Perché il DMARC fallisce? Scoprite come migliorare le prestazioni delle vostre e-mail
Sapete cosa fa fallire il protocollo DMARC? Molte cose possono innescare questo tipo di fallimento, la maggior parte delle quali è legata a problemi di autenticazione.
Inoltre, l’identificazione della causa principale dei fallimenti DMARC sarà il passo più importante verso una più sana deliverability delle e-mail.
A volte, questo è il motivo per cui l’ottimizzazione del tasso di conversione soffre, una volta che le e-mail non vengono inviate con successo.
Per questo motivo, abbiamo preparato questo articolo per aiutarvi a capire questo protocollo di autenticazione, come gestire i fallimenti e come migliorare le prestazioni delle vostre e-mail.
Table of contents
What is DMARC?
The protocol called Domain-based Message Authentication, Reporting & Conformance, as known as DMARC, uses the Sender Policy Framework (SPF Email), and Domain Keys Identified Mail method (DKIM), in order to check how authentic and legitimate an email sender is.
In addition, the DMARC protocols work side by side with ISPs (Internet Service Providers), once they have a common objective, which is reducing the circulation of dangerous messages on the web, such as spoofing, phishing, and spam.
The DMARC system basically determines how email senders should manage emails that didn’t receive authentication by SPF records, or DKIM. Actually, they have the options of senders that can:
- monitor strange sending IPs for further analysis;
- choose to send them straight to the junk folders;
- choose to block these domains definitely.
After the DMARC work is done, the ISPs can easily track spammers or malicious senders, avoiding receivers getting too many harmful messages.
Other than that, all these authentication services are efficient tools to keep away from email blacklists, which is essential when you need to make sure your domain is not at any risk.
In conclusion, DMARC and ISP filters are necessary to protect the authenticity and transparency of email senders, minimizing cybercrimes and cases of false identities.
Why does DMARC fails?
If emailing is an important channel of communication for your company, as it is in most cases, DMARC fails are a matter of deep concern.
First of all, when we have a problem, we should analyze what is causing it. We can resolve these failures if we understand their causes.
Even when emails are authenticated through the SPF and DKIM evaluation, the DMARC can still fail in the DMARC standards. Let’s understand how and why it happens.
DMARC: Alignment Failures
The checking made by DMARC is quite simple. It verifies if the domain mentioned in the “FROM” visible header matches the domain mentioned in the hidden Return-Path header (SPF records), and the DKIM signature header (DKIM method).
That’s why the DMARC evaluation is known as “domain alignment”, once the email is only approved by DMARC if there is a match between the visible and hidden domains.
Domain misalignment is a possible cause for DMARC fails, which means the email originated at an unauthorized source, as SPF and DKIM don’t consider the “FROM” part of an email in their analysis.
DMARC: Alignment Mode
According to the nature of an analysis performed by DMARC for SPF and DKIM, there are two alignment modes:
- Strict Mode: when senders choose this option, the originating domain and the “FROM” header domain must be identical.
- Relaxed Mode: this method allows subdomains to be used to send emails because the DMARC is going to check only the top-level domains of an address, making sure they are the same.
The DMARC relaxed mode is more suitable when you use third-parties emails to send messages to your audience. You can choose either alignment mode, according to your necessity and needs.
Set DKIM signature for your domain
When you don’t specify a signature for your domain, it can cause DMARC fails. That’s because the ISPs will set up a default signature for your domain, triggering misalignment issues, once the “FROM” header won’t be aligned with the original domain.
In case of many DMARC failures, try setting up a DKIM signature for your domain, making sure the alignment process is successful.
Email forwarding
Having problems with authentication is very common in email forwarding. When you create SPF records, for example, you can’t forget the third-party addresses.
Email authentication frequently fails in forwarding messages when the new sender is not included in such records.
In DKIM protocols, senders only have problems when they modify the content and/or structure of the original message. Otherwise, the email forwarding is not affected by DKIM.
As DMARC requires only one approval, either by SPF or DKIM, it’s recommendable to use both on all legitimate sending sources, making sure forwarded messages are successfully sent.
Domain spoofing
When all your protocols for authentication are set up and functioning, but you are still facing problems regarding DMARC fails, your domain might be spoofed or forged.
That means that bad-intentioned people are sending harmful emails that appear to be coming from your domain, through a malicious IP address. In this case, you should be aware of the DMARC policies:
- Monitor (p=none): unqualified emails can be sent to users mailboxes;
- Quarantine (p=quarantine): unqualified emails are sent to junk or spam folders;
- Reject (p=reject): unqualified emails are permanently blocked.
The Reject Policy will prevent harmful emails from reaching your subscribers, in case your domain is spoofed, making sure they don’t get in touch with these dangerous IP addresses.
Improve your email performance
Understanding how the DMARC protocol works is important to improve your email performance, as it protects your sender score, taking care of your legitimacy and authenticity.
Let’s analyze how you can explore this method, to make the most of its features, including improving your security, visibility, identity, and delivery.
Monitor your domain with DMARC
DMARC monitoring is the practice of reviewing DMARC reports and looking for unauthorized senders using your domain for dubious purposes, such as spoofing or spamming.
When you set up your first DMARC record, you can include an email address to receive further reports. When a change in your sending methods happens, you can keep track of them, verifying both the status of approved sources and new sending services.
This way, you can protect not only your deliverability but your recipients integrity as well.
Gather all the IP addresses and domains to authenticate them with SPF and DKIM
In order to explore the DMARC benefits, all your sending methods must be authenticated through SPF and DKIM records. Don’t forget to include third-party sources as well.
Learn how to create an SPF record to improve your results.
Authenticate all your legitimate servers and reach DMARC Alignment and Compliance
Keeping an eye on DMARC reports will help you monitor all the activity that originated in your legitimate servers, including the volume of messages delivered through SMTP servers.
This makes you identify when a sender is adopting uncommon volume patterns or when you don’t recognize a sender at all. In both cases, action is required.
Authenticating legitimate servers and agreeing to DMARC alignment and compliance policies is important to have a good reputation as a sender. Later on, this process can help you if you want to authenticate your messages through BIMI.
Enforce your DMARC Policy
In case of the absence of SPF or DKIM protocols, the automatic DMARC will fail. So, setting up these protocols should be the first thing to do.
After that, email senders can determine what is to be done when a certain email is non-compliant (as mentioned earlier, they have three options – Monitoring, Quarantine, and Reject).
You can start by monitoring your sources, which is going to give you insight into how your domain is being used. After some weeks, you can activate the Reject Mode, eliminating any improper use of your domains.
Enforcing the DMARC Policy is an effective way to prevent your messages from going to spam.
Now that you have the answer of why does DMARC fails, learn more about the best practices for having a sucessfull email marketing. Check SafetyMails’ content about the strategies to build a subscriber list.
Cosa dicono i postmaster dei principali provider di e-mail sull’utilizzo del DMARC
Google’s postmaster raccomanda di configurare sempre l’autenticazione DMARC per il proprio dominio. È possibile definire un criterio DMARC con un’applicazione minima, utilizzando il criterio “nessuno” (p=nessuno) e applicandolo allo 0% dei messaggi (pct=0)1 . Ciò consente di iniziare a ricevere segnalazioni senza il rischio che i messaggi vengano rifiutati o inviati alla cartella spam dai server di ricezione2.
Inoltre, solo una piccola percentuale di messaggi viene colpita e i destinatari possono rivedere i messaggi inviati alla cartella spam3. Pertanto, implementando il DMARC, si rafforza la sicurezza e l’affidabilità delle comunicazioni e-mail, proteggendo gli utenti e il marchio da frodi e abusi.
Outlook
Outlook rispetta anche il criterio DMARC. Se un messaggio di posta elettronica non supera la convalida DMARC e il criterio del mittente è impostato su “p=rifiuto”, Outlook rifiuterà il messaggio1. Il criterio DMARC specifica cosa fare con i messaggi che non superano la convalida DMARC (rifiutare, mettere in quarantena o non dare istruzioni)2 .
Pertanto, implementando il DMARC, Outlook aiuta a proteggere la reputazione e il marchio dei mittenti contro lo spoofing e impedisce ai destinatari di ricevere e-mail da mittenti non verificati.
Yahoo
Yahoo ha inoltre adottato una rigorosa politica DMARC per rafforzare la sicurezza delle e-mail e proteggere i propri utenti. La politica di Yahoo richiede ai mittenti di autenticare le proprie e-mail utilizzando SPF e DKIM, oltre a imporre rigorosi controlli di allineamento per prevenire tentativi di spoofing e phishing1.
Pertanto, implementando il DMARC, Yahoo contribuisce a proteggere la reputazione e i marchi dei mittenti dalle minacce e garantisce che le e-mail vengano consegnate in modo sicuro.
Categorizzato in: Consegnabilità delle e-mail
