Labs: A free tool to monitor and implement DMARC

For the last several weeks Artem, Derek, and I have been working on a secret labs project internally. On behalf of all three of us, I’m really excited and proud to announce dmarc.postmarkapp.com, a free service to monitor and implement DMARC for your domains.


What is it?

As any Postmark customer knows, SPF and DKIM are extremely important for email reputation and preventing email spoofing. We’ve supported both from day one. Since SPF and DKIM are part of the Postmark onboarding process, we have an extremely high adoption rate from customers. The latest standard, DMARC, ties SPF and DKIM together, allowing you to publish domain policies on what email should be accepted (or rejected) based on the SPF or DKIM results. A number of ISPs (Google, Microsoft, Yahoo, etc.) support DMARC and will obey the policies that you set in DNS.

While DMARC is truly a huge step forward, it’s highly complicated and risky to implement. If you set a DMARC policy without knowing all of your email sources (mailboxes, email marketing services, CRM, transactional email, server alerts, etc.), you could cause legitimate emails to be rejected. In addition, each ISP will deliver reports about your domain’s activity that show which domains and IP addresses have sent email on your behalf, along with the SPF and DKIM results. The problem is that these reports are sent as XML files, making them incredibly hard to read and understand. That’s where Postmark’s DMARC service comes in.

How does it work?

Just go to dmarc.postmarkapp.com and enter your email address and domain. After that, we’ll give you instructions with a TXT record to add to your DNS. Once verified, our service will collect and parse the reports that are sent from each ISP, and you’ll receive a weekly email digest of your DMARC alignment and statistics.

The goal is to monitor your DMARC alignment across your sending sources (Postmark, Google Apps, newsletters, etc.). Once you are confident that all of your sending sources are properly aligned according to DMARC, you can start to slowly set quarantine and reject policies for your domain.

Built using Postmark

The coolest part of this project is that we were able to build it using our own set of tools. To parse the reports from the ISPs, we are using Postmark Inbound processing. And to send the digests, we use our Outbound API with the recently launched open tracking tools. It’s always nice when you get to save some time by using the product you built. Partially influenced by the Beanstalk team, Artem decided to build this new service in Clojure and the result looks really promising.

Why does Postmark not align via SPF?

Most email service providers will send email showing your own From address, but the Mail From (or Return-Path) is set to an address on their own domain. This allows ESPs to collect bounces for reporting. With DMARC, the Return-Path and From address must match the same domain for SPF to align. This means that many ESPs will fail DMARC alignment on SPF. Some ESPs get around this by using a Sender header, but we never liked that option due to the ugly “on behalf of” message that can show up in email clients. In addition, we like our customers to build a portable reputation on their own domains by using custom DKIM in their DNS.

To fully support DMARC, we are working on an option to allow custom Return-Path domains using your own domain. This will allow the Return-Path to match the From address, resulting in a passing DMARC alignment for your emails. I expect this to be ready in several weeks. For now, start using the DMARC service to collect data and get a handle on your sending sources.