Enable DMARC policy compliance check (how does SM handle DMARC?)
Question asked by Michael Breines - September 25, 2017 at 10:04 AM
Can we get some background or KB article on how exactly Smarter Mail enforces DMARC policy?
In the Antispam Administration | Options there is the option for: "Enable DMARC policy compliance check"
My question is:
How does Smarter Mail enforce DMARC policy?
For example: does the SM server regularly reply to domains' "ruf" or "rua" email addresses with reports? From what "from" address does the SM server send these notices to the addresses listed in the DNS?
Some more background on DMARC would be nice. DMARC seems to be catching on and I feel we should start to be compliant for inbound message processing. But SM documentation and help articles on the subject are very scarce.

4 Replies

John Ellis Replied
Greetings SmarterTools Staff! I have the same question as Michael. What happens when we "Enable DMARC policy compliance check"?
I haven't heard back to the post in more than a year. It left me with the impression that DMARC was a little half-baked, at least in v15.
Maybe DMARC is handled better in upcoming 17.x?
Scarab Replied

TBH I haven't paid much attention to how well it specifically works in SM anymore as we disabled it a long time ago (shortly after the feature was initially released) as it caused far more trouble than it was worth. The general SM Admin consensus seems to have been to leave it disabled ever since.

In theory, the DMARC policy conformance check should query to see if there is a DMARC policy for a domain, then it would check SPF & DKIM and if either fails, act according to the DMARC policy if one exists (the options being "none", "quarantine", or "reject"). Even if the SM implementation works flawlessly there is going to be an issue with any email that is sent from a forwarder, resulting in hundreds of bounces for each forwarding address that forwards to an account on your server. I also seem to recall that at the time UPS didn't have their SPF records aligned properly and since they had a "reject" DMARC policy it resulted in all of their emails being rejected... which the majority of our users run mom-and-pop ecommerce sites and are dependent upon their UPS emails... and since UPS didn't seem intent on fixing it by updating their SPF record over the course of 6+ months we just disabled it. AMEX, PayPal, and a few other important domains had similar issues.

It's one of those things that is a great idea. In practice, however, it can be a huge mess. It's not like spammers use DMARC policy and all it does is prevent spoofing, which if you score SPF and DKIM hard-fails high enough it accomplishes the same thing with far less headache.
