I’m proud to share an update about a recent advancement to our email infrastructure. We now adopt a new technology called DMARC, which stands for “Domain-based Message Authentication, Reporting & Conformance.” It is a new and emerging email authentication protocol which helps both email senders and receivers prevent against domain spoofing and phishing.
DMARC provides a method for receivers to identify and take action against spoofing attempts, by utilizing the already widely-adopted authentication protocols of DKIM (DomainKeys Identified Mail) and SPF (Sender Policy Framework). Since this new DMARC protocol does not require any new technologies (just requires DNS record updates) it makes this a promising tool to become widely adopted by both email senders and receivers.
Essentially, DMARC performs a check against both the SPF record as well as the DKIM of the sending domain and gives the recipient MTA (Message Transport Agent) the information it needs to perform action against a spoofed domain. Coupling these two authentication protocols makes it virtually impossible for a malicious sender to spoof a sender’s domain. While not completely bullet-proof on preventing against all kinds of spoofing, it does provide a reliable method against domain-specific phishing attacks. Infusionsoft has been utilizing both DKIM and SPF for many years, so adding DMARC was an easy decision as we continue to evolve and strengthen our email systems.
DMARC is useful to both senders and receivers because it safeguards against domain fraud as well as end-recipient consumer privacy protection. Meaning, large and popular senders can protect against domain and brand spoofing, while the large recipients (AOL, Gmail, Yahoo, Hotmail, et cetera) also benefit from ensuring their users are not receiving maliciously spoofed emails claiming to be from legitimate organizations in order to capture email addresses and other private and personal information. This technology has already received wide support from brands you trust including Google, Bank of America, PayPal, LinkedIn, Fidelity, Facebook and more.
DMARC is implemented by making an addition to the DNS (Domain Name System) TXT-type record for the given domain. Once a DNS has had time to propagate throughout the Internet, the receiving-side will pick up on this new DMARC addition and begin sending reports on potential spoofing attempts. This helps in identifying any abusive senders who would attempt to imitate your brand in order to compromise recipient privacy, which would only hurt your company branding and reputation.
Earlier this week, I had my team implement DMARC here at Infusionsoft. We are monitoring and testing this new technology. As the leading sales and marketing software for small businesses, Infusionsoft sends a lot of permission-based email on behalf of our customers. As an ESP (Email Service Provider), we will now better identify if and when our domain is being spoofed, and report such abusive practices accordingly. In short, DMARC is another tool in our email systems toolbox to help Infusionsoft’s email reputation and email deliverability stay strong.
P.S. Infusionsoft’s partner, Return Path has built a DMARC record creation tool which is available on their website. Additionally, by sending an email to [email protected], Return Path will send you a report back so you can see whether or not your email is authenticating with SPF/DKIM as well as whether or not your domain is ready to start using DMARC.
That’s awesome guys, being an early adopter is exciting. I can’t active
mine yet, since I use an older version Exim that doesn’t support DKIM.
But I was still able to set up DMARC in monitoring mode to get reports
without it actually blocking emails by setting the policy to “none”.
Even if you have DKIM and SPF set up, you can still get the reports.
The Return path creation tool rocks, but if you’re not DNS savy, you can
try the one over at Unlock The Inbox:
http://www.unlocktheinbox.com/dmarcwizard.aspx , it creates the record
in many different formats TinyDNS, Bind, etc.
I was able to set
mine up and google actually sent me reports the next day validating my
setup. Which I failed the DKIM check, but that was expected.
Michael S. Hobbs says
We set ours up with only 50% initially but have not received any reports. In fact I had just bumped it up this morning to 100% prior to seeing your comment. We’ll see how it goes.
Todd Troutman says
Infusionmail.com signs on behalf of our domain with the infusionmail.com’s key.
SPF works but as sent by Infusionsoft identifier alignment is off so to implement DMARC in a useful way
it seems like Infusionmail.com really needs to be able to allow us to publish an infusionmail._domainkey