DMARC, which stands for “Domain-based Message Authentication, Reporting & Conformance”, is an email authentication protocol. It builds on the widely deployed SPF and DKIM protocols, adding a reporting function that allows senders and receivers to monitor and protect against fraudulent use of a domain in email.
DMARC allows domain owners, including ISPs and webmail providers, to publish a “policy” that restricts where their domain can be used. Yahoo, for example, can restrict the use of the yahoo.com domain in from addresses. Their restriction effectively prevents anyone from using a yahoo.com from address except when using the Yahoo! Mail webmail interface. You cannot use a yahoo.com email address when sending from Marketing Cloud: ISPs that honor DMARC will reject this mail, because it purports to be from Yahoo but did not originate from Yahoo infrastructure.
Does Marketing Cloud support DMARC?
Yes. If you have Sender Authentication Package and are using your Sender Authentication Package domain name in your from address, then any mail sent from that account will pass DMARC if you choose to implement a DMARC DNS record.
Note that when supporting DMARC, supporting multiple domain names inside of one account becomes complex, because the Return-Path (bounce) domain is typically static. To make the bounce domain variable, for maximum DMARC compliance, reach out to Salesforce support and request that “multi-bounce domain support” be enabled for any accounts where you will be sending from multiple domains.
Policy Choices, Implementation Partners and Reporting
I cannot advise on what DMARC policy to choose. Salesforce recommends that you partner with a vendor that provides tools and guidance related to DMARC policy implementation, such as Proofpoint, DMARCIAN or Agari.
Salesforce Marketing Cloud can and will implement your desired DMARC policy upon request. But they are not able to advise on what policy choice makes the most sense for you.
Salesforce Marketing Cloud does not capture or report on DMARC failure notifications. They recommend that you partner with a vendor that provides DMARC monitoring and reporting, such as Proofpoint or Agari.
Why does Marketing Cloud not provide tools or guidance for DMARC implementation?
Marketing Cloud’s core competency is the building and delivering of email messages. DMARC is an anti-fraud and security-related technology that is currently well handled by various vendors with specific experience relating to DMARC and security in general. Providing DMARC data requires specialized tools and knowledge that are currently better handled by vendors with this specialized expertise.
For more information on DMARC, visit http://www.dmarc.org.
Simple DMARC Option
If your specific Sender Authentication Package domain is in use only on Marketing Cloud, here is a simple DMARC record that you can request to have applied to your domain. This does not require you to partner with a third party, but its scope is limited compared to what you can do when partnering with a third-party DMARC specialist provider.
Suggested DMARC record: v=DMARC1; p=reject; pct=100;
- This will instruct ISPs to discard mail from your SFMC domain that does not authenticate properly;
- This may provide a modest deliverability boost at Gmail;
- Will NOT result in DMARC/authentication failure or spoofing reports being sent;
- Will NOT notify you of attempted fraudulent use of your domain or subdomain name;
- Assumes this exact domain or subdomain is in use ONLY on Salesforce Marketing Cloud;
- Is not safe if you use this exact domain or subdomain on more than one email platform. You could be instructing ISPs to reject that other non-SFMC legitimate mail.
To proceed, please submit a Salesforce support ticket requesting that the “simple DMARC option” be enabled. If you are self-hosting your DNS, you can add this yourself as a new TXT record (unless you already have a DMARC record in place).
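
A check worth running before adding the record yourself, as an added example (not Salesforce code): it audits the TXT strings published at the _dmarc name of a domain, flags an existing second DMARC record, and shows that the suggested record requests no reports. The function names and the sample strings, including the example.com report address, are constructed for illustration.

```python
# Added example (not Salesforce code): audit the TXT strings at _dmarc.<domain>.
POLICIES = {"none", "quarantine", "reject"}

def parse_tags(record):
    """Split 'tag=value; tag=value;' into a dict; tolerates a trailing ';'."""
    tags = {}
    for part in filter(None, (p.strip() for p in record.split(";"))):
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        tags[name.strip().lower()] = value.strip()
    return tags

def is_dmarc(record):
    """A DMARC record must begin with the exact tag v=DMARC1."""
    name, _, value = record.split(";", 1)[0].partition("=")
    return name.strip() == "v" and value.strip() == "DMARC1"

def audit_dmarc(txt_records):
    """Return findings for the TXT strings published at _dmarc.<domain>."""
    records = [r for r in txt_records if is_dmarc(r)]
    if not records:
        return ["no DMARC record published"]
    if len(records) > 1:
        return ["multiple DMARC records: receivers apply no DMARC policy"]
    tags = parse_tags(records[0])
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in POLICIES:
        findings.append(f"missing or invalid p= tag: {policy!r}")
    pct = tags.get("pct", "100")  # pct defaults to 100 when absent
    if not pct.isdecimal() or int(pct) > 100:
        findings.append(f"invalid pct= value: {pct!r}")
    elif int(pct) < 100 and policy != "none":
        findings.append(f"policy applies to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua=: no aggregate reports will be sent")
    if "ruf" not in tags:
        findings.append("no ruf=: no failure reports will be sent")
    return findings

# Constructed inputs: the record suggested above, and a domain that already
# had a DMARC record when a second one was added.
SIMPLE = ["v=DMARC1; p=reject; pct=100;"]
DUPLICATE = SIMPLE + ["v=DMARC1; p=none; rua=mailto:reports@example.com"]

if __name__ == "__main__":
    for finding in audit_dmarc(SIMPLE) + audit_dmarc(DUPLICATE):
        print(finding)
```

For a live domain, pass in the strings returned by a TXT lookup of _dmarc.<your domain>.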