What is DMARC and how does it affect our Oracle Service Cloud site?
Domain-based Message Authentication, Reporting and Conformance (DMARC)
DMARC is a technical specification designed to give domain owners the ability to protect their domain from unauthorized use. DMARC provides the ability for an organization to publish a policy that specifies which mechanism (DKIM, SPF, or both) is employed when sending email from that domain. It also informs how the receiver should deal with failures and provides administrators a reporting mechanism to monitor that activity.
Overall, users can benefit from implementing DMARC in the reporting it provides while simultaneously improving your domain's reputation. If your organization does choose to implement DMARC, be sure that your messages have "identifier alignment" (more on that below) as it will be necessary to pass DMARC checks. Please note, this is a general email specification and not unique to Oracle Service Cloud. However, considerations should be made as implementing DMARC can impact the deliverability of email messages.
DMARC Policy Levels
DMARC policies can be set at three levels:
- Monitor policy: p=none
A policy value of NONE indicates the receiver should not take any special action with the emails sent.The email proceeds into the inbox / folder of the receiver and the data in DMARC reports can be used to start analyzing who is sending emails on your behalf. After some good analysis, the policy can be moved up to QUARANTINE.
- Quarantine policy: p=quarantine
A policy value of QUARANTINE indicates email receivers should put emails in special ‘quarantine’ folders like junk/spam. Data in DMARC reports should still be analyzed to check who is sending email on behalf of your domain in order to address any outstanding issues prior to proceeding to the next level.
- Reject policy: p=reject
A policy value of REJECT indicates email receivers should reject all emails that fail the DMARC check. Messages will bounce and will not end up in any folder of the receiver. While this policy provides the most strict control, be aware this will also block emails that are sent from your domain by vendors that have not been specifically whitelisted. For example, if you use third party senders like Oracle Service Cloud or Email Service Providers and did not expressly configure permission to send on your behalf, their emails will bounce.
It is highly recommended when implementing DMARC to start with a less strict policy so that reports can be monitored and legitimate senders of your mail can be identified. Setting a REJECT policy without fully vetting out the legitimate senders of your email can cause severe business impact. If mail from Oracle Service Cloud shows on reports as failing DMARC checks, please review the below answers in our knowledgebase in order to properly configure SPF and DKIM.
DMARC operates by checking that the domain in the message From: field (also called "5322.From") is "aligned" with other authenticated domain names. If either SPF or DKIM alignment checks pass, then the DMARC alignment test passes.
Alignment may be specified as strict or relaxed. For strict alignment, the domain names must be identical. For relaxed alignment, the top-level "Organizational Domain" must match. To understand alignment, you need to understand the differences between From Domain and the Mail From domains:
- "Mail From" is also known as Return path address, bounce address, envelope from or envelope sender
- "From domain" is also known as header from
SPF Alignment is the alignment of two headers which are evaluated during SPF validation testing, at which point the server that received the email will compare two headers in the email which are:
1.The <From:> domain
2.The RFC5321.MailFrom / Return Path domain
For Reference: https://mxtoolbox.com/dmarc/spf/spf-alignment
DKIM Alignment is performed in order to verify the authenticity of the domain sending the email by using two signatures found in the message where the sender's domain is present:
1. The <From:> domain
2. The DKIM domain (d= tag) from the DKIM-Signature header
For Reference: https://mxtoolbox.com/dmarc/dkim/dkim-alignment
For more information on DMARC see https://dmarc.org/resources/specification/