Overview
Some emails are not sent and show errors related to DMARC policies. This article describes a high-level overview of DMARC and how to configure ListManager to send DMARC compliant mail.
Information
Background
On April 4th, 2014, Yahoo implemented a new standard for email authentication known as DMARC. The new standard is designed to help protect Yahoo mail users' addresses from unauthorized use and to help block fake or "spoofed" mail that doesn't originate from Yahoo. Unfortunately, it also stops the delivery of mail that would previously have been considered authorized: mail sent on behalf of Yahoo mail users via non-Yahoo servers.
What is DMARC?
Domain-based Message Authentication, Reporting & Conformance—or DMARC—is the most recent addition to the list of email authentication protocols. It builds on two existing and widely deployed frameworks, the Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) protocols. DMARC is essentially a policy and reporting layer on top of DKIM and SPF.
Reporting
The reporting side means that DMARC-enabled receivers will tell you:
- How many messages they’ve received using your internet domain in the "from:" address.
- Where these messages came from.
- Whether these messages passed DKIM and SPF checks.
This is incredibly useful to organizations introducing email authentication, and allows them to see if any criminals are impersonating them.
Policy
The policy side of DMARC lets the domain owner request particular handling of messages that use their domain in the from address, but don’t pass either DKIM or SPF. In other words: If somebody uses your domain but fails authentication, what action should the inbox provider take? You can ask that:
- No action be taken
- The failing messages be quarantined
- The failing messages be rejected.
Address Alignment
DMARC introduces one additional factor, known as address alignment. DKIM and SPF authentication use particular domain names for each message. With SPF this is the domain within the “bounce address,” more precisely the RFC5321.MailFrom. With DKIM this is a domain that’s included in the cryptographic signature that DKIM attaches to the message. Under DMARC, these domains must match (or be “in alignment” with) the address in the "from" header. This is what we call address or domain alignment.
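The alignment check described above, as an added example (not ListManager or vendor code). The domains and headers are constructed samples, the function names are hypothetical, and the organizational domain is approximated as the last two labels, where a real evaluator would use the Public Suffix List.

```python
from email.utils import parseaddr


def org_domain(domain):
    # Assumption: the organizational domain is the last two labels.
    # A real DMARC evaluator derives it from the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, strict=False):
    # Strict alignment needs an exact match; relaxed alignment only
    # needs the same organizational domain.
    if strict:
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_result(from_header, spf_domain, spf_pass,
                 dkim_domain, dkim_pass, strict=False):
    # The domain DMARC protects is the one in the "from" header.
    from_domain = parseaddr(from_header)[1].rpartition("@")[2]
    if not from_domain:
        return "fail"
    # A mechanism counts only if it passed AND its domain is aligned.
    spf_ok = spf_pass and aligned(spf_domain, from_domain, strict)
    dkim_ok = dkim_pass and aligned(dkim_domain, from_domain, strict)
    return "pass" if (spf_ok or dkim_ok) else "fail"


# Constructed samples: a Yahoo user's post relayed by a list server, and
# the same post with a "from" header that uses the list server's domain.
LIST_POST = '"Jane Doe" <jane@yahoo.com>'
REWRITTEN = '"jane@yahoo.com" <news@lists.example.com>'

if __name__ == "__main__":
    for header in (LIST_POST, REWRITTEN):
        # SPF and DKIM both pass, but for the list server's own domains.
        print(header, "->", dmarc_result(
            header, "bounce.lists.example.com", True,
            "lists.example.com", True))
```

The first message fails even though SPF and DKIM both pass, because neither authenticated domain is aligned with yahoo.com.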
Solution
We recommend you start from the official DMARC website and ask your IT Operations team to implement the DMARC framework.
On the ListManager side, the following steps need to be taken:
- Determine mail type
  - Log into the ListManager UI as admin
  - Navigate to the incoming queue of the list you are interested in: 'Mailings : Mailing Status : Mail Queues : Incoming'
  - Click on the ID of a recent mailing
  - Under the 'Advanced' section, you will find two fields called Type and Sent by email
  - For emails sent from the ListManager web interface, Type will show "admin-send" and Sent by email will show "No"
  - For emails sent from an external source to a ListManager list (discussion groups), Type will show "unknown" and Sent by email will show "Yes"
  - You could also see 'Type: triggered'; this is for automated triggered messages
- Configure DMARC for UI sent mail
- Configure DMARC for email submitted content (discussion groups)
Discussion Groups
- Navigate to Utilities : List Settings : Email Submitted Content and choose the "Header Rewrites" tab.
- Update the "From" field so that the email address of the actual sender appears as the "friendly name" and the list email address, with the domain of your ListManager server, is used as the address, as follows:
"%%merge inmail_.HdrFromSpc_%%" <%%email.list%%>
NOTE: If you have a large number of discussion lists on your server, you may need to write an SQL query to modify the value of the SMTP From_ column of the lists_ table which will make this change across a large number of lists.
Sending to AOL
Also, if the "reply to" is set to AUTHOR, sending mailings to AOL will not work, as their DMARC rules are different. They check whether the "reply-to" and the "from" addresses are the same. If not, they will reject with a 521 such as the one below:
<-- 250 2.1.0 Ok
--> RCPT TO:<Jonh.Smith@aol.com>
<-- 250 2.1.5 Ok
--> DATA
<-- 354 End data with <CR><LF>.<CR><LF>
--> (message body)
--> [sent entire message body]
<-- 521 5.2.1 : AOL will not accept delivery of this message.
The workaround would be to remove the "AUTHOR" from the "reply to:".
Be sure to include the brackets (< >).