17 Jul 2018

The MVP of Email Deliverability

Email Process
In team sports, every player has a specific job to do, but they all share the same goal – win the game! Email deliverability and authentication methods are similar. Sender Policy Framework (SPF) has one specific job. DomainKeys Identified Mail (DKIM) has another. Then, in 2012, a new “player” arrived on the scene – Domain-based Message Authentication, Reporting and Conformance (DMARC). While 90% of top brands are targeted by malicious email, 92% of Fortune 500 companies don’t use DMARC. [1] SoftVu believes DMARC should be a top priority for every brand. DMARC takes elements of SPF and DKIM and adds more sophisticated features than those two combined, creating the MVP – Most Versatile and Productive “player” of email deliverability.

WHAT IS DMARC AND HOW DOES IT WORK

A DMARC policy allows a sender to indicate that their messages are protected by SPF and/or DKIM. It also tells a receiver what to do if neither of those authentication methods passes, such as sending the message to the junk or spam folder or simply rejecting it. DMARC removes the guesswork from the receiving ISP’s handling of these failed messages, limiting or eliminating the user’s exposure to potentially fraudulent and harmful messages. DMARC also provides a way for the email receiver to report back to the sender about messages that pass and/or fail DMARC evaluation. [2]

“With SPF and DKIM your messages are properly authenticated and virtually tamperproof,” says Nick Peeples, VP of Engineering at SoftVu. “With DMARC you can control what inbound ISPs do with unapproved messages. Who wouldn’t want that?”

BENEFITS OF DMARC

While SoftVu currently does not require DMARC, we highly recommend our clients begin implementing a DMARC record. We believe that the major email providers like Gmail and Yahoo will begin to put more weight on DMARC set-up when it comes to inbox placement.

To test other consumer brands, we signed up for Target, Beauty Brands, Nike, and countless other retailers who utilize email marketing. You bet, they all had DMARC set up. Since our client base primarily consists of financial institutions, it is our professional recommendation that all of our clients set up DMARC in order to protect their domain reputation.

DMARC does more than just protect your domain. It also protects your potential customers and your existing customer base. Without DMARC, consumers who work with you are left vulnerable to phishing and spoofing attacks. [3]

Nick explains it this way. “We all know bad ‘actors,’ who pretend to be your brand, can negatively impact your overall reputation. What many companies don’t think about is the damage those bad guys can do to their clients. DMARC proactively protects your brand’s reputation and your clients from imposters.”

DMARC process

WHY PUBLISH A DMARC RECORD?

Publishing a DMARC record prevents an imposter from sending mail from your domain. That protects your brand. Just publishing a DMARC record may result in a positive boost to your reputation. Nothing wrong with that! And, consuming DMARC reports increases visibility and transparency into your email program because it lets you know who is sending mail from your domain – something we’re sure you would want to know.

TOP 3 REASONS TO DMARC

  1. It makes your real email easy to identify, and it tells the world to reject fake email that pretends to be from you. No more domain abuse!
  2. Since all major email receivers ask to be sent DMARC-compliant email, you want your brand to be easily identified so that your mail is ready to process and deliver.
  3. Domain owners can now see how their domains are used across the internet.

HOW TO SET IT UP

Building your DMARC starts with those two key players mentioned earlier. You’ve got to have SPF and DKIM in place first. Now you’re ready to proceed.

Step 1: Start by identifying the domain or subdomain listed in your email headers from the emails you send. Are your domain names identical? If so, you’re aligned and ready for set up. If that’s the case, jump to Step 3. If not, go to Step 2.

Step 2: If your domain names are not identical, you can still create your DMARC record. Connect with your IT and security teams to get the domains aligned. Then proceed to Step 3.

Step 3: You now want to determine which account will receive DMARC reports. You may want more than one since you could get bombarded with data! You may want to consider setting up time with SoftVu to help your team make sense of it all.
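The Step 1 check can be run directly against the headers of a message you have sent. The following is an added example, not SoftVu's code: it compares the From domain with the Return-Path domain (the identity SPF evaluates) and the d= domain of each DKIM signature. The sample message and the example.com names are constructed placeholders, and "identical" here means an exact match, as in Step 1.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample headers; example.com is a placeholder domain.
SAMPLE = """\
Return-Path: <bounce@mail.example.com>
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel1;
 h=from:subject; bh=...; b=...
From: "Example Bank" <news@example.com>
Subject: Statement ready

body
"""

def domain_of(addr_header):
    """Return the lowercased domain of an address header, or ''."""
    _, addr = parseaddr(addr_header or "")
    return addr.rpartition("@")[2].lower()

def dkim_domains(msg):
    """Collect the d= (signing domain) tag of every DKIM-Signature header."""
    found = []
    for sig in msg.get_all("DKIM-Signature", []):
        tags = {}
        for part in sig.split(";"):
            key, _, value = part.partition("=")
            if key.strip():
                tags[key.strip().lower()] = value.strip()
        if "d" in tags:
            found.append(tags["d"].lower())
    return found

def alignment_report(raw):
    """Compare the visible From domain with the SPF and DKIM domains."""
    msg = message_from_string(raw)
    from_dom = domain_of(msg["From"])
    spf_dom = domain_of(msg["Return-Path"])
    dkim = dkim_domains(msg)
    return {
        "from": from_dom,
        "spf_domain": spf_dom,
        "dkim_domains": dkim,
        "spf_identical": spf_dom == from_dom,   # False -> Step 2 for SPF
        "dkim_identical": from_dom in dkim,     # False -> Step 2 for DKIM
    }

if __name__ == "__main__":
    for key, value in alignment_report(SAMPLE).items():
        print(f"{key}: {value}")
```

In the sample, the DKIM domain matches the From domain, but the bounce address uses a subdomain, so the SPF side is what the IT and security teams would need to align in Step 2.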

WHAT ARE DMARC TAGS?

Here’s the real dirt on DMARC. It’s all about the tags. The tags are the language of the DMARC standard. The tags tell the email receiver what to do once it checks for DMARC. And there are various DMARC tags but Nick recommends you keep it simple.

“Our take is that you stay focused on the v=, p=, fo=, rua, and ruf tags. With those five tags you’ll have your bases covered. You can use a DMARC generator or SoftVu can help.” Nick also recommends you set your mail receiver policy to “none” which indicates the DMARC “monitor” mode.

Tag Name   Purpose
v          Protocol version
p          Policy for organizational domain
fo         Reporting of SPF related failures
rua        Reporting URI of aggregate reports
ruf        Reporting URI of forensic reports

The monitor mode is critical to gathering information on your email ecosystem. It’s the best way to snag any culprits sending email on behalf of your brand. Plus, it tells you which emails are getting delivered and which ones are getting kicked out, important information to track, according to Nick.

“At the very least, having your DMARC record in monitor mode will give you the information to start tracking down any of those bad actors that are attempting to impersonate your brand or damage your reputation.”
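To make the five tags concrete, here is an added example (not from SoftVu or from a DMARC generator) that parses a monitor-mode record and checks each of the five tags. The record, the mailbox names and the example.com domain are constructed placeholders; a real record is published as a TXT record at _dmarc.<your domain>.

```python
# Constructed monitor-mode record for the placeholder domain example.com.
RECORD = ("v=DMARC1; p=none; fo=1; "
          "rua=mailto:dmarc-agg@example.com; ruf=mailto:dmarc-fail@example.com")

POLICIES = {"none", "quarantine", "reject"}
FO_OPTIONS = {"0", "1", "d", "s"}   # failure-reporting options, colon-separated

def parse_dmarc(record):
    """Split a DMARC TXT value into an ordered list of (tag, value) pairs."""
    pairs = []
    for part in record.split(";"):
        if part.strip():
            tag, _, value = part.partition("=")
            pairs.append((tag.strip().lower(), value.strip()))
    return pairs

def check_dmarc(record):
    """Return (tags, problems) for the v, p, fo, rua and ruf tags."""
    pairs = parse_dmarc(record)
    tags = dict(pairs)
    problems = []
    if not pairs or pairs[0] != ("v", "DMARC1"):
        problems.append("v=DMARC1 must be the first tag")
    if tags.get("p", "").lower() not in POLICIES:
        problems.append("p must be none, quarantine or reject")
    if not set(tags.get("fo", "0").split(":")) <= FO_OPTIONS:
        problems.append("fo accepts only 0, 1, d, s")
    for tag in ("rua", "ruf"):
        uris = [u.strip() for u in tags.get(tag, "").split(",") if u.strip()]
        if not uris:
            problems.append(f"{tag} missing: those reports will not be sent")
        elif any(not u.lower().startswith("mailto:") for u in uris):
            problems.append(f"{tag} should list mailto: addresses")
    return tags, problems

def is_monitor_mode(tags):
    """True when the record only asks for reports (p=none)."""
    return tags.get("p", "").lower() == "none"

if __name__ == "__main__":
    tags, problems = check_dmarc(RECORD)
    print("monitor mode:", is_monitor_mode(tags))
    print("problems:", problems or "none found")
```

A record in monitor mode only produces reports; the junk-folder or reject handling described earlier applies once p is set to quarantine or reject.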

The only thing better than having the MVP – Most Versatile and Productive “player” on your team is having the MVT – Most Versatile and Productive TEAM. Why not set your team up for a win with a DMARC home run? Let’s get those emails delivered where you want them to go!

Give SoftVu a call at (877) 611-0104 or send us an email at info@softvu.com with your questions. We are ready to help you with your DMARC needs.

If you want to read more about DMARC, Nick suggests these two websites: https://dmarcian.com and www.250ok.com.

1 Email Fraud and DMARC Adoption Trends, Second Half 2017, Agari Threat Center Report

2 Why is DMARC important? https://dmarc.org/wiki/FAQ#Why_is_DMARC_important.3F

3 Internet giants form DMARC to battle email spam, phishing attacks www.digitaljournal.com