DMARC-Compliant Messaging in NetSuite

DMARC (Domain-based Message Authentication, Reporting and Conformance) is an anti-spoofing technology that makes it possible for domain owners to use the Domain Name System (DNS) to inform receiving servers of their DMARC policy. This policy specifies how the domain owner wants the receiving mail server to handle messages claiming to be sent from their domain, but cannot be authenticated as having originated from that domain. DMARC has become a widely-recognized standard and is being implemented by major ISPs and mail service providers. This is a positive move and will go a long way to enhancing the email reputation of commercial organizations. This topic explains how DMARC works. Links to information and resources about setting up a DMARC policy for incoming and outgoing mail messages are provided.

How Does DMARC work?

DMARC is a policy layer that sits on top of two email authentication technologies known as SPF and DKIM.

• SPF is used to authenticate the origin of an email. Does this mail originate from where it says it does?

• DKIM looks at authenticating the message content. Is this the same message as the one which the sender sent-has it been tampered with?

DMARC looks at authentication from an end-user perspective and tries to answer the most commonly posed question, whether the FROM name that users see in their inbox is authentic and originates from the domain it claims to be. DMARC uses the FROM address as the basis for performing what is known as an alignment check against SPF and DKIM.

DMARC works by testing and enforcing an alignment check on the incoming mail’s SPF and DKIM headers against the From domain in the mail header (known as RFC5322.From.)

For more information about DMARC, go to dmarc.org. DMARC requires that only one authenticated identifier (either SPF or DKIM) needs to match the From domain to be considered in alignment. While visiting the DMARC website, you may want to read the following articles:

• DMARC and the Email Authentication Process section of the Overview page. dmarc.org/overview.

• How Many From: Addresses Are There?

How is email handled in NetSuite?

If you have enabled the Capture Email Replies feature, a special reply to address, generated by NetSuite, is added to your email message. This address is used by NetSuite to log the communication when a customer replies to you. First the message is routed to NetSuite, where it is recorded in the system, and then it is forwarded to your regular email address (the one specified in your User Preferences). This process is done seamlessly by NetSuite.

With DMARC alignment, forwarded email in NetSuite may cause an alignment check failure. This is because if the NetSuite SMTP IP addresses are not recorded in the originating domain owner’s SPF record, the SPF alignment check in DMARC will fail. The DKIM alignment check will also fail in situations where NetSuite does not have access to the domain owner’s private key. If either of these two checks fail, it will not pass DMARC because at least one authentication method needs to be aligned for it to pass the mail.

Note:

For information about how to ensure that email you send reaches the intended recipients, see Email Best Practices.

Consider setting up a DMARC policy record for your company’s entire email infrastructure.

Important:

Setting up a DMARC policy affects the entire email infrastructure of your company. The administrator responsible for your company’s email infrastructure should be involved in setting up a DMARC policy record with your domain provider. Consider carefully how strong a policy to implement as it may have consequences. For example, if you use the optional rua tag, it might consume some of your company’s email resources, depending on the volume of received reports.

See also Domain-based Message Authentication, Reporting and Conformance (DMARC).

Both DKIM and DMARC policy records must be published for email messages to be recognized as DMARC-compliant. See DomainKeys Identified Mail (DKIM).

In the past, messages forwarded by NetSuite from Yahoo and some of the larger ISPs and mail service providers could fail DMARC alignment. Because Yahoo does not include NetSuite on its SPF record, nor is it possible to have their private key for DKIM authentication, forwarded email is not able to pass DMARC. In these cases, the sending domain is overwritten. See FROM Headers in Email Can Be Rewritten.

Note:

This is only the case for inbound forwarded mail. Outbound mail in NetSuite is unaffected, if the account owner has full control of DKIM signing, and DKIM has been configured correctly.

For more information about DMARC:

• Go to https://dmarc.org/overview. You may find the Anatomy of a DMARC resource record and How Senders Deploy DMARC in 5-Easy Steps sections of that page particularly helpful. See also the DMARC specification, RFC 7489.

• See also the DMARC specification, RFC 7489

Related Topics

• DomainKeys Identified Mail (DKIM)
• Opportunistic TLS and NetSuite Email
• Size Limits for Emails and Attachments
• Email Blocklists and Spamlists

General Notices