DMARC Compliance
Quick FAQs (but you should probably read all the rest too, since you're here already)
Q: What is "DMARC Compliance"
A: Getting all of your legitimate traffic for to pass DMARC checks by receivers (e.g. Google, Yahoo, others)
Q: I published a DMARC record, is my domain "compliant"?
A: NO. The traffic sent for that domain must pass DMARC checks in order to be considered compliant.
Q: How do I increase/gain "compliance"?
A: You must work with all vendors which send original email using your domain in the From header, to make that traffic pass DMARC.
Q: How does dmarcian help with this effort?
A: DMARC data is really the only way to get a good picture of how well authenticated your domain's email traffic is, who is sending it, and in what volume+frequency. As a DMARC data aggregator dmarcian compiles views to help the domain owner understand where they need to look to make improvements.
Understanding DMARC Compliance is vital to any successful DMARC implementation project. Your goal is to increase the DMARC Compliance rate across each of the Sources (this could be your own infrastructure but more commonly it's seen as vendors that send email using your domain in the From header) that are sending email on behalf of your domains. Only DMARC Compliant messages will survive DMARC enforcement policies (e.g. p=quarantine or p=reject). Increasing your overall DMARC Compliance rate is achieved through a combination of configuring your desired Sources to pass DMARC correctly and adding associated entries to your DNS. Adding associated entries to your DNS alone is insufficient. (i.e. you WILL have to work with your vendors)
For an email message to be considered DMARC-compliant, the domain found in the “From:” header must match the domain validated by SPF or the source domain found in a valid DKIM signature. If the domains match, and at least one of the two mechanisms succeeds verification, this is a DMARC pass and receivers know that the email legitimately came from the domain specified.
By themselves, SPF and DKIM can associate a piece of email with a domain. DMARC attempts to tie the results of SPF and DKIM to the content of email: specifically to the domain found in the From header of an email, which is the object that ties together all DMARC processing.
Because anyone can buy a domain and put SPF and DKIM into place (including criminals), the results of processing SPF and DKIM have to be related to the domain found in the From header to be relevant to DMARC. This concept is referred to as “Identifier Alignment.”
A DMARC policy allows a domain owner to indicate that their messages are protected by SPF and/or DKIM and tells the recipient what to do if none of these are verified on a particular piece of email, such as marking it as junk mail or rejecting delivery of the message. Domain owners can set their DMARC policy (referred to as “p=”) to determine how non-compliant emails are processed by receivers.
Note well: Having a DMARC record does not automatically make a domain DMARC compliant.
The traffic sent on behalf of that domain must actually pass DMARC in order to convey compliance: it is really a question of whether or not the traffic sent for the domain is compliant, not whether the domain itself is compliant; on behalf of the domain you can really only say whether the published DMARC record is correct, and what policy it publishes.