TL;DR: Yes.
Some will argue that the vast majority of organizations should not try to publish a DMARC record with an enforcement policy (p=quarantine or p=reject).
Some claim that doing so would actually hurt deliverability. This can be true — but only if you rush to enforcement without putting in the time to authenticate all your sending services correctly.
When you do put in that time, though, DMARC at enforcement improves your deliverability. And if your domain is heavily phished, the improvement can be substantial (as much as 10%).
The danger is failing to correctly authorize a service you’re actually using.
Do that, and moving to DMARC enforcement will cause those legitimate (but not correctly authorized) email messages to get blocked. This is a real concern, particularly for beleaguered IT administrators who are just trying to keep the mail flowing. However, now they’re tasked with keeping up with all the nuances of DMARC, SPF, and DKIM:
- Dealing with the many variations in how different cloud service providers authenticate email (or don’t)
- Interpreting DMARC reports
- Trying to track down which department owns which cloud service
But the broader argument that DMARC is relevant only to a few special use cases? That argument flies in the face of modern email best practices, and here’s why.
Why DMARC Is Right for Everyone
1. Authentication Boosts Deliverability
In fact, virtually every major provider of email, including Google, Microsoft, and Yahoo, recommends using DMARC at enforcement. The industry group M3AAWG also recommends DMARC at enforcement as deliverability best practice.
That’s because enforcement helps receivers know, without a doubt, who owns the domain that an email message comes from. This is a valuable signal that mail providers leverage.
“If you value deliverability, want to secure your brand, and want to leverage AMP, BIMI, or other modern email enhancements, you must do DMARC at enforcement.”
Marcel Becker, Director of Product Management at Yahoo
The evidence is plain that deliverability rises markedly after publishing a DMARC record with an enforcement policy for the simple reason that bad mail sent in your name no longer counts against your reputation.
A published account by HMRC has shown deliverability rates jumping from 18% to 98% after implementing DMARC at enforcement. Granted, HMRC’s experience is an outlier: It was being heavily spoofed, and as a result, the reputation of its domain was in the toilet with most mail receivers.
But Valimail’s customers regularly see 10%, 20%, or even greater rates of improvement in deliverability after moving to enforcement.
2. Authentication Is Becoming Essential
The effectiveness of authentication (with DMARC at enforcement) is a significant reason that these mail providers will eventually move to a “No Auth, No Entry” policy — which will mean that they will only deliver mail if it authenticates in the manner DMARC requires.
Google and Yahoo already announced that they will be requiring email authentication standards for bulk senders starting in February 2024.
Additionally, in Google’s FAQ about the coming changes, they mentioned: “It’s likely that DMARC alignment with both SPF and DKIM will eventually be a sender requirement.” Google is going to continue requiring best sending practices, and if you haven’t considered DMARC before, you will need to in the future.
“Your email should be trusted and safe. Everyone’s email should be. This is Valimail’s mission: restore trust to email. We believe that authentication is foundational, and doing it the right way is critical. Google and Yahoo are elevating best practices — having strong authentication — into requirements. We welcome this! And we’re looking forward to partnering with Google and Yahoo to take this even further and ensure quality of enforcement.”
Seth Blank, CTO of Valimail
The Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG) agrees: “Mailbox providers have long advocated for email authentication since they anchor reputation to authenticated identities to support message handling decisions. Furthermore, the use of authentication protocols such as SPF, DKIM, and DMARC has long been recognized as a best practice by M3AAWG.”
DMARC enforcement is essential for ensuring trust as the world moves to embrace new email functionality that increases engagement and conversion rates.
For example, if you want to leverage Brand Indicators for Message Identification (BIMI), a new standard that allows senders to specify an image that appears alongside their messages, you’re going to need a DMARC record with a policy of p=quarantine or p=reject — in other words, enforcement.
3. Phishing Defense and Brand Protection
The deliverability benefit is hardly the only reason to move to enforcement. A policy of p=reject or p=quarantine is where you actually start to realize the anti-impersonation benefits of DMARC, blocking unauthorized emails posing as you, no matter where in the world they originate.
In other words, it will cut down on phishing (directed at your employees as well as your customers/partners). And it will help protect your email brand from being sullied by impersonators.
4. DMARC Doesn’t “Break” Email
DMARC is an example of the ongoing evolution of email technology, security and deliverability. It changes some use cases around email, for example how folks handle or special case certain types of email messages, like email forwarding or email discussion lists.
For the most part, the email discussion list concerns have long been addressed; we are indeed already living in a DMARC world (with millions of domains publishing a DMARC policy) and mailing lists still exist. Mailing list operators know the right way to take responsibility for, and maximize the deliverability of, their discussion mailing lists. Discussion groups and email-based forums continue on and remain popular in this modern evolution of email messaging.
Email forwarding has long been a trickier thing to handle, and not newly “broken” because of email authentication or DMARC. The evolution of the email ecosystem, and protection against spam and other threats was such that going all the way back to the late 1990s, when IP-based blocking lists were the primary spam protection for the inbox, was always a “last-hop mechanism” that meant that checking IP reputation and properly filtering forwarded messages has always been challenging. In this regard, DMARC is not something “new” to impede email forwarding.
DMARC fundamentally evolves email to help make it more secure. How you implement a given mail service might change post DMARC-implementation, but how you implemented email services back in 1998 versus how you would do it today, in 2024, will be significantly different for many reasons — including because tools and software can grow out of date and become unable to keep up with modern security standards, so they are eventually replaced by newer versions of tools, or completely different tools. This evolution started long before DMARC was even contemplated.
Updating your mail server (MTA) version (or replacing the MTA completely) to address “open relaying” spam issues is an example of outdated, insecure email software requiring updates as far back as 25+ years ago. Since then email and communication software has been regularly updated to become more secure, to support modern TLS encryption, to support SMTP auth and then Oauth, and to sign messages with DomainKey Identified Mail (DKIM). These are just a few of many times it has been necessary to update, replace or implement new tools and technology to keep up with evolving security requirements.
Challenges with DMARC Enforcement
Yes, there are challenges in ensuring that you properly authenticate every legitimate service that you want to be able to send mail. If you want to authorize Mailchimp, Hubspot, Asana, system update emails, email discussion lists, invoices, payroll, and credit card processing receipts (for example), you need to ensure that they are all correctly configured using SPF and DKIM.
Far from being a difficult or impossible job, though, this is eminently achievable. In fact, Valimail does this every single day on behalf of our customers.
That’s because we understand how the modern email ecosystem works. We have detailed knowledge of (and relationships with) all the major email-sending services in the world — thousands of them — so we can accurately identify them and authorize them.
Interested? Check out Valimail Enforce, our automated solution to helping you reach (and maintain) DMARC enforcement at scale.
Enforcement Matters: Take Action Now
In short, enforcement works. It helps deliverability, major email receivers recommend it, and it positions you well to take advantage of future enhancements to email that will make it an even more powerful marketing tool.
Anyone who tries to tell you that you should not publish a DMARC policy, or that you don’t need to be at enforcement, is selling DMARC’s potential short.
See for yourself. Get free visibility into your domains with Valimail Monitor to identify and authorize all senders, point out any bad actors, and take the first step toward enforcement.
