[This article was originally published in August 2018 but still attracts a lot of interest, which is why we are republishing it.]
Apple announced in July 2018 that they are switching their DMARC policy from “p=none” to “p=quarantine” on the following domains:
- mac.com
- me.com
- icloud.com
What does this mean?
If you send mail from these domains outside of Apple’s network you will see delivery issues.
Al Iverson of Spam Resource reports that: “If you have an email address in these domains, your ability to send outbound mail using an email service provider or other, non-Apple email platform to send mail, deliverability won’t look so good. Mail may not be blocked outright (Apple didn’t move to “p=reject”) but moving to “p=quarantine” means it’s much more likely that your mail could end up in the spam folder.”
What is DMARC?
DMARC stands for Domain-based Message Authentication, Reporting and Conformance. Like SPF and DKIM, DMARC is an email validation method designed to detect and prevent email spoofing (it discourages people from using your domain without your permission). DMARC goes one step further, however, in that it allows the sender to control what happens to email that does not pass DMARC.
How Does it Work?
DMARC builds on alignment of the From domain with SPF and DKIM authentication, but adds a reporting function between the sender and receivers to improve and monitor protection of the domain from fraudulent email.
DMARC is unique in that it lets the sender tell the receiver what to do if a message does not pass DMARC: “None” (do nothing), “Quarantine” (send it to the Junk folder) or “Reject” (block it). This removes some of the guesswork from the receiver’s handling of failed messages, while limiting or eliminating the user’s exposure to potentially fraudulent and harmful messages. DMARC also provides a way for the receiver to report back to the sender about messages that fail DMARC. Senders can now see a report of who is using their domain without permission.
Yahoo and AOL were the first large email providers to apply a DMARC policy of “Reject”, back in April 2014. They both changed their DMARC policy to ask all mail services to reject email claiming to come from their domains.
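The alignment check and policy decision described above, as an added example that is not part of the original article. It is a simplified sketch of a receiver's DMARC evaluation: the records, the `esp.example` domains and the two-label organizational-domain shortcut are assumptions made for illustration, and the record is assumed to be the one published for the From domain.

```python
# Added example: simplified DMARC evaluation, not a full RFC 7489 implementation.

def parse_dmarc(record: str) -> dict:
    """Parse a DMARC TXT record into a tag dict; raise if it is not DMARC1."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    return tags

def org_domain(domain: str) -> str:
    # Assumption: organizational domain = last two labels. Real receivers
    # use the Public Suffix List, so this is wrong for e.g. example.co.uk.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict ('s') needs an exact match; relaxed ('r') matches org domains."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def evaluate(record, from_domain, spf_pass, spf_domain, dkim_pass, dkim_domain):
    """Return 'pass', or the disposition the domain owner requested."""
    tags = parse_dmarc(record)
    spf_ok = spf_pass and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_pass and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    return tags["p"].lower()  # none, quarantine or reject

# Constructed record modelled on the policy change described in this article.
RECORD = "v=DMARC1; p=quarantine; rua=mailto:reports@example.invalid"

# Constructed case 1: icloud.com From address sent through a third-party
# service. SPF and DKIM both pass, but only for the service's own domains.
via_esp = evaluate(RECORD, "icloud.com", True, "bounce.esp.example", True, "esp.example")
# Constructed case 2: the same address sent through the mailbox provider itself.
via_apple = evaluate(RECORD, "icloud.com", True, "icloud.com", True, "icloud.com")
# Constructed case 3: sender uses its own domain, DKIM-signed on its behalf.
own_domain = evaluate("v=DMARC1; p=none", "maggiescupcakes.com",
                      True, "bounce.esp.example", True, "mail.maggiescupcakes.com")
```

Case 1 fails even though SPF and DKIM both pass, because neither authenticated domain aligns with the From domain; that is the delivery problem this article describes.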
What can you do?
The best course of action is to start using your own domain name. If you don’t own your own domain, it’s time you did. The best way to avoid being affected by changes like these in the future is by using your own domain when you send email, and is something we’ve always recommended.
If people sign up at www.maggiescupcakes.com, the email should come from an email address that ends in @maggiescupcakes.com (not an @Aol, @icloud or @yahoo address).
By using your own domain, you have full control. You validate it once and you are on your way. No more worrying about ISPs affecting your delivery by changing their DMARC policies.
Why is Apple doing this?
When malevolent people impersonate a brand, such as Apple’s, in an attempt to get your personal details, it’s abuse plain and simple, and it can lead people to think the email they’re looking at is real. DMARC is one of the ways receivers can check whether the sender is really who they say they are and thus prevent spoofing.
Visit https://dmarcian.com/dmarc-what for more details on what DMARC is and what it does to identify the sender.
My email is with Gmail (or Hotmail), are they going to be doing this too?
While they both have DMARC records in place, Gmail and Hotmail (Outlook) are not set to block anyone just yet. Gmail had said they would change to a “Reject” policy in 2016, but everyone is still waiting. While Yahoo, AOL and Apple may have been the first to take concrete action by changing their DMARC policies, it’s only a matter of time before the others follow suit. Here is a current list of domains currently deployed with a “p=reject” DMARC policy:
- yahoo.*
- ymail.com
- rocketmail.com
- aol.com
- adp.com
- aetna.com
- airbnb.com
- americanexpress.com
- aexp.com
- americangreetings.com
- applemusic.com
- box.com
- britishairways.com
- chase.com
- jpmchase.com
- citibank.com
- dhl.com
- evernote.com
- facebook.com
- fedex.com
- gap.com
- groupon.com
- instagram.com
- linkedin.com
- oldnavy.com
- paypal.com
- pinterest.com
- pch.com
- rollingstone.com
- squarespace.com
- twitter.com
- ups.com
- ftc.gov
- senate.gov
- usps.gov
- usaa.com
- wachovia.com
- wellsfargo.com
- whatsapp.com
What impact is this going to have on me?
I did a test back in 2015 using our Cakemail servers from a @Yahoo address and it was clear DMARC was well on its way. I sent a sample mailing to over 600 test accounts all over the world and at the time over 56% of the mail sent to the United States went missing (32.2% worldwide).
The list of ISPs that showed 100% block were:
- Gmail
- Yahoo (worldwide)
- Hotmail/Outlook
- AOL
- ATT
- Rogers
- Bellsouth
- British Telecom
- Comcast
- CompuServe
- Netscape
- SBC
- Cantv.net
I decided to repeat this test again today and the results were virtually the same in 2018, with the exception of 100% now missing at Apple’s 3 domains.
For a list of recommendations on using your own domain.
Bye for now,
Kevin