New DMARC Apple setting – emitter warning


Recently Apple announced they are switching their DMARC domain policy from “p=none” to a “p=quarantine” on the following domains:

  • com
  • com
  • com

What does it imply?

It means you will see delivery issues if you send mail from an address in these domains through servers outside Apple’s network.

Al Iverson of Spam Resource states that:  “If you have an email address in these domains, your ability to send outbound mail using an email service provider or other, non-Apple email platform to send mail, deliverability won’t look so good. Mail may not be blocked outright (Apple didn’t move to “p=reject”) but moving to “p=quarantine” means it’s much more likely that your mail could end up in the spam folder.”

What does DMARC stand for?

DMARC stands for Domain-based Message Authentication, Reporting and Conformance. In the same way as SPF & DKIM, DMARC is an email validation method designed to detect and prevent email spoofing (it discourages people from using your domain without your permission). DMARC is more advanced however, in that it allows the sender to control what happens to email that does not pass DMARC.

How does DMARC work?

DMARC builds on alignment of the From domain with SPF and DKIM authentication. On top of that, it adds a reporting function between emitters and receivers to improve and monitor protection of the domain from fraudulent email.

DMARC is unique in that it lets the sender tell the receiver what to do if a message does not pass DMARC: “None” (no action), “Quarantine” (send to junk) or “Reject” (block it). This removes some of the guesswork from the receiver’s handling of failed messages, while lowering or eliminating the user’s exposure to potentially fraudulent and harmful messages. DMARC also provides a way for the receiver to report back to the sender about messages that fail DMARC, so senders can see a report of who is using their domain without permission.

AOL and Yahoo were the first large email providers to apply DMARC policy of “Reject” back in April, 2014. Both of them modified their DMARC policy asking all mail services to reject email claiming to come from their domains.

What to do?

The best solution is to use your own domain name. If you don’t own a domain, it’s time to get one. Using your own domain when you send email is the best way to avoid being affected by changes like these in the future, and it is something we’ve always recommended.

If people sign up at www.megastore22.com, the email should come from an email address that ends in @megastore22.com (not an @Aol, @icloud or @yahoo address).

With your own domain, you have full control. No more worrying about ISPs affecting your delivery by changing their DMARC policies.

Why did Apple start doing this?

When mischievous people imitate a brand such as Apple in an attempt to get your personal details, they can trick people into thinking the message is real. DMARC is one of the ways receivers can check whether the sender is really who they say they are, which helps prevent scams and phishing.

Visit https://dmarcian.com/dmarc-what for more details on what DMARC is and what it does to identify the sender.

Are Gmail or Outlook going to do this as well?

While they both have DMARC records in place, Gmail and Hotmail (Outlook) are not set to block anyone just yet. Gmail said they would incorporate the “Reject” policy in 2016, but no change was made. While Yahoo, AOL and Apple may have been the first to take concrete action by changing their DMARC policies, others will follow in a short time. Here is a current list of domains currently deployed with a “p=reject” DMARC policy:

  • yahoo.*
  • ymail.com
  • rocketmail.com
  • aol.com
  • adp.com
  • aetna.com
  • airbnb.com
  • americanexpress.com
  • aexp.com
  • americangreetings.com
  • applemusic.com
  • box.com
  • britishairways.com
  • chase.com
  • jpmchase.com
  • citibank.com
  • dhl.com
  • evernote.com
  • facebook.com
  • fedex.com
  • gap.com
  • groupon.com
  • instagram.com
  • linkedin.com
  • oldnavy.com
  • paypal.com
  • pinterest.com
  • pch.com
  • rollingstone.com
  • squarespace.com
  • twitter.com
  • ups.com
  • ftc.gov
  • senate.gov
  • usps.gov
  • usaa.com
  • wachovia.com
  • wellsfargo.com
  • whatsapp.com

How will this affect me?

I ran a test in 2015 using our servers from a @Yahoo address and it was clear DMARC was present. I sent a bulk email to over 600 test accounts all over the world and over 56% of the mail sent to the United States went missing (32.2% worldwide).

The ISPs that were completely blocked were:

  • Gmail
  • Yahoo (worldwide)
  • Hotmail/Outlook
  • AOL
  • ATT
  • Rogers
  • Bellsouth
  • British Telecom
  • Comcast
  • CompuServe
  • Netscape
  • SBC
  • Cantv.net

I repeated the experiment in 2018. The results were exactly the same, with the difference that Apple’s 3 domains were completely blocked.