Email Spam and DMARC

All technical security is a compromise between functionality and protection.

Modern email security protocols have evolved over the last 25ish years because of the threat of fraudsters, spammers, phishers, spoofers and hackers.

These attacks seek to misrepresent or mislead you (or your staff, customers and business partners) into doing things you may not otherwise want to do, mainly through leveraging the trust in your organisation and brand.

There are 3 main types of email security features that we use to protect against these threats - SPF, DKIM and more recently DMARC, which is the most recent and hardest to implement properly.

  1. SPF is Sender Policy Framework - the bare minimum that we recommend which pre-authorises certain mail servers (by company policy) to send on behalf of the company's domain.
  2. DKIM - Domain Keys Identified Mail - is pre-configured cryptographic proof from the domains system that the sending server is who it says it is.
  3. DMARC - Domain-based Message Authentication Reporting and Conformance is the feature configured from your domain that instructs a receiving server what it should do with any email that doesn't align with the SPF and DKIM features - basically a policy and rules system.

We, as IT professionals normally don't tell business owners or ask you how you want this to be configured (because you'll just ask our advice anyway) and we default to the most secure configuration possible to protect you from all threats.

DMARC has 3 policy settings: none, quarantine and reject.

  1. NONE means that no action will be taken by email systems on emails that don't align with SPF and DKIM.
  2. QUARANTINE means that the receiving email system will be instructed to send to spam and throw up warnings and all sorts of scary red and yellow coloured error messages.
  3. REJECT means that the email will never be delivered.

If you're using DMARC setup with Quarantine as the policy and you're seeing your mail from other platforms going to spam, this may be the issue.

DMARC quarantine-flagged emails result in scary spam warnings that damage client trust and create additional friction in your business transactions - which does not mean you shouldn't use it!

QUARANTINE is great and very secure if you're definitely only sending from one server/platform and for one purpose - but businesses these days use multiple sending services like CRM's, Marketing Mail, Websites etc etc and while using DMARC, all of those sender domains need to be in alignment to ensure that your legit emails don't go to spam on the regular.

Not using DMARC is less secure and given the choice, us IT security folks would prefer to see you using it rather than not -

However, we live in a world of compromises and we're here to help your business succeed as much as to protect it from all threats.

So currently, until the rest of the sending platforms out there have upgraded to properly authenticate and send as your domain, we need to take a more measured approach to DMARC and balance the security against the functionality or time-saving automation we get from using these platforms (not to mention the embarrassment of your legit business emails going to spam folders)

So we currently recommend that you definitely should use DMARC, but with caution in a reporting-only state so we can monitor what platforms or services fail our testing and where we need to fix SPF and DKIM alignment.

You can use a policy such as 'v=DMARC1; p=none;;; fo=1;" in your _dmarc. txt record and have the system send you reports of how many emails sent from your domain are failing DMARC, before you implement a stricter system.

If this is all double-dutch to you, please reach out to us for advice on email security options for your domain before making hasty decisions that may affect your deliverability in the pursuit of more and more security.

To read a little more on the topic, have browse through these articles: