DMARC-Compliant Messaging in NetSuite
DMARC (Domain-based Message Authentication, Reporting and Conformance) is an anti-spoofing technology that lets domain owners use the Domain Name System (DNS) to inform receiving servers of their DMARC policy. This policy specifies how the domain owner wants the receiving mail server to handle messages that claim to be sent from their domain but can't be authenticated as having originated from that domain. DMARC is a widely-recognized standard and is being implemented by major ISPs and mail service providers. This is a positive move and will help enhance the email reputation of commercial organizations. This topic explains how DMARC works. It also provides links to information and resources about setting up a DMARC policy for incoming and outgoing mail messages.
How Does DMARC work?
DMARC is a policy layer that sits on top of two email authentication technologies known as SPF and DKIM.
- SPF helps verify the email's origin. Does this mail originate from where it says it does?
- DKIM helps verify the message content. Is this the same message the sender sent, or was it tampered with?
DMARC verifies, from the user's perspective, whether the FROM name in the inbox is authentic and comes from the domain it claims. DMARC uses the FROM address to perform what is known as an alignment check against SPF and DKIM. In the alignment check, DMARC tests and enforces alignment between the incoming mail’s SPF and DKIM headers and the From domain in the mail header (known as RFC5322.From).
For more information about DMARC, go to dmarc.org. DMARC requires that only one authenticated identifier (either SPF or DKIM) needs to match the From domain to be considered in alignment. While visiting the DMARC website, you may want to read the following articles:
- DMARC and the Email Authentication Process section of the Overview page. dmarc.org/overview.
How is email handled in NetSuite?
If you've enabled the Capture Email Replies feature, NetSuite generates and adds a special reply-to address to your email message. NetSuite uses this address to log the communication when a customer replies to you. First, the message is routed to NetSuite, where it's recorded in the system. Next, it's forwarded to your regular email address (the one set in your User Preferences). NetSuite handles this process seamlessly.
With DMARC alignment, forwarded email in NetSuite may fail the alignment check. That's because if the NetSuite SMTP IP addresses aren't in the originating domain owner’s SPF record, the SPF alignment check in DMARC will fail. The DKIM alignment check will also fail if NetSuite doesn't have access to the domain owner’s private key. If both checks fail, the message won't pass DMARC, because at least one authentication method needs to be aligned for DMARC to pass the mail.
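The following added example (not NetSuite code) applies the alignment rule to a From header and an Authentication-Results value, so you can see why a directly sent message passes and a forwarded one fails. The function names, the .example domains, and the two-label organizational-domain shortcut are assumptions made for illustration.

```python
import re
from email.utils import parseaddr

def org_domain(domain):
    # Assumption: organizational domain = last two labels. Production
    # evaluators derive it from the Public Suffix List instead.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, strict=False):
    # Strict mode needs an exact match; relaxed mode compares organizational domains.
    if strict:
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_eval(from_header, auth_results, strict=False):
    """Evaluate DMARC alignment from a From header and an Authentication-Results value."""
    from_domain = parseaddr(from_header)[1].rpartition("@")[2]
    spf = re.search(r"\bspf=(\w+)[^;]*?\bsmtp\.mailfrom=(?:[^\s;@]*@)?([^\s;]+)", auth_results)
    dkim = re.findall(r"\bdkim=(\w+)[^;]*?\bheader\.d=([^\s;]+)", auth_results)
    # A mechanism counts only if it passed AND its domain aligns with From.
    spf_ok = bool(spf) and spf.group(1) == "pass" and aligned(spf.group(2), from_domain, strict)
    dkim_ok = any(res == "pass" and aligned(d, from_domain, strict) for res, d in dkim)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if (spf_ok or dkim_ok) else "fail"}

# Constructed sample headers (placeholder .example domains, not real traffic).
FROM = "Sales <sales@customer.example>"
SAMPLES = {
    # Sent directly by the domain owner's own infrastructure.
    "direct": "mx.receiver.example; spf=pass smtp.mailfrom=bounce@mail.customer.example; "
              "dkim=pass header.d=customer.example",
    # Forwarded: forwarder IP is not in the SPF record and the signature no longer verifies.
    "fwd_both_fail": "mx.receiver.example; spf=fail smtp.mailfrom=sales@customer.example; "
                     "dkim=fail header.d=customer.example",
    # Forwarded unmodified: SPF fails, but the original DKIM signature still verifies.
    "fwd_dkim_intact": "mx.receiver.example; spf=fail smtp.mailfrom=sales@customer.example; "
                       "dkim=pass header.d=customer.example",
    # Forwarder uses its own envelope sender: SPF passes, but for an unaligned domain.
    "fwd_rewritten_envelope": "mx.receiver.example; spf=pass smtp.mailfrom=relay@forwarder.example; "
                              "dkim=fail header.d=customer.example",
}

if __name__ == "__main__":
    for name, ar in SAMPLES.items():
        print(f"{name:24} {dmarc_eval(FROM, ar)}")
```

The last sample shows that an SPF pass alone is not enough: the authenticated domain must also align with the From domain.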
For information about how to ensure that email you send reaches the intended recipients, see Email Best Practices.
Consider setting up a DMARC policy record for your company’s entire email infrastructure.
Setting up a DMARC policy affects your company's entire email infrastructure. Your company's email administrator should be involved in setting up a DMARC policy record with your domain provider. Consider carefully how strong a policy to implement, because it may have consequences. For example, if you use the optional rua tag, it might consume some of your company’s email resources, depending on how many reports you get.
See also Domain-based Message Authentication, Reporting and Conformance (DMARC).
Both DKIM and DMARC policy records must be published for email messages to be recognized as DMARC-compliant. See DomainKeys Identified Mail (DKIM).
In the past, messages forwarded by NetSuite from Yahoo and some of the larger ISPs and mail service providers could fail DMARC alignment. Because Yahoo doesn't include NetSuite on its SPF record, nor is it possible to have their private key for DKIM authentication, forwarded email can't pass DMARC. In these cases, the sending domain is overwritten. See FROM Headers in Email Can Be Rewritten.
This only applies to inbound forwarded mail. Outbound mail in NetSuite isn't affected if the account owner has full control of DKIM signing and it's set up correctly.
For more information about DMARC:
- Go to https://dmarc.org/overview. You may find the Anatomy of a DMARC resource record and How Senders Deploy DMARC in 5-Easy Steps sections of that page particularly helpful.
- See also the DMARC specification, RFC 7489.