Emails sent from your website not passing DMARC

Last Updated: January 13th, 2025 / Published On: November 22nd, 2024

Audience

This article is meant for those who maintain websites for RMTT customers.

Issue

As part of the services we provide to our mutual customer, we’ve been monitoring emails sent on behalf of their domain – including any that are sent via their website (often Contact Us forms).  We’ve identified that those messages are not DMARC aligned.

Why is this important

Our goal is to set the DMARC policy for our mutual customer to ‘Reject’, meaning that unless an email comes from an authorized source, it will be rejected.  This is a highly effective scam-prevention tool. Until messages sent via the website are DMARC aligned, we are unable to make this policy change.

What if there are only a few forms filled out per month?

Unfortunately, it doesn’t matter.  To the mechanisms that detect whether or not a message is safe from a DMARC perspective, an unaligned message from the Contact Us form on a website looks the same as a threat actor sending a malicious email.

How to get DMARC aligned emails from a website

This is the tricky part, as it depends on where the website is hosted.  We recommend reaching out to the webhost’s support team to determine the following:

  • DKIM records
  • SPF records
  • How to set a Return Path that mirrors the domain (also referred to as the Bounce Address or the Envelope From address)

Once you have this information, corresponding DNS records need to be created.  We’re happy to help you apply those.

How do I test once changes have been made

This is also a bit difficult.  If you use WordPress, here’s a sneaky trick to verify.  Otherwise, let us know when you’ve made the changes and we can do some testing together.
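One way to check a test submission yourself, added here as an example (not RMTT's tooling): save the raw source of the received message and compare the domains the receiving server recorded in `Authentication-Results` against the From: domain. The sample messages and domains are constructed, and treating the last two labels as the organizational domain is a simplifying assumption.

```python
import re
from email import message_from_string
from email.utils import parseaddr

def org_domain(domain):
    # Assumption: organizational domain = last two labels. Real DMARC
    # evaluators use the Public Suffix List (needed for e.g. .co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def dmarc_alignment(raw_message):
    """Report relaxed SPF/DKIM alignment from a received message's headers."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    # The receiving server records its checks in Authentication-Results.
    results = " ".join(msg.get_all("Authentication-Results", []))
    results = re.sub(r"\s+", " ", results).lower()
    # SPF is evaluated on the Return Path (envelope from) domain.
    spf = re.search(r"\bspf=(\w+)[^;]*?smtp\.mailfrom=(?:[^\s;@]*@)?([^\s;]+)", results)
    # A message can carry several DKIM signatures; any aligned pass counts.
    dkim = re.findall(r"\bdkim=(\w+)[^;]*?header\.d=([^\s;]+)", results)
    want = org_domain(from_domain)
    spf_ok = bool(spf) and spf.group(1) == "pass" and org_domain(spf.group(2)) == want
    dkim_ok = any(r == "pass" and org_domain(d) == want for r, d in dkim)
    return {"from_domain": from_domain, "spf_aligned": spf_ok,
            "dkim_aligned": dkim_ok, "dmarc_pass": spf_ok or dkim_ok}

# Constructed sample: form mail sent with the web host's own bounce
# address and DKIM key. SPF and DKIM both pass, but for the host's domain.
BEFORE = """\
Authentication-Results: mx.recipient.example;
 spf=pass smtp.mailfrom=www-data@sharedhost.example;
 dkim=pass header.d=sharedhost.example
From: "Contact Form" <website@customer.example>
Subject: New enquiry

test
"""

# Constructed sample: Return Path and DKIM now use the customer's domain.
AFTER = BEFORE.replace("www-data@sharedhost.example", "bounce@mail.customer.example") \
              .replace("header.d=sharedhost.example", "header.d=customer.example")

if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        print(label, dmarc_alignment(raw))
```

The "before" message shows why a passing SPF or DKIM result is not enough: both checks pass for the host's domain, so neither aligns with the From: domain and DMARC still fails.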

RMTT is here to help

Please reach out if you have questions, need help creating and modifying DNS records, or just want to chat this through in general.  We’re here to help!  303.732.3200.

 
