Solution Architecture
December 21, 2022

The Email Deliverability Academy: DMARC as the Head Mistress

Your step-by-step guide for optimal email deliverability.

When one learns to dance, they learn steps. Some steps are foundational; they are basics. If you wanted to learn, say, ballet, you would first learn a few simple moves — plié, relevé and sauté. These basic moves would then allow you to learn more sophisticated moves, and, eventually, stitch them together in a magnificent display of your dancing prowess.
Although ensuring email deliverability is en pointe is not as artistic as ballet, it still requires a commitment to following the proper steps. Getting Domain-based Message Authentication, Reporting and Conformance (DMARC) in place gives businesses that final flourish that makes the whole routine gel.


Taking the Right Steps

Just as with ballet, ensuring email deliverability is a process. Every link in the chain must be dialed in to get the desired result. Salesforce Marketing Cloud users want to know that they are corresponding securely, so taking the right steps to button up email deliverability is essential.
In a nutshell, there are four steps businesses need to follow to make sure emails are getting delivered: test deliverability and allow a Salesforce IP, set up Sender Policy Framework (SPF), create a DomainKeys Identified Mail (DKIM) key and, finally, set up an email authentication protocol, a.k.a. DMARC.

Step 1

Testing deliverability will show which IPs are working. Once an email is sent via Salesforce, it is funneled through one of Salesforce’s numerous IP addresses. However, the intended receiver may have one or more of those IPs blocked.

Knowing whether the person you’re trying to send an email to has all Salesforce IPs blocked can be tricky. By testing your deliverability — i.e., sending yourself an email from each of Salesforce’s IPs — businesses gain useful insight into which IPs are working, thereby increasing their confidence that their email will reach its intended target.

Salesforce IPs are ratified by regulatory agencies. Allowing Salesforce IPs prevents bad actors from redirecting internet traffic to errant sites. As a result, businesses need to stay up-to-date on Salesforce’s catalog of IP addresses.  

Step 2

Next, businesses need to get SPF in place. This process verifies which providers can send emails on a business’s behalf. Doing so will detect forged sender addresses in emails, also called spoofing. Because SPF makes it difficult for senders to mask their identity, this step cuts down on fraud and spam.

Businesses that send emails with a unique domain from a Salesforce app can create an SPF record. That record allows Salesforce mail servers to authorize the unique domain, which means the email recipient can check the domain to tell if it’s valid. Validating using the SPF record in this manner bolsters the chance that an email will be delivered.

Step 3

Creating a DKIM key lets Salesforce sign outbound emails sent on your company’s behalf. These signatures give recipients confidence that the email was handled in a way that’s consistent with your company.

This process is fairly straightforward, but some considerations merit mentioning. For instance, companies setting up a DKIM key need to be aware of industry-specific security regulations as well as the limitations of the email recipient. Further, if you use the alternate selector, Salesforce automatically alternates keys to prevent the keys being compromised by hackers.

Step 4

DMARC is a protocol that authenticates emails. It layers over SPF and DKIM, and, if either of those protocols is unable to authenticate an email, DMARC governs what happens to the message. Essentially, DMARC is a second layer of authentication.

While SPF and DKIM perform this function, email environments are convoluted. Businesses send email from various systems, including third-party providers, which often change. For example, DMARC can opt to send some messages and quarantine others if some pass muster and others don’t.

Further, if emails fail their DKIM or SPF checks — even if they aren’t rejected — DMARC allows the receiver to report back to the sender. That way, senders can get a handle on how many legitimate messages are going unauthenticated, allowing them to work with receivers to troubleshoot future messages. Reporting empowers senders to suss out fraud and to change their approach.
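
To make the policy and reporting behaviour described above concrete, the following Python example is added here; it is not code from the original article or from Salesforce. It parses a DMARC TXT record and decides what a receiver would do with a message, following RFC 7489 (a message passes DMARC when at least one of SPF or DKIM passes for a domain aligned with the From domain). The records, domains and function names are constructed for illustration, and relaxed alignment is approximated without the Public Suffix List.

```python
def parse_dmarc(txt):
    """Parse 'v=DMARC1; p=...' into a dict of tags; raise ValueError if malformed."""
    tags = {}
    for part in txt.split(";"):
        if not part.strip():
            continue
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        tags[key.strip().lower()] = value.strip()
    # v= must be the first tag and p= is mandatory in a policy record
    if not tags or next(iter(tags)) != "v" or tags["v"] != "DMARC1":
        raise ValueError("not a DMARC record")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("missing or invalid p= policy")
    return tags

def aligned(auth_domain, from_domain, mode):
    """mode 's' = strict (exact match), 'r' = relaxed.
    Assumption: relaxed is approximated as 'same domain or a subdomain of the
    From domain'; real receivers compare organizational domains."""
    if not auth_domain:
        return False
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f or (mode != "s" and a.endswith("." + f))

def disposition(record, from_domain, spf=None, dkim=None, sample=0):
    """spf / dkim: the domain that passed each check, or None if it failed.
    sample: per-message value 0-99 the receiver draws for pct= sampling."""
    tags = parse_dmarc(record)
    if (aligned(spf, from_domain, tags.get("aspf", "r"))
            or aligned(dkim, from_domain, tags.get("adkim", "r"))):
        return "deliver"  # DMARC pass: one aligned mechanism is enough
    policy = tags["p"]
    if sample >= int(tags.get("pct", "100")):
        # Outside the sampled fraction: apply the next less strict policy
        policy = {"reject": "quarantine", "quarantine": "none"}.get(policy, "none")
    return "deliver" if policy == "none" else policy

def report_uris(tags):
    """Addresses (rua=) where receivers send aggregate reports."""
    return [u.strip() for u in tags.get("rua", "").split(",") if u.strip()]

# Constructed sample records (example.com is a placeholder domain)
RECORD = "v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc-reports@example.com"
STRICT = "v=DMARC1; p=reject; aspf=s; adkim=s"
```

A `p=none` record still produces reports through `rua=`, which is how a sender can measure how much legitimate mail is failing before moving to `quarantine` or `reject`.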

DMARC is not as straightforward to set up as SPF or DKIM. It is one of those more sophisticated dance moves. Setting it up requires a bit of acumen on setting the contingencies. An experienced partner is like the mistress at a ballet academy, teaching you the fundamentals, understanding your capabilities and guiding you toward your desired goal.

A partner can assist, pulling the right levers that suit a given business’ needs, allowing you to stitch together all the moving parts of email deliverability to get you to that grand finale.