I set up DKIM, SPF and DMARC?

There are excellent guides from Internet.nl, SIDN (the .nl registry) and Internet Society:

Who should use DMARCaroni?

Anyone using DMARC needs a way to view the incoming reports, even while you are still getting your bearings and have set DMARC up in dry-run mode. And you really need software for it: DMARC reports are not easily human-readable.

DMARCaroni is one of the most feature-rich tools for DMARC monitoring on the market, despite being free and open source software. Of course, there are other alternatives you can use ‘as-a-service’. We invite you to check for yourself: DMARCaroni has a very competitive feature set. And it comes with one very fundamental advantage over all its competitors: you can run it yourself for as long as you like, or have someone you trust run it for you (even as-a-service, if you prefer that). That means there is no lock-in, but also no data leakage.

What do you mean by data leakage?

With whom you correspond is pretty sensitive information, and may contain personally identifiable information which is subject to legislation such as the General Data Protection Regulation (GDPR), the California Consumer Privacy Act and similar regulations around the world. The organisation or person operating the software you use to store and process DMARC reports has access to this information, and over time can build a pretty accurate picture of your organisation’s operations.

If you don’t want to leak information about who you correspond with, make sure you choose the service providers you share any data with wisely.

What can go wrong?

DMARC can be set to a dry-run mode: everything happens as it did before you introduced DMARC; you just turn on reporting. Instead of your emails simply being delivered or silently discarded by recipients, every standards-compliant receiving server should now tell you whether those emails do or don’t conform to the criteria you have set.

Once you move to a real deployment, DMARC prevents bad emails from being delivered when they don’t conform to these same criteria. But of course, if your own email fails those tests, your own email does not get delivered either. For instance, imagine your technical department installs a new server with some application that is configured to send email directly instead of through an existing mail server. Or that you contract a new service provider to send out invitations for some event you organise. If the IP addresses of the new machines that send out emails are not added to SPF, and the emails aren’t signed with DKIM either, those emails are technically no different from the emails of an attacker - and they will be treated as such.

Should I use SPF, DKIM and DMARC for my parked domain? I’m not using it, so what can happen?

Yes, you should protect your parked domains too. If you don’t, it is like leaving a loaded weapon lying in the street: anyone in the world can send email on your behalf to anyone, for malware, phishing and other abuse. That also taints your own reputation - we presume you registered that name for a reason.

It takes minutes to do, and spares potentially millions of people unsolicited email for as long as you hold that domain name.
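Both the dry-run versus enforcement distinction from "What can go wrong?" and the parked-domain question come down to what you publish in DNS. Here is an added example (not code from the page) that parses the DMARC TXT record you publish, reports which stage it is in, and checks a parked domain’s SPF and DMARC records against what a domain that never sends mail should carry. The rules follow RFC 7208 (SPF) and RFC 7489 (DMARC); the record strings are constructed, and the function looks at record text you fetched yourself rather than querying DNS.

```python
# Added example (not from the page): classify the DMARC record you publish
# (dry-run vs enforced) and check a parked domain's SPF and DMARC records
# against what a domain that never sends mail should carry. Rules follow
# RFC 7208 (SPF) and RFC 7489 (DMARC); the record strings are constructed.


def parse_dmarc(txt: str) -> dict:
    """'v=DMARC1; p=reject; rua=mailto:x' -> {'v': 'DMARC1', 'p': 'reject', ...}."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_stage(txt: str) -> str:
    """'dry-run' (p=none, reports only), 'partial' (pct below 100),
    'enforced' (quarantine/reject applied to all mail) or 'invalid'."""
    tags = parse_dmarc(txt)
    if tags.get("v") != "DMARC1":
        return "invalid"
    policy = tags.get("p", "").lower()
    if policy == "none":
        return "dry-run"
    if policy not in ("quarantine", "reject"):
        return "invalid"
    return "enforced" if int(tags.get("pct", "100")) >= 100 else "partial"


def spf_denies_all(txt: str) -> bool:
    """True only for 'v=spf1 -all': no host is authorised to send."""
    return txt.lower().split() == ["v=spf1", "-all"]


def parked_domain_findings(spf_txt, dmarc_txt) -> list:
    """Problems with the records of a domain that should send no mail.
    Pass None for a record that is absent from DNS."""
    findings = []
    if spf_txt is None:
        findings.append("no SPF record: any host may send as this domain")
    elif not spf_denies_all(spf_txt):
        findings.append("SPF authorises senders; publish 'v=spf1 -all' instead")
    if dmarc_txt is None:
        findings.append("no DMARC record: receivers get no policy and you get no reports")
    else:
        tags = parse_dmarc(dmarc_txt)
        if tags.get("p", "").lower() != "reject":
            findings.append("DMARC policy is not p=reject; spoofed mail is not rejected")
        if "rua" not in tags:
            findings.append("no rua= address: you will not learn about abuse attempts")
    return findings


if __name__ == "__main__":
    # Constructed records: a weak pair beside the hardened pair.
    weak = ("v=spf1 include:_spf.example.net ~all", "v=DMARC1; p=none")
    hardened = ("v=spf1 -all", "v=DMARC1; p=reject; rua=mailto:dmarc@example.com")
    for spf, dmarc in (weak, hardened):
        print(dmarc_stage(dmarc), parked_domain_findings(spf, dmarc))
```

For a sending domain the same `dmarc_stage` check tells you whether you are still in the dry-run stage the text describes (`p=none`) or already enforcing; for a parked domain the only acceptable outcome of `parked_domain_findings` is an empty list. The `rua=` check matters even for a parked domain: the reports are how you find out that someone is trying to use the name.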