
Sending DMARC Authenticated Mail

Overview

Some emails are not sent and show errors related to DMARC policies. This article gives a high-level overview of DMARC and explains how to configure ListManager to send DMARC-compliant mail.

Information

Background

On April 4th, 2014, Yahoo implemented a new standard for email authentication known as DMARC. The new standard is designed to help protect Yahoo mail users' addresses from unauthorized use and to help block fake or "spoofed" mail that doesn't originate from Yahoo. Unfortunately, it also stops the delivery of mail that would previously have been considered authorized: mail sent on behalf of Yahoo mail users via non-Yahoo servers.

What is DMARC?

Domain-based Message Authentication, Reporting & Conformance—or DMARC—is the most recent addition to the list of email authentication protocols. It builds on two existing and widely deployed frameworks, the Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) protocols. DMARC is essentially a policy and reporting layer on top of DKIM and SPF.

Reporting

The reporting side means that DMARC-enabled receivers will tell you:

  • How many messages they’ve received using your internet domain in the "from:" address.
  • Where these messages came from.
  • Whether these messages passed DKIM and SPF checks.

This is incredibly useful to organizations introducing email authentication, and allows them to see if any criminals are impersonating them.

Policy

The policy side of DMARC lets the domain owner request particular handling of messages that use their domain in the from address, but don’t pass either DKIM or SPF. In other words: If somebody uses your domain but fails authentication, what action should the inbox provider take? You can ask that:

  • No action be taken.
  • The failing messages be quarantined.
  • The failing messages be rejected.

Address Alignment

DMARC introduces one additional factor, known as address alignment. DKIM and SPF each authenticate a particular domain name for each message. With SPF this is the domain within the “bounce address,” more precisely the RFC5321.MailFrom. With DKIM this is a domain that’s included in the cryptographic signature that DKIM attaches to the message. Under DMARC, these domains must match (or be “in alignment” with) the domain of the address in the "from" header. This is what we call address or domain alignment.

Solution

We recommend that you start from the official DMARC website and ask your IT Operations team to implement the DMARC framework.

On the ListManager side, the following steps need to be taken:

  1. Determine mail type
      • Log into the ListManager UI as admin
      • Navigate to the incoming queue of the list you are interested in 'Mailings : Mailing Status : Mail Queues : Incoming'
      • Click on the ID of a recent mailing
      • Under the 'Advanced' section, you will find two fields called 'Type' and 'Sent by email'
      • For emails sent from the ListManager web interface, the type will show as "admin-send" and sent by email will show "No"
      • Emails sent from an external source to a ListManager list (discussion groups) will show type "unknown" and sent by email as "Yes"
      • You could also see 'Type: triggered'; this is for automated triggered messages
  2. Configure DMARC for UI sent mail
  3. Configure DMARC for email submitted content (discussion groups)

Discussion Groups

Discussion group members send mail from their own email clients to ListManager as email submitted content, so any email from an external mail server user that is processed through ListManager will run into this problem.
 
ListManager discussion groups are considered a potential sender on behalf of AOL or Yahoo addresses, with mail originating from outside each respective ISP.  Mail sent on behalf of AOL or Yahoo mail users to DMARC-compliant domains will be rejected by those domains unless the mail passes SPF and/or DKIM authentication checks and the domain(s) used in those checks match aol.com or yahoo.com, respectively - but some discussion group mail will not meet those criteria.  As such, legitimate senders will be challenged by this change and forced to update how they send mail. 
 
In accordance with these ISPs' recommendation for listservs, the following steps modify mail sent from a member's mail account to a ListManager server's discussion group so that the sender's address is overwritten with the address of the list itself, which removes the requirement that the mail be sent directly from that ISP's server. To still tell who a message came from in the discussion group, you can merge in the sender's name and email address. Follow the steps below:
  • Navigate to Utilities : List Settings : Email Submitted Content and choose the "Header Rewrites" tab. 
  • Update the "From" field so that the email address of the actual sender is used as the "friendly name" and the list email address, with the domain of your ListManager server, is used as the address, as follows:

 "%%merge inmail_.HdrFromSpc_%%" <%%email.list%%>

NOTE: If you have a large number of discussion lists on your server, you may need to write an SQL query to modify the value of the SMTP From_ column of the lists_ table which will make this change across a large number of lists.
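
The alignment check described under Address Alignment, applied to a discussion-group post before and after the "From" rewrite above. This is an added example, not ListManager or vendor code; the domain lists.example.org, both sample DMARC records, the two-label organizational-domain shortcut and all function names are assumptions made for the illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed stand-in for _dmarc.<domain> TXT lookups; both records are sample values.
DMARC_TXT = {
    "yahoo.com": "v=DMARC1; p=reject",
    "lists.example.org": "v=DMARC1; p=quarantine; adkim=r; aspf=r",
}

def org_domain(domain):
    # Assumption: the organizational domain is the last two labels.
    # Real receivers derive it from the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    # mode "s" = strict (exact match), "r" = relaxed (same organizational domain)
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def parse_record(txt):
    pairs = (part.split("=", 1) for part in txt.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def evaluate(raw_msg, mail_from, spf_pass, dkim_pass_domains):
    """Return 'pass', or the handling the From domain's policy requests."""
    from_addr = parseaddr(message_from_string(raw_msg)["From"])[1]
    from_domain = from_addr.rpartition("@")[2].lower()
    txt = DMARC_TXT.get(from_domain) or DMARC_TXT.get(org_domain(from_domain))
    if txt is None:
        return "no-policy"
    rec = parse_record(txt)
    spf_ok = spf_pass and aligned(mail_from.rpartition("@")[2], from_domain, rec.get("aspf", "r"))
    dkim_ok = any(aligned(d, from_domain, rec.get("adkim", "r")) for d in dkim_pass_domains)
    return "pass" if spf_ok or dkim_ok else rec.get("p", "none")

# Constructed discussion-group post as the list server relays it: SPF passes for the
# list's bounce domain and only the list's own DKIM signature verifies.
RELAY = dict(mail_from="bounce-1@lists.example.org", spf_pass=True,
             dkim_pass_domains=["lists.example.org"])
BEFORE = "From: Alice <alice@yahoo.com>\nSubject: hi\n\nbody\n"
AFTER = 'From: "alice@yahoo.com" <discuss@lists.example.org>\nSubject: hi\n\nbody\n'

def demo():
    return evaluate(BEFORE, **RELAY), evaluate(AFTER, **RELAY)

if __name__ == "__main__":
    print(demo())
```

Both SPF and DKIM pass in each case; only the domain in the "From" header changes, which is what moves the result from the sender domain's requested handling to a pass.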

Sending to AOL

Also, if the "reply to" is set to AUTHOR, this will not work when sending mailings to AOL, as their DMARC rules are different. They check whether the "reply-to" and the "from" addresses are the same. If they are not, AOL will reject the message with a 521 error such as the one below:

<-- 250 2.1.0 Ok
--> RCPT TO:<Jonh.Smith@aol.com>
<-- 250 2.1.5 Ok
--> DATA
<-- 354 End data with <CR><LF>.<CR><LF>
--> (message body)
--> [sent entire message body]
<-- 521 5.2.1 : AOL will not accept delivery of this message.

The workaround would be to remove the "AUTHOR" from the "reply to:".
Be sure to include the brackets (< >).
 

  1. Priyanka Bhotika
