Creating DMARC-compliant messaging in NetSuite
DMARC (Domain-based Message Authentication, Reporting and Conformance) is an anti-spoofing technology that makes it possible for domain owners to use the Domain Name System (DNS) to inform receiving servers of their DMARC policy. This policy specifies how the domain owner wants the receiving mail server to handle messages claiming to be sent from their domain, but cannot be authenticated as having actually originated from it. DMARC has become a widely-recognized standard and is being implemented by major ISPs and mail service providers. This is a positive move and will go a long way to enhancing the email reputation of commercial organizations. In this article, we'll show you how DMARC works, and then how to configure a DMARC policy for incoming and outgoing mail messages in NetSuite.
How Does DMARC work?
DMARC a “policy layer” that sits on top of two email authentication technologies known as SPF and DKIM. SPF is used to authenticate the origin of an email. That is, it asks the question “Does this mail come from where it says it does?” DKIM looks at authenticating the actual message content. That is “Is this the same message as the one which the sender sent—has it been tampered with?”
DMARC looks at authentication from an end-user perspective and tries to answer the most commonly posed question, whether the “FROM” name that users see in their inbox is actually authentic and originates from the domain it claims to be. DMARC uses the FROM address as the basis for performing what’s known as an “alignment check” against SPF and DKIM.
DMARC works by testing and enforcing an “alignment check” on the incoming mail’s SPF and DKIM headers against the From domain in the mail header (known as RFC5322.From). DMARC requires that only one authenticated identifier (either SPF or DKIM) needs to match the From domain to be considered in alignment.
How is email handled in NetSuite?
If you have enabled the Capture Email Replies feature, a special NetSuite-generated “reply to” address is added to your email message. This address is used by NetSuite to log the communication when a customer replies to you. First the message is routed to NetSuite, where it is recorded in the system, and then it is forwarded to your regular email address (the one specified in your User Preferences). This process is done seamlessly by NetSuite.
With DMARC alignment, forwarded email in NetSuite may cause an alignment check failure. This is because if NetSuite’s SMTP IP addresses are not recorded in the originating domain owner’s SPF record, then the SPF alignment check in DMARC will fail. Likewise, the DKIM alignment check will also fail in situations where NetSuite does not have access to the domain owner’s private key. If either of these two checks fail, it will not pass DMARC since at least one authentication method needs to be aligned in order for it to pass the mail. Recently, inbound messages to NetSuite originating from Yahoo and some of the larger ISPs and mail service providers have been failing DMARC alignment. Since Yahoo does not include NetSuite on its SPF record nor is it possible to have their private key for DKIM authentication, forwarded mail are not able to pass DMARC.
This is only the case for inbound forwarded mail. Outbound mail in NetSuite is unaffected, assuming that the account owner has full control of the SPF records and DKIM signing, and it has been correctly configured. Similarly outbound mail is unaffected if the account owner does not have SPF and DKIM enabled on his email domain.
Yahoo and DMARC
Yahoo has implemented DMARC on both outbound and inbound messaging as part of a determined effort to combat phishing attacks originating from spoofed addresses on their domain. Part of this strategy is to implement what’s known as a DMARC “reject policy”. Domain owners can choose three options in DMARC to inform mail receivers what to do with misaligned mail originating from their domain: none (report only),quarantine, and reject. Email providers that choose to adopt a hard line reject policy have reduced the number of phishing incidents, but legitimately spoofed email (that is, forwarded mail from a third party such as NetSuite) is also being blocked by these email providers.
Implementing DMARC-compliant messages in NetSuite
In NetSuite Version 2015 Release 2, we released two system preferences that enable users to create DMARC-compliant messages when sending outgoing mail from NetSuite and for forwarding email replies using the Capture Email Replies feature. These preferences not only enable a DMARC-compliant mail stream from NetSuite, but also delivers an effective resolution to the reject policy issue outlined above.
Domain owners should already have Sender Policy Framework (SPF) and Domain Keys Identified Mail (DKIM) records set up and have full access to their domain DNS before proceeding with this setup. SPF and DKIM are DNS records of the TXT type. Your domain administrator or someone who has access to your domain registrar can create and make changes to these records.
You must have the SPF record set up correctly and published with your domain provider. Verify the SPF record contains “include: mailsenders.netsuite.com”.
Selecting the DMARC compliance preferences will disable the Hard Bounce tracking feature; the envelope sender is aligned with the from sender and therefore cannot use the @bounces.netsuite.com domain.
To setup DMARC compliance on outgoing mail in NetSuite:
Go to Setup > Company > Email Preferences.
Compose DMARC Compliant Email Messages box in the Domain Keys column.
To setup DMARC compliance on forwarded mail in NetSuite:
Go to Setup > Company > Setup Tasks > Enable Features.
Check the Capture Email Replies box in the Marketing column.
Go to Setup > Company > Email Preferences.
Check the Forward email replies in DMARC compliant format box in the Domain Keyscolumn.