The advent of DMARC (Domain-based Message Authentication, Reporting and Conformance) enables businesses to thwart email spoofing attacks and improve email deliverability. A DMARC implementation with a p=reject policy not only blocks all unauthorized emails sent from a domain, but also delivers 100% of legitimate emails to the user's inbox.
Right? Well, not really. At least not 100%, when the email goes through an indirect mailflow.
What is an indirect mailflow? Here is a quote from the ARC Specification for Email:
When an email sender or Internet domain owner uses email authentication to make it easier to detect fraudsters sending messages that impersonate their domain, some services like mailing lists or account forwarding may cause legitimate messages to not pass those mechanisms, and such messages might not be delivered. These services may be referred to as intermediaries because they receive a message, potentially make some changes to it, and then send it on to one or more other destinations. This kind of email traffic may be referred to as an indirect mailflow.
Simply put, when an email routes through intermediary servers before it is delivered to its final destination, that is an indirect mailflow; when an email is delivered without passing through any intermediary, that is a direct mailflow.
So how does an indirect mailflow affect the deliverability of legitimate emails? Before an email leaves an intermediary, the intermediary may alter the subject or content of the email, which causes DKIM validation to fail. For example, a forwarding service might prepend "FW: " to the subject of the email. What's more, the intermediary's IP address is different from that of the source email server, so SPF validation also fails if the intermediary's IP address is not allowed by the SPF record. When both DKIM and SPF fail to authenticate, DMARC authentication fails too.
Okay. So how can we fix this problem? Authenticated Received Chain (ARC) is designed specifically to address this issue. Per the ARC Specification for Email:
ARC preserves email authentication results across subsequent intermediaries (“hops”) that may modify the message, and thus would cause email authentication measures to fail to verify when that message reaches its final destination. But if an ARC chain were present and validated, a receiver who would otherwise discard the messages might choose to evaluate the ARC results and make an exception, allowing legitimate messages from these indirect mailflows to be delivered.
That is, even though an indirect mailflow causes an email to fail DMARC authentication, an ARC-enabled receiving server can still check whether a preserved positive authentication result is available, and if so, it can treat the email as authenticated despite the DMARC failure.
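The following script is an added example, not code from the original post or from the ARC specification. It models both halves of the discussion above: why forwarding breaks SPF and DKIM (and therefore DMARC), and how a receiver that trusts the forwarder's ARC seal can make an exception. HMAC with a shared key stands in for the real DKIM and ARC public-key signatures so the script runs offline, and the canonicalisation is reduced to subject plus body; the domains, IP addresses and keys (`example.com`, `forwarder.example`, `192.0.2.10`, `198.51.100.20`, `203.0.113.5`) are constructed for the example. It also shows two caveats the text implies: ARC only preserves a result the intermediary actually observed, so relaying a spoofed message gains nothing, and an ARC set sealed with a key the receiver does not trust is ignored.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# All keys, domains and IP addresses below are constructed for this example.
# HMAC stands in for the real DKIM/ARC public-key signatures so the script runs
# offline; canonicalisation is simplified to "subject + body".
SPF_RECORDS = {"example.com": {"192.0.2.10"}}        # IPs example.com's SPF allows
DKIM_KEYS = {"example.com": b"example.com-dkim-key"}  # sender's DKIM key (hypothetical)
FORWARDER_IP = "198.51.100.20"                        # intermediary, not in sender's SPF
TRUSTED_ARC_SEALERS = {"forwarder.example": b"forwarder-arc-key"}  # receiver's ARC trust list

@dataclass
class Message:
    from_domain: str
    subject: str
    body: str
    connecting_ip: str
    dkim_signature: bytes = b""
    arc_sealer: str = ""                             # intermediary that added the ARC set
    arc_results: dict = field(default_factory=dict)  # mirrors ARC-Authentication-Results
    arc_seal: bytes = b""                            # mirrors ARC-Seal

def _dkim_digest(msg: Message, key: bytes) -> bytes:
    return hmac.new(key, f"{msg.subject}\n{msg.body}".encode(), hashlib.sha256).digest()

def dkim_sign(msg: Message) -> None:
    msg.dkim_signature = _dkim_digest(msg, DKIM_KEYS[msg.from_domain])

def dkim_verify(msg: Message) -> bool:
    key = DKIM_KEYS.get(msg.from_domain)
    return key is not None and hmac.compare_digest(_dkim_digest(msg, key), msg.dkim_signature)

def spf_check(msg: Message) -> bool:
    return msg.connecting_ip in SPF_RECORDS.get(msg.from_domain, set())

def dmarc_check(msg: Message) -> bool:
    # Simplified DMARC: pass if SPF or DKIM passes for the From: domain.
    return spf_check(msg) or dkim_verify(msg)

def _arc_seal_input(sealer: str, r: dict) -> bytes:
    return f"{sealer}|spf={r['spf']}|dkim={r['dkim']}|dmarc={r['dmarc']}".encode()

def forward(msg: Message, sealer: str, arc_key: bytes) -> Message:
    """Intermediary: record what it verified, then modify and relay the message."""
    results = {"spf": spf_check(msg), "dkim": dkim_verify(msg)}
    results["dmarc"] = results["spf"] or results["dkim"]
    fwd = Message(msg.from_domain, "FW: " + msg.subject, msg.body, FORWARDER_IP,
                  dkim_signature=msg.dkim_signature, arc_sealer=sealer, arc_results=results)
    fwd.arc_seal = hmac.new(arc_key, _arc_seal_input(sealer, results), hashlib.sha256).digest()
    return fwd

def arc_verify(msg: Message) -> bool:
    """Receiver: accept the ARC set only if sealed by an intermediary it trusts."""
    key = TRUSTED_ARC_SEALERS.get(msg.arc_sealer)
    if key is None or not msg.arc_seal:
        return False
    expected = hmac.new(key, _arc_seal_input(msg.arc_sealer, msg.arc_results), hashlib.sha256).digest()
    return hmac.compare_digest(expected, msg.arc_seal)

def receiver_decision(msg: Message) -> str:
    if dmarc_check(msg):
        return "deliver: dmarc=pass"
    if arc_verify(msg) and msg.arc_results.get("dmarc"):
        return "deliver: dmarc=fail, arc=pass (exception for indirect mailflow)"
    return "reject: dmarc=fail, no usable arc chain"

def demo() -> dict:
    original = Message("example.com", "Quarterly report", "Numbers attached.", "192.0.2.10")
    dkim_sign(original)
    forwarded = forward(original, "forwarder.example", TRUSTED_ARC_SEALERS["forwarder.example"])
    spoofed = Message("example.com", "Quarterly report", "Pay this invoice.", "203.0.113.5")
    # Honest forwarder relays a spoof: it records dmarc=fail, so ARC gives no exception.
    relayed_spoof = forward(spoofed, "forwarder.example", TRUSTED_ARC_SEALERS["forwarder.example"])
    # ARC headers added with a key the receiver does not trust are simply ignored.
    forged = forward(spoofed, "forwarder.example", b"not-the-forwarder-key")
    forged.arc_results["dmarc"] = True
    return {
        "direct": receiver_decision(original),
        "forwarded": receiver_decision(forwarded),
        "spoofed": receiver_decision(spoofed),
        "relayed_spoof": receiver_decision(relayed_spoof),
        "forged_arc": receiver_decision(forged),
    }

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:>14}: {verdict}")
```

Running the script delivers the direct message on a DMARC pass, delivers the forwarded copy only because the trusted forwarder's seal covers a recorded dmarc=pass, and rejects the spoof in all three forms. The design point is that the receiver's trust list of ARC sealers is doing the real work: a seal is only as meaningful as the intermediary that produced it.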