13
Enable DMARC policy compliance check (how does SM handle DMARC?)
Question asked by Michael - 9/25/2017 at 10:04 AM
Answered
Can we get some background or KB article on how exactly Smarter Mail enforces DMARC policy?
 
In the Antispam Administration | Options there is the option for: "Enable DMARC policy compliance check"
 
My question is:
How does Smarter Mail enforce DMARC policy?
For example: does the SM server regularly reply to domains "ruf" or "rua" email addresses with reports? From what "from" address does the SM server send these notices to the addresses listed in the DNS?
 
Some more background on DMARC would be nice. DMARC seems to be catching on and I feel we should start to be compliant for inbound message processing. But SM documentation and help articles on the subject are very scarce.

23 Replies

1
John Ellis Replied
Greetings SmarterTools Staff! I have the same question as Michael. What happens when we "Enable DMARC policy compliance check"?
1
Michael Replied
I haven't heard back to the post in more than a year. It left me the impression that DMARC was a little half-baked, at least in v15.
0
Michael Replied
Maybe DMARC is handled better in upcoming 17.x?
1
Scarab Replied
Michael,

TBH I haven't paid much attention to how well it specifically works in SM anymore as we disabled it a long time ago (shortly after the feature was initially released) as it caused far more trouble than it was worth. The general SM Admin consensus seems to have been to leave it disabled ever since.

In theory, the DMARC policy conformance check should query to see if there is a DMARC policy for a domain, then it would check SPF & DKIM and if either fails do according to the DMARC policy if one exists (the options being "none", "quarantine", or "reject"). Even if the SM implementation works flawlessly there is going to be an issue with any email that is sent from a forwarder, resulting in hundreds of bounces for each forwarding address that forwards to an account on your server. I also seem to recall that at the time UPS didn't have their SPF Records aligned properly and since they had a "reject" DMARC policy it resulted in all of their emails being rejected...which the majority of our users run mom-and-pop ecommerce sites and are dependent upon their UPS emails...and since UPS didn't seem intent on fixing it by updating their SPF record over the course of 6+ months we just disabled it. AMEX, PayPal, and a few other important domains had similar issues.

It's one of those things that is a great idea. In practice, however, it can be a huge mess. It's not like Spammers use DMARC policy and all it does is prevent Spoofing, which if you score SPF and DKIM hard-fails high enough it accomplishes the same thing with far less headache.
1
Michael Replied
Now that V17 (100) is in full swing, I wonder if Smarter Tools brass can comment more now? Can we get some background or KB article on how exactly Smarter Mail enforces DMARC policy?
3
Michael Replied
*bump*

Can we get some background or KB article on how exactly Smarter Mail enforces DMARC policy?

For example: does the SM server regularly reply to domains "ruf" or "rua" email addresses with reports? From what "from" address does the SM server send these notices to the addresses listed in the DNS (postmaster or ?) ?

Some more background on DMARC would be nice. DMARC seems to be catching on and I feel we should start to be compliant for inbound message processing.
0
Phill Healey Replied
HELLOOOOOOOOOOOOOOOOOOOOOOOOOOOOO!!!  Is there anybody out there? S.M.A.R.T.E.R.T.O.O.L.S......... Are you receiving? Over.

0
Employee Replied
Employee Post Marked As Answer
Michael,

SmarterMail enforces DMARC policy based upon however the DMARC record is configured.  If the ri (Reporting Interval) flag is set, it would send out reports at whatever interval is specified.  If that flag is omitted, reports default to being sent out every 24 hours.

I believe, though I'm not 100% certain, that the email address these reports would be sent from would be the system administrator email address.
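
For reference, the receiver-side check discussed in this thread (look up the policy, test SPF and DKIM, apply "none", "quarantine" or "reject", with `ri` defaulting to 86400 seconds) as an added Python example following RFC 7489; it is not part of any post and is not SmarterMail's code. Under the RFC a message passes when either SPF or DKIM passes with a domain aligned to the From domain, which is why forwarded mail survives only if its DKIM signature does. The record, domains and function names are constructed, and relaxed alignment is simplified to a parent/subdomain test instead of a Public Suffix List lookup.

```python
# Added example: receiver-side DMARC evaluation per RFC 7489 (not SmarterMail code).

def parse_dmarc(txt):
    """Parse a DMARC TXT record into a dict, filling in RFC 7489 defaults."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return None  # not a usable DMARC record
    return {
        "p": tags["p"].lower(),
        "adkim": tags.get("adkim", "r"),
        "aspf": tags.get("aspf", "r"),
        "pct": int(tags.get("pct", "100")),
        "ri": int(tags.get("ri", "86400")),  # seconds; default is 24 hours
        "rua": [u.strip() for u in tags.get("rua", "").split(",") if u.strip()],
        "ruf": [u.strip() for u in tags.get("ruf", "").split(",") if u.strip()],
    }

def aligned(from_domain, auth_domain, mode):
    """Strict mode: exact match. Relaxed mode is simplified (assumption) to a
    parent/subdomain test; real receivers compare organizational domains."""
    a, b = from_domain.lower(), auth_domain.lower()
    if mode == "s":
        return a == b
    return a == b or a.endswith("." + b) or b.endswith("." + a)

def evaluate(record, from_domain, spf, dkim):
    """spf and dkim are (result, authenticated_domain) tuples from earlier checks.
    Returns 'pass', 'no-policy', or the disposition the sender's policy requests."""
    policy = parse_dmarc(record)
    if policy is None:
        return "no-policy"
    spf_ok = spf[0] == "pass" and aligned(from_domain, spf[1], policy["aspf"])
    dkim_ok = dkim[0] == "pass" and aligned(from_domain, dkim[1], policy["adkim"])
    # DMARC passes when EITHER mechanism passes with an aligned domain.
    return "pass" if (spf_ok or dkim_ok) else policy["p"]

# Constructed sample record; example.com and the mailbox are placeholders.
RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=r; aspf=r"
```

Calling `evaluate(RECORD, "example.com", ("pass", "bounce.esp.test"), ("none", ""))` returns `"reject"`: SPF passed, but for an unaligned domain, which is the kind of sender-side misalignment described earlier in the thread.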
0
Michael Replied
Ben, how can we learn more or see this within official documentation?
2
Employee Replied
Employee Post
Michael,

I've passed this along to the documentation team so that they can work on adding some more thorough documentation on how SmarterMail works with DMARC.
2
Phill Healey Replied
Woot! Almost 2 years, but we finally got an answer!

(I notice my post requesting a response to this got removed though.)
3
Jaime Replied
Hi, Ben, thanks for your reply... When can we expect to have the new documentation on this topic?

Jorge
1
Michael Replied
Ben, how can we learn more or see this within official documentation?
0
Employee Replied
Employee Post
Michael,

I passed this along to the documentation team; however, I don't believe the updated documentation has been published yet.
3
Michael Replied
Ben, updating the documentation may be a process, but surely we can get an answer here in the forums by leadership... right?

For some time now we've been trying to understand how Smarter Mail enforces DMARC policy. Getting the answer has been painful.

For example: 
  • Does the SM server regularly reply to domains "ruf" or "rua" email addresses with reports? 
  • From what "from" address does the SM server send these notices to the addresses listed in the DNS (postmaster or ?)
DMARC is clearly becoming more and more important. Many of us want to be compliant, but it's not clear how Smarter Mail handles DMARC enforcement and notification. Forget the documentation for the time being, maybe we can simply get some feedback here?
1
Steve Norton Replied
Hi Michael,
I've often looked for evidence that SM sends DMARC reports but haven't found even one shred. If you have a DMARC policy on your domain, as I do, I'd be happy to do some testing with you. We may end up creating a problem thread instead of requesting documentation updates.
Steve
1
Michael Replied
Thanks Steve. We suspected the same which is why we asked the question. DMARC support seems minimal at the moment (which is too bad). It would just be great to get some feedback from development on this. Some transparency if possible.
0
Phill Healey Replied
DMARC = Don't Make Anyone (at SmarterTools) Remark & Consider (your questions).
0
IT Admin Replied
It's all about MAPI and that is the only thing that matters to them these days.
0
Sébastien Riccio Replied
I would also be interested to know how SmarterMail handles sending DMARC reports.

Sébastien Riccio System & Network Admin https://swisscenter.com
1
Douglas Foster Replied
DMARC is three different things: (1) Enforcing sender's policy, (2) Collecting data and sending reports to senders that request reports, and (3) Receiving and analyzing reports about your own domain. Item 3 has nothing to do with email reception, so it is out of scope for SmarterMail. Item 1 is useful even without item 2. If there is no configuration and no documentation for DMARC reports, I would assume that item 2 is not implemented.

However, the DMARC policy in SM has no visible exception mechanism.  It seems unlikely to me that all DMARC-enabled senders will have their act together, so I am not likely to enable the feature.  If someone has figured out how to implement exceptions effectively, it would be interesting to hear your experience.
0
Michael Replied
SmarterTools team can you shed some light on this regarding the processing of inbound messages?

We'd like to know if the SmarterMail server replies to domains "ruf" or "rua" email addresses with reports per the sending domain's DNS DMARC record?

Also...
From what "from" address does the SM server send these notices to the RUF / RUA addresses listed in the DNS (postmaster or ?)
What do the SM server reports look like and can they be customized?
0
Douglas Foster Replied
SM does not do either type of report.   Creating a reporting system will require an external database, a task scheduler, and a lot of new code to populate the database and extract results. 

Based on data from more knowledgeable people, RUF reporting is rare.  Privacy concerns abound and volumes may be untenable.  As a result, it is usually limited to parties under specific contract with each other.
