Worth setting up DMARC for my domain(s)?

I was just wondering what the general consensus is regarding the use of DMARC DNS records for mail sending domains? I already have SPF (version 1 and 2) records and DKIM records as well for my mail sending domains and was wondering if it was worthwhile adding DMARC as well?

These are business domains so deliverability is important.

4 Replies

I decided to go with it in the end. I went with this DMARC configuration:

v=DMARC1; p=none; adkim=s; aspf=s; pct=100; rua=mailto:[email protected]

does that look like a reasonable setting? If nothing happens in the next couple of weeks I'll switch it to a reject policy.

Your settings look reasonable, but be careful with setting p=reject since it, in effect, prevents users of your domain from sending mail to mailing lists. Mailing lists make modifications that break DKIM signatures (like rewriting the Subject: or appending a "unsubscribe" footer to the body) yet preserve the From: header. These messages will get rejected by DMARC-supporting sites if you turn on p=reject. I get a ton of DMARC failure reports every time I post to a mailing list or even create a bug report in the Debian Bug Tracker.

Unfortunately, p=reject seems useful only for domains that send exclusively transactional mail destined for individuals (think PayPal, bank emails, etc.).

@AGWA:

Your settings look reasonable, but be careful with setting p=reject since it, in effect, prevents users of your domain from sending mail to mailing lists. Mailing lists make modifications that break DKIM signatures (like rewriting the Subject: or appending a "unsubscribe" footer to the body) yet preserve the From: header. These messages will get rejected by DMARC-supporting sites if you turn on p=reject. I get a ton of DMARC failure reports every time I post to a mailing list or even create a bug report in the Debian Bug Tracker.

Unfortunately, p=reject seems useful only for domains that send exclusively transactional mail destined for individuals (think PayPal, bank emails, etc.).

Thanks for the reply.

OK. I've just received my first DMARC report for the domain and all seems well except for one thing. I use Google Apps for Business on this domain and make use of the collaborative inbox provided by Google Groups for Business. Essentially I have a Support group so that users can email [email protected] and the email will arrive in a nice forum view that staff members can then reply to. Google Groups for business provides a nice GUI allowing you to mark each thread as complete or in progress etc.

Since I disallow public access to the group (for obvious reasons) the only way to allow people to see the responses that staff members post to their support requests is to CC them into the response. This means that it is Google Groups sending the CCed message to the client and therefore SPF checks fail. Does anyone know if there is a way to include a set of email servers in an SPF record if you don't know what all the mail servers for that domains IP address are? Normally Google tell you to include _spf.google.com in your SPF records but this doesn't include Google Groups unfortunately.

Fixed by including mx:googlegroups.com in the SPF records.

Reply

Please enter an answer
Tips:

You can mention users to notify them: @username

You can use Markdown to format your question. For more examples see the Markdown Cheatsheet.

> I’m a blockquote.

I’m a blockquote.

[I'm a link] (https://www.google.com)

I'm a link

**I am bold** I am bold

*I am italicized* I am italicized

Community Code of Conduct