I've been seeing a common issue faced by many companies. They send emails through a bulk email provider like Mailchimp, Ticketmaster, Brevo, Hubspot, etc. and their emails are getting flagged as possible spam or as unverified.

Understanding the Problem

Let's break this down to show what's happening. When a company sends email using its Mailchimp account, the mail should be legitimate, right? Let's check the Authentication-Results header to understand what's going wrong.

Authentication-Results: spf=pass (sender IP is 198.2.144.59) smtp.mailfrom=mail59.atl301.rsgsv.net; dkim=pass (signature was verified) header.d=mailchimpapp.net; dmarc=fail action=none header.from=deploydepot.ca; compauth=fail reason=001

Pulling out the important info:

  • SPF passed
  • DKIM passed
  • DMARC failed
  • Fail reason = 001

Note which domain each pass applies to: SPF passed for the envelope sender domain (mail59.atl301.rsgsv.net, a domain belonging to the email provider) and DKIM passed for the signing domain mailchimpapp.net, while the visible From: domain is deploydepot.ca. DMARC only counts an SPF or DKIM pass whose domain aligns with the From: domain, so with neither aligned it fails even though both underlying checks passed.

What is DMARC, DKIM, and SPF?

DMARC (Domain-based Message Authentication, Reporting, and Conformance) builds upon SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail). Its goal is to increase email security. Here's how it works:

Authentication Standards

  • SPF: Checks whether the sending server's IP address is authorized to send mail for a domain. The domain owner publishes a DNS record listing the servers allowed to send for that domain. The domain checked is the envelope sender (MAIL FROM / Return-Path), which for a bulk email provider is often the provider's own domain rather than yours.
  • DKIM: Adds a digital signature to outgoing emails. The recipient's server fetches the public key from the DNS of the domain named in the signature's d= tag and verifies the signature to ensure the email hasn't been tampered with.

DMARC Implementation

  • DMARC allows domain owners to set policies for handling emails that fail authentication checks.
  • An organization can publish a DMARC policy that says, "If you send mail from my domain, it must pass SPF and DKIM checks."
  • DMARC creates a feedback loop between the sender and receiver. If an email fails authentication, the receiver can send a report back to the sender, detailing why it failed.

How to Fix the Issue

In the Mailchimp example, the CNAME record you create on your own domain points at Mailchimp's TXT record, which holds the public key used to verify the DKIM signature applied by the Mailchimp mail server.

A proper TXT record should be formatted like this:

[selector]._domainkey.[domain]

With a value of:

v=DKIM1; p=[insert public key here]

Step 1: Find the Selector

In your email, you need to open the message details or header (in Outlook you can right-click -> View -> Message Details). Scroll to the DKIM-Signature section of the header and take note of these important items:

  • d= is the Domain (e.g., mailchimpapp.net)
  • s= is the Selector (e.g., k3)
  • v= is the version
  • a= is the algorithm used to apply the DKIM signature

Step 2: Create the DNS Records

Head over to www.mxtoolbox.com and use their Super Tool. Select DKIM Lookup from the dropdown and enter the d= value and the s= value separated by a colon (:), for example: mailchimpapp.net:k3

This shows you the DKIM record for your email provider, which holds the public key used to verify the DKIM signature. The CNAME record you create on your own domain points at this record.
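To show the mechanics of Steps 1 and 2 in code, here is an added Python example (written for this page, not code from the original post or from Mailchimp). It pulls d= and s= out of a DKIM-Signature header, builds the DNS name a verifier queries and the domain:selector string the lookup tool asks for, and sanity-checks the TXT value that comes back. The DKIM-Signature and TXT record values are constructed placeholders; the selector k3 is the example from the post, and whether the same selector is used on your own domain depends on your provider's instructions, so that part is an assumption.

```python
import base64
import re

# Constructed DKIM-Signature header in the shape described in Step 1
# (placeholder hash and signature values, not a real signed message).
DKIM_SIGNATURE = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=mailchimpapp.net; s=k3; "
    "h=from:to:subject:date; bh=PLACEHOLDER_BODY_HASH; b=PLACEHOLDER_SIGNATURE"
)

# Constructed TXT record value of the kind a DKIM lookup returns; the p= value
# is base64 of placeholder bytes, not a real RSA public key.
PLACEHOLDER_KEY = base64.b64encode(b"constructed placeholder, not a real key").decode()
DKIM_TXT = f"v=DKIM1; k=rsa; p={PLACEHOLDER_KEY}"


def parse_tags(value):
    """Parse a 'tag=value; tag=value' string (DKIM-Signature or DKIM TXT record)."""
    tags = {}
    for item in value.split(";"):
        if "=" in item:
            key, val = item.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", val)  # folded whitespace is insignificant
    return tags


def dkim_lookup_name(signature_header):
    """The DNS name a verifier queries for the public key: <s>._domainkey.<d>."""
    tags = parse_tags(signature_header)
    for required in ("d", "s"):
        if required not in tags:
            raise ValueError(f"DKIM-Signature is missing the {required}= tag")
    return f"{tags['s']}._domainkey.{tags['d']}"


def mxtoolbox_query(signature_header):
    """The 'domain:selector' string that Step 2 asks you to type into the lookup tool."""
    tags = parse_tags(signature_header)
    return f"{tags['d']}:{tags['s']}"


def check_dkim_record(txt_value):
    """Return a list of problems with a DKIM TXT value (an empty list means it looks usable)."""
    tags = parse_tags(txt_value)
    problems = []
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v= must be DKIM1 when present")
    key = tags.get("p")
    if key is None:
        problems.append("missing p= tag")
    elif key == "":
        # RFC 6376: an empty p= means the key has been revoked.
        problems.append("p= is empty: key revoked, signatures will not verify")
    else:
        try:
            base64.b64decode(key, validate=True)
        except ValueError:  # binascii.Error is a ValueError
            problems.append("p= is not valid base64 (check for copy/paste damage or missing quotes)")
    return problems


def cname_for_own_domain(own_domain, signature_header):
    """Name to publish on your own domain so a verifier finds the provider's key.

    Assumes the provider signs with d=<own_domain> and the same selector once
    the CNAME is in place; the verifier then queries <s>._domainkey.<own_domain>,
    and a CNAME there pointing at the provider's record resolves to its TXT value.
    """
    selector = parse_tags(signature_header)["s"]
    return f"{selector}._domainkey.{own_domain}"


if __name__ == "__main__":
    print("verifier queries:", dkim_lookup_name(DKIM_SIGNATURE))
    print("lookup tool input:", mxtoolbox_query(DKIM_SIGNATURE))
    print("CNAME to create:", cname_for_own_domain("yourdomain.ca", DKIM_SIGNATURE))
    print("record problems:", check_dkim_record(DKIM_TXT))
```

The p= check catches the two failure modes seen most often when a record is copied by hand: an empty key, which DKIM defines as revoked, and a key damaged by line breaks or stray quotes. To query DNS directly instead of going through a web tool, look up the name returned by dkim_lookup_name as a TXT record with the resolver of your choice.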

Setting Up DMARC Records

The last piece of the puzzle is setting up your DMARC record. Create a mailbox or distribution list to collect DMARC reports, and set your DMARC DNS record to quarantine or reject emails that don't pass DMARC. Alternatively, you can use a service like https://www.uriports.com to collect the reports for you.

Example DMARC TXT DNS record:

v=DMARC1; p=quarantine; adkim=s; aspf=s; rua=mailto:dmarcfailure@yourdomain.ca

What this means:

  • v=DMARC1: Indicates this is a DMARC policy
  • p=quarantine: Email servers should "quarantine" emails that fail DMARC, i.e. that have neither an aligned SPF pass nor an aligned DKIM pass
  • adkim=s: DKIM alignment is "strict": the d= domain in the signature must exactly match the From: domain (relaxed mode, adkim=r, also accepts subdomains)
  • aspf=s: SPF alignment is "strict": the envelope sender domain must exactly match the From: domain
  • rua=mailto:xxxx: Sends aggregate DMARC reports to this email address

One caveat with strict modes: when a bulk provider sends with its own envelope domain, as in the header above, SPF will never align no matter how it is configured, so DKIM signed with your domain is the only path to a DMARC pass. Make sure the DKIM setup is verified before moving from p=none to quarantine or reject.
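As an added example (written for this page, not code from the post or any provider), the Python below ties the Authentication-Results header from the Understanding the Problem section to the DMARC record above: it parses the header, reads the alignment modes out of the DMARC record, and works out whether any passing result aligns with the From: domain, which is the decision that produced dmarc=fail. The organisational-domain helper is simplified to the last two labels of a name; a real verifier uses the Public Suffix List. It goes slightly beyond the post by also evaluating the relaxed alignment mode, which the post's record does not use.

```python
import re

# Authentication-Results header quoted in the post (its value, on one line)
AUTH_RESULTS = (
    "spf=pass (sender IP is 198.2.144.59) smtp.mailfrom=mail59.atl301.rsgsv.net; "
    "dkim=pass (signature was verified) header.d=mailchimpapp.net; "
    "dmarc=fail action=none header.from=deploydepot.ca; compauth=fail reason=001"
)

# DMARC TXT record quoted in the post
DMARC_RECORD = "v=DMARC1; p=quarantine; adkim=s; aspf=s; rua=mailto:dmarcfailure@yourdomain.ca"


def parse_auth_results(header):
    """Map each method in an Authentication-Results header to (result, properties).

    Parenthesised comments such as '(sender IP is ...)' are discarded, and a
    leading authserv-id clause (a bare host name with no '=') is skipped.
    """
    header = re.sub(r"^\s*Authentication-Results:\s*", "", header, flags=re.I)
    results = {}
    for clause in header.split(";"):
        clause = re.sub(r"\([^)]*\)", "", clause).strip()
        if not clause or "=" not in clause.split()[0]:
            continue
        tokens = clause.split()
        method, result = tokens[0].split("=", 1)
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        results[method] = (result, props)
    return results


def parse_dmarc(record):
    """Parse a DMARC TXT value. Alignment defaults to relaxed, as in RFC 7489."""
    tags = [t.strip() for t in record.split(";") if t.strip()]
    if not tags or tags[0] != "v=DMARC1":
        raise ValueError("a DMARC record must start with v=DMARC1")
    kv = dict(t.split("=", 1) for t in tags if "=" in t)
    if kv.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("p= must be none, quarantine or reject")
    return {
        "p": kv["p"],
        "adkim": kv.get("adkim", "r"),
        "aspf": kv.get("aspf", "r"),
        "rua": [u for u in kv.get("rua", "").split(",") if u],
    }


def org_domain(domain):
    """Organisational domain, simplified here to the last two labels.

    A real verifier consults the Public Suffix List (e.g. for example.co.uk).
    """
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Strict ('s') needs an exact match; relaxed ('r') accepts subdomains."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate(header, record, from_domain=None):
    """Apply the record's alignment modes to the header's SPF and DKIM results."""
    policy = parse_dmarc(record)
    res = parse_auth_results(header)
    if from_domain is None:
        from_domain = res["dmarc"][1]["header.from"]  # from the receiver's own dmarc clause
    spf_result, spf = res.get("spf", ("none", {}))
    dkim_result, dkim = res.get("dkim", ("none", {}))
    spf_ok = spf_result == "pass" and aligned(spf.get("smtp.mailfrom", ""), from_domain, policy["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim.get("header.d", ""), from_domain, policy["adkim"])
    verdict = "pass" if (spf_ok or dkim_ok) else "fail"
    return {
        "from": from_domain,
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        "dmarc": verdict,
        "disposition": "none" if verdict == "pass" else policy["p"],
        "reports_to": policy["rua"],
    }


if __name__ == "__main__":
    print(evaluate(AUTH_RESULTS, DMARC_RECORD))
    # What the CNAME-based DKIM setup achieves: the signature's d= becomes the From: domain.
    fixed = AUTH_RESULTS.replace("header.d=mailchimpapp.net", "header.d=deploydepot.ca")
    print(evaluate(fixed, DMARC_RECORD))
```

Run on the post's header, evaluate returns dmarc=fail with disposition quarantine, because both passes belong to the provider's domains. Swapping header.d to deploydepot.ca, which is what the CNAME setup achieves, flips the verdict to pass. The same function also shows the cost of strict alignment: a signature with d=mail.deploydepot.ca passes under the default relaxed mode but fails under the record's adkim=s.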

Need Help with Email Authentication?

Contact our team for expert assistance with email verification and DMARC setup for your business.