We have taken many steps to protect our users from common attacks such as spoofing or phishing. However, such emails might still find their way to your inbox. While we do have conventional protections and other measures in place, they sometimes fall short. We have therefore decided to enforce DMARC policy of senders. Read more about Mailfence DMARC enforcement strategy below.
What is DMARC?
DMARC stands for “Domain-based Message Authentication, Reporting & Conformance”. It allows senders to define a policy, for their domain, on what receiver should do when SPF and/or DKIM fails. DMARC also checks if messages Header-FROM field is aligned with the SPF and DKIM checks (*). Domain owners can also receive aggregated and/or forensic reports from receiver service, essentially listing a summary of DMARC results for their domain (**). This allows domain owners to make necessary changes for passing legitimate senders, or to see where malicious emails may be coming from.
When DMARC fails, based on the sending domain policy, the message is quarantined in your spam folder or rejected. When DMARC is enforced by receiver side, users can be protected from phishing, spoofing and other kind of unwanted emails.
Mailfence now enforces DMARC policy of senders
To ensure that users of Mailfence can also utilize, among others, the anti-impersonation and anti-phishing benefits of DMARC, we have decided to start enforcing DMARC policy of senders.
Why did Mailfence not enforce DMARC before?
There are several reasons. Firstly, the adoption of DMARC policy (alongside with SPF and DKIM checks) was slow. Secondly, a large number of domains opted for monitoring mode (p=none) and did not switch to an actionable DMARC policy. Thirdly, to avoid losing legitimate emails failing DMARC due to implementation error on sending side or when coming from a mailing list (using old or not adapted software).
What exactly will happen to emails I receive?
If DMARC check fails, the email will be placed in your spam folder. We presently do not refuse DMARC-failed emails when the policy of sending domain is reject, to compensate possible implementation errors (on sending side).
This will change once we see enough senders with no DMARC-failures due to implementation errors.
What if I whitelist a sender address?
The DMARC-failed email from whitelisted sender address will arrive in your inbox folder. In such case, please be aware of the possible risk of getting malicious DMARC-failed emails directly in your inbox.
Notes
(*) Sender DMARC policy is enforced by only checking whether SPF or DKIM check passes. We do plan to support Header-FROM field alignment check.
(**) Sending DMARC aggregated and/or forensic report is not supported.
Mailfence’s DMARC policy
Mailfence has defined its own DMARC policy as ‘quarantine’. This means that, if the DMARC check fails, mail servers at the recipient side should put email to the recipient’s spam folder. This reduces phishing, spoofing or other forms of impersonation attacks. Similarly, it also contributes in maintaining our domain name reputation.
We could have set up the policy as ‘reject’. However, this could negatively impact the delivery of legitimate emails. For example, a message might fail DMARC if it is sent to a mailing list (using old or not adapted software) relaying the message to all participants. This might change in the future, with the uptake of DMARC and DKIM support, along with ARC.
Custom domain owners are also encouraged to define the DMARC policy for their domain.
Feel free to share your feedback and report any issue concerning Mailfence DMARC enforcement strategy.
We thank you for your support. Learn more about Mailfence on our press page.
