I've been seeing dire warnings about DMARC. What do you think?

[LilyBLily]

This was a copy and paste from a company called Moosend:

    "Google and Yahoo Email Requirements: What you need to do before February 2024

     Dear users,

Google and Yahoo are implementing stricter border control measures to distinguish between legitimate and harmful emails.

This sends a clear message to mass email senders: "Stick to the rules or face the consequences."

The upcoming changes are poised to enhance the identification of legitimate emails, ensuring a safer and more secure email environment.

Non-compliance may lead to blocked emails for Google and Yahoo recipients.

Google's changes will be effective as of February 1st, 2024, while Yahoo's as of Q1, 2024.

     Here are some proactive steps you can take now:

     DNS Authentication:

    Make sure that your domain name is being supported by :

        SPF and DKIM
        Make sure your domain name is being protected by Dmarc.

        Transition to Your Own Domain: If you're currently using a @yahoo.com or @gmail.com address, or any free email address to send messages from the Send platform [This may be specific to Moosend], make sure to create a plan for transitioning to your own domain to align with the upcoming authentication changes.
        Keep Your Spam Complaints Low: Starting February 2024, spam complaints need to remain at 0%.

    Embrace Yahoo's and Google's authentication changes and stay ahead of the game in the ever-evolving landscape of email communication."

A few days previously I saw a link to this lengthy set of directions on how to implement DMARC:

https://authorssellingdirect.com/blogs/blog/how-to-add-a-dmarc-record

What I don't understand about any of this is:

1. Why do Google and Yahoo care. Google already sends many newsletter emails to its promotions tab where they are seldom seen.

2. Having zero spam complaints is not under the control of a sender, only of a receiver.

3. Why isn't DNS authentication enough?

I wonder if this is a tempest in a teapot?

[Post-Crisis D]

1. Why do Google and Yahoo care. Google already sends many newsletter emails to its promotions tab where they are seldom seen.

The destination server (the one that receives the eMail to be delivered to the eMail recipient) is the one that does the check to verify the eMail was sent from the domain it claims to have been sent from.

2. Having zero spam complaints is not under the control of a sender, only of a receiver.

All the sender can do is minimize the odds of spam complaints.  The only way to guarantee zero spam complaints is to never send any eMails.

The DMARC option helps prevent spoofing, like a phisher sending you an eMail made to look like it came from your bank.  It's not really designed for spam.  I mean, if you register spamsRus.dom and start spamming people from lilyBlily@spamsRus.dom, then DMARC is going to compare the sender address and the server address and say, sure, looks legit!

3. Why isn't DNS authentication enough?

If someone sends an eMail from xyz.server but makes it look like it came from bob@yourbank.dom, DNS authentication can make sure that, yes, the eMail did come from xyz.server.  But, it cannot check to make sure that the purported sender address (bob@yourbank.dom) actually matches the server address (xyz.server).  That is where DMARC comes in.

[alhawke]

Post-Crisis D, is there anyway to know how much spam puts you at risk? Is there a number involved?

[Bill Hiatt]

The advantage of having a good registrar and a good email provider is that much of this is already implemented.

Aside from being my cdn provider, Cloudflare is also the domain registrar for my author website, which is the domain I use in newsletter emails. Mailerlite is my email provider. Both encouraged the use of appropriate verification and authentication practices long ago. All I needed to do to finish was implement a DMARC policy, which CF walked me through.

Most email list providers probably have instructions on their websites specific to their services. Most domain registrars will also have info on what DNS entries you need and how to add or change them.

New requirements can often be a nuisance, but in this case, it looks as if compliance is easy enough.

[LilyBLily]

Alas, since my domain is hosted by a different company than my website--which is supposedly a best practice--I'm having trouble getting my domain registrar to understand what I am asking. I don't think the chatbot knows anything about DMARC. I authenticated my domain name a long time ago, but this DMARC thing is slightly worrying. An awful lot of people have gmail addresses.

[Bill Hiatt]

This may be more of a problem for people sending 5000+ emails per month (if Mailerlite is correct), so it might depend on the size of your email list whether it's a real problem for you or not.

Is there a way to bypass the domain chatbot and commune with a live person? It's doubtful you're the only customer who needs answers on that subject.

Most of the DMARC stuff is easy. (ML lays out what the basic elements are and what they mean. Likely, your email list provider does as well.) If your domain registrar provides the ability to create new DNS entries, you could practically create a DMARC policy yourself. However, the registrar does need to support DMARC, meaning that you need an address for DMARC reports to be sent. Your registrar would have to provide that. (At least, that's the way CF does it.)

For the record, yes, it's probably better to have web hosting and domain registration with separate companies. My webhost is Bluehost. CF just handled cdn for me originally. I switched the registration to them because it made it easier to implement one of the email security features from before. I forget the details, but my old registrar didn't seem able to do it.

if your registrar is giving you grief, it is possible to transfer the registration to another company. It's basically as easy as reading instructions unless your current registrar is doing something weird. If you can't do DMARC for you, that's always an option.

[Post-Crisis D]

Alas, since my domain is hosted by a different company than my website--which is supposedly a best practice--I'm having trouble getting my domain registrar to understand what I am asking. I don't think the chatbot knows anything about DMARC. I authenticated my domain name a long time ago, but this DMARC thing is slightly worrying. An awful lot of people have gmail addresses.

The best practice is to not register your domain name with the same company that hosts your website.

The name servers used for your domain name should be your webhost's, not your domain name registrar's.  Some registrars will do domain forwarding and stuff like that, but it's fine to have your webhost do the DNS because you can always change the DNS settings for your domain name with your domain name registrar.

If your webhost handles the name servers for your domain, then they are the ones to ask about DMARC and other similar things.

If you domain name registrar is managing the DNS and forwarding domain requests to your webhost, they may not even be able to do anything with DMARC because the server(s) that handles your eMail is not theirs.

[alhawke]

I just received the email from mailerlite. They're requiring authentication with my website in order to send out emails to yahoo and gmail by feb 2024. The computer language is like a foreign language to me. 

As far as DMARC, I probably should set that up as well. According to Mailerlite, this will be required if your emails are sent out to over 5k readers.

The process seems simple but I don't know half of the words you guys are talking about^^

[LilyBLily]

I've copied down some of the info Mailerlite gave me but will have to remember where I actually did my DNS authentication, because I believe that location is where I'm supposed to do the DMARC. However, Mailerlite does not mention DMARC at all, and meanwhile someone has said that setting up DMARC causes a flood of useless emails.

Also, I have multiple domain names and emails although I only send newsletter emails from one source. So I wonder if I need to go through all this nonsense for all the domains? I have .net and .us and a couple more in addition to .com. Someone could spoof them and I'd never notice since I'm basically squatting on those names.

[Post-Crisis D]

Also, I have multiple domain names and emails although I only send newsletter emails from one source. So I wonder if I need to go through all this nonsense for all the domains? I have .net and .us and a couple more in addition to .com. Someone could spoof them and I'd never notice since I'm basically squatting on those names.

I would think you only need it for domain names associated with a mail server.

For example, if you have lilyblily.com and lilyblily.net and only use lilyblily.com to send eMail, then you should only need DMARC for lilyblily.com.  If there is no mail server for lilyblily.net, then if someone tries spoofing an eMail from lilyblily.net and the receiver's mail server uses DMARC, then the message would not go through because it would not be able to authenticate the mail as having come from the lilyblily.net mail server because there isn't one.

[Bill Hiatt]

I've copied down some of the info Mailerlite gave me but will have to remember where I actually did my DNS authentication, because I believe that location is where I'm supposed to do the DMARC. However, Mailerlite does not mention DMARC at all, and meanwhile someone has said that setting up DMARC causes a flood of useless emails.

Also, I have multiple domain names and emails although I only send newsletter emails from one source. So I wonder if I need to go through all this nonsense for all the domains? I have .net and .us and a couple more in addition to .com. Someone could spoof them and I'd never notice since I'm basically squatting on those names.

Mailerlite has an article on DMARC. https://www.mailerlite.com/help/the-basics-of-dmarc

Your authentication and verification should both be done from the domain used to send your emails. Your DNS entries will probably include an ml._domainkey. There should also be an entry beginning with "_globalsign-domain-verification=" and one with "v=spf1"  I got those when I first went through the Mailerlite process to ensure maximum deliverability.

DMARC only produces a lot of email if someone configures the DMARC entry to their own email address. The norm (if CF is any indication) is for the domain registrar (of the manager of the DNS name servers, as Post-Crisis-D said) to provide an email to which DMARC emails go. CF includes a utility for viewing them. But I guess other providers might function differently in that regard. The purpose of the email is to alert you if your emails get bounced, and on what basis. The reason Google and Yahoo want you to have is so that you can be aware if someone is trying to use your email to send messages you haven't authorized. Otherwise, you won't know. It could also be handy if your legit newsletter is getting bounced.

[EB]

I just received the email from mailerlite. They're requiring authentication with my website in order to send out emails to yahoo and gmail by feb 2024. The computer language is like a foreign language to me. 

As far as DMARC, I probably should set that up as well. According to Mailerlite, this will be required if your emails are sent out to over 5k readers.

The process seems simple but I don't know half of the words you guys are talking about^^

I just went through it today with Mailerlite and boy, it was a royal PIA. It took me several tries to get it right. Apparently there are different instructions depending on who hosts your domain.  And now that Google is transferring everything to Squarespace, it's even more fun.

I will say if you change one thing in your DNS, wait about 5 minutes to check if it worked. Don't change more than one thing at a time. I think I was bungling myself up changing more than one at once. 

[alhawke]

  Not looking forward to working on this. At least it's good to go for you.

[writeway]

My ML isn't 5,000 subscribers but I still added the DMARC to the DNS of my professional email address because I have a feeling that this will be the norm for everyone soon and I wanna have this already done. My advice is, I would set this up now regardless of how many subscribers you have. Also, some are confused by the 5,000. What they mean is if you send to 5,000 people in one day who all have Google and Yahoo then this is where you are affected. It's not just 5,000. The 5,000 people have to have Yahoo and Google emails. Many seem to think it's just for sending 5,000 emails to any 5,000 people.

This is why it's recommended to have a professional email address and not use a free one to do business. I was surprised to see so many authors using free email addresses for their author business and mailing lists. Companies have always frowned upon people sending bulk mailings with free email addresses, which is why I got a paid one a few years ago. Also, a professional email is less likely to get blocked or thrown into spam by companies. This often happens with free email addresses.

So while it's fine to use free email addresses for personal stuff I would highly advise anyone who does not have a paid email address to get one ASAP. You will have to with these new changes if you do a lot of bulk mailings. A paid email address is not expensive at all. You can get them for as little as $1 a month depending on who you use. I pay $4 a month for mine.

Tip: After adding DMARC to your DNS record, make sure you check the domain using a DMARC checker. Use several to be sure. If the DMARC is detected it means it's working.

[writeway]

I just received the email from mailerlite. They're requiring authentication with my website in order to send out emails to yahoo and gmail by feb 2024. The computer language is like a foreign language to me. 

As far as DMARC, I probably should set that up as well. According to Mailerlite, this will be required if your emails are sent out to over 5k readers.

The process seems simple but I don't know half of the words you guys are talking about^^

Don't be discouraged or scared. Many sites will walk you through it and if it's still intimidating for you then just reach out to your domain host and they will help you. If you haven't even checked your DNS settings you might already even have DMARC depending on who your domain host is. You definitely will already have SPF or DKIM or both because it's standard to have one of those automatically. But, yeah, don't be afraid to reach out to those you use and they should walk you through it or do it for you. But it is important so don't let fear stop you. As I said in my other comment, I have a feeling everyone will have to do this soon no matter how many subscribers they have as well as you don't know what other email companies (AOL, Outlook, etc.) who will start demanding these changes so best to be prepared so you don't have to deal with it later.

[alhawke]

I'm nearly complete with Mailerlite. But I also still use Mailchimp on occasion. Do I need to set up DMARC and authentication for mailchimp too? Is it possible to set this up for two different email providers with the same domain/website?

[Bill Hiatt]

I'm not certain what would happen. It could be as simple as email alerts being sent to two different places (depending on how the DNS entry is set up).

If you don't set up both, logic suggests that the Mailchimp one will produce DMARC alerts, since you have DMARC set up on the domain.

Again, though, I'm merely making an educated guess. 

[Post-Crisis D]

Is it possible to set this up for two different email providers with the same domain/website?

Yes, but I don't know how that would work for DMARC.

You can have multiple MX entries.  They are generally listed in priority.  So, if the first mail server is down or inaccessible, mail would be routed through the second listing.

So, if you had Mailerite as the primary and Mailchimp as the secondary (or vice versa), imagine mail gets sent from Mailchimp.  Here, I don't know how DMARC would factor in.  Does the receiving server check DMARC against the server being sent from (Mailchimp) or does it first check the primary mail server (Mailerlite)?  Because if it checks the first and the mail is coming from the second, the first is going to say "Nope, not us" and then DMARC would fail and your message wouldn't get delivered.

On the other hand, if DMARC does check with the server being sent from, then it would be okay.

I don't know what happens here as I haven't researched that particular setup.  I would imagine it could be done but each mail server would have to have the DMARC setup.  I would think that if your DNS lists a particular mail server (regardless of order), the receiving server is going to check the DMARC of the sending server, regardless of its priority in the MX records.  That would make the most sense and is most likely the case.

But I can't say for sure without digging into it more.

[alhawke]

I might just work with Mailerlite and call it a day. It just used to be nice to have a backup mail server.

I'm still gathering emails from Mailchimp from book signups. The trouble with setting up signups on your back matter is you have books from years back still routing to a particular older service. It doesn't matter if I authenticate or set up DMARC to receive sign ups, right?

[Bill Hiatt]

DMARC is about sent email. As far as I know, it wouldn't affect signups to your mailing list.

[Post-Crisis D]

DMARC may affect the confirmation eMail sent after someone signs up for your list.  Maybe?

[Bill Hiatt]

True, that does involve sending mail. But as long as things are properly configured, I wouldn't think it would be a problem.

[Wonder]

I just finished setting my DMARC records up. It looks like DMARC helps authenticate your emails as being actually from you, and it provides a reporting mechanism to you if someone has spoofed your domain and is sending out a lot of spam or phishing attacks. I figured it's worth doing, even though I'm not sending out 5000 emails at a time. It involves adding a TXT record to DNS settings wherever your custom domain is hosted.


Here's an example of a basic DMARC record, to comply with the new rules:

TYPE: TXT

HOST: _dmarc.mydomain.com

VALUE: v=DMARC1;p=none;


And here's an example of a DMARC record if you want to receive reports via email:

TYPE: TXT

HOST: _dmarc.mydomain.com

VALUE: v=DMARC1;p=none;rua=mailto:email@mydomain.com


I used my real domain, not mydomain.com, obviously. Also, my techie friend advised me NOT to use my regular email address for DMARC reports. That email address will be public and scrape-able, and it may attract spam. (How ironic!) So it's best to create a separate email for that purpose if you want to get reports. (I don't know what the reports look like or how often they're sent.)

Domain hosts may differ, so I can't promise these examples will work for you, but this is what I've learned so far.

Wonder

Mailerlite Info: https://www.mailerlite.com/help/the-basics-of-dmarc

[writeway]

I've only had my DMARC set for probably almost a week and sent only ONE mailing to my subscribers and getting reports every day. Already sick of 'em.  I'll see how this goes but if they get too much of a nuisance I might go change my settings to where I don't get reports. Can't understand them anyway. You need one of those sites to translate it for you. They have free DMARC sites that will translate your reports and send them to you.

[alhawke]

I can't get txt to work for domain align. A and MX record worked??
The requirement is for authentication, not DMARC by February. Right? My authentication worked.

[writeway]

I can't get txt to work for domain align. A and MX record worked??
The requirement is for authentication, not DMARC by February. Right? My authentication worked.

If you send to 5,000 or more people at a time who have Gmail or Yahoo mail then yes you have to have DMARC. If you send less than that number you have to have SPF or DKIM or both. I went on and set up DMARC even though I didn't need to because I have a feeling this might end up being a policy for everyone one day. SPF was already set up through my email provider.

[Shoe]

I'm just now getting around to setting up DMARC for my newsletters. It looks like you've all already taken care of your DMARC situations, so forgive me please if it's a tired subject.

My domain was purchased through Google Domains several years ago (I don't even remember where to go to manage it). I don't use it for anything other than setting up my email newsletters with Mailerlite, and it gives me a "sent from" address when mailing. Has anyone here with a Google Domains domain been through the ropes setting up their DMARC's? Anything I should know before diving in?

Thanks for any replies.

[TimothyEllis]

I have no idea what any of this is, but I guess it explains why so many of the forum emails are being rejected now.

[Bill Hiatt]

Oh, maybe.

I forget how the forum is hosted, but your host probably has a guide for setting up DMARC somewhere. It doesn't end up being that hard to do. I suppose it might be a little more complicated in this case because the forum emails aren't sent through a newsletter provider. Those companies also have instructions for handling DMARC.