I wouldn't think it an automatic fail by any means, but I could see it being a factor. Regardless, a mass vax site registration organization should have all their i's crossed and t's dotted.
Yes. But at the same time, I think the people who work on email auth standards could think a bit more about the complexity they introduce, since more complexity means it's harder for small orgs to do auth "right".
If they don't have DMARC, it's possible their domain is being spoofed for spam emails resulting in it having a bad reputation. It's possible that an enforcing DMARC policy is used as a heuristic but I doubt not having one really results in much of a penalty.
SPF and DKIM are enough to prevent spoofing most of the time, which is why Gmail gives more reputation weight to mail with authenticated domains. But you're right, DMARC is almost never the determining factor for delivery.
DKIM is only involved if the mail is signed. There's no way to mark the domain as requiring DKIM aside from using DMARC.
The whole point of DMARC is requiring that either SPF or DKIM is valid and aligned to the domain. They don't really work meaningfully without having it.
I work with all three standards professionally, so I can tell you that failing DKIM in practice is enough to cause rejections a lot of the time, and lack of DKIM is usually a much stronger spam signal than lack of DMARC.
Plus, DKIM/SPF adoption rate is much higher than DMARC. So in practice, filters use whatever's available when assessing whether the mail should be delivered.
Don't get me wrong, DMARC is a good thing. But the real world isn't the RFCs.
The entire purpose of DMARC is enforcing that either SPF or DKIM is passing + aligned. Neither SPF nor DKIM has a way to enforce that without DMARC. They do not prevent spoofing.
Using absence or presence of DKIM as a spam signal is much different from preventing impersonation.
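The alignment rule the reply above describes, worked through as an added example (this is not code from anyone in the thread): a receiver takes the SPF and DKIM results, checks whether the authenticated domain aligns with the visible From domain, and passes DMARC only if at least one of them does. Function names and the sample domains are constructed, and the organizational-domain helper is simplified to "last two labels" instead of consulting the Public Suffix List.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class AuthResults:
    from_domain: str              # RFC5322.From domain, the one the recipient sees
    spf_result: str               # "pass", "fail", "none", ...
    spf_domain: Optional[str]     # RFC5321.MailFrom domain SPF was evaluated for
    dkim_result: str
    dkim_domain: Optional[str]    # d= tag of the DKIM signature, if any


def org_domain(domain: str) -> str:
    # Assumption/simplification: organizational domain = last two labels.
    # Real receivers use the Public Suffix List (e.g. "example.co.uk").
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """mode 's' = strict (exact match), 'r' = relaxed (same organizational domain)."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_pass(r: AuthResults, aspf: str = "r", adkim: str = "r") -> bool:
    """DMARC passes if SPF passed AND aligns, OR DKIM passed AND aligns.
    aspf/adkim mirror the policy record tags that pick strict vs relaxed."""
    spf_ok = (r.spf_result == "pass" and r.spf_domain is not None
              and aligned(r.spf_domain, r.from_domain, aspf))
    dkim_ok = (r.dkim_result == "pass" and r.dkim_domain is not None
               and aligned(r.dkim_domain, r.from_domain, adkim))
    return spf_ok or dkim_ok


# Constructed sample results (no real domains or headers).
# SPF and DKIM both "pass" here, but for the bulk sender's own domain, so the
# From domain is not authenticated at all; only DMARC catches that.
FORGED = AuthResults("vaxsite.example", "pass", "bulk-sender.example",
                     "pass", "bulk-sender.example")
# Signed with the From domain's own DKIM key: aligned, DMARC passes.
SIGNED = AuthResults("vaxsite.example", "fail", "bulk-sender.example",
                     "pass", "vaxsite.example")
# SPF for a subdomain: aligned under relaxed mode only.
SUBDOM = AuthResults("vaxsite.example", "pass", "mail.vaxsite.example",
                     "none", None)

if __name__ == "__main__":
    for name, res in (("forged", FORGED), ("signed", SIGNED), ("subdomain", SUBDOM)):
        print(name, "relaxed:", dmarc_pass(res), "strict:", dmarc_pass(res, "s", "s"))
```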
Yes, I'm familiar with DMARC, so I know that's the use case for it.
But in the context of "why this mail went to spam", spoofing - at the scale that would affect the auth'd domain's reputation and delivery - is extremely uncommon. There are lots of much more likely causes.
I don't think DMARC has a significant impact as a spam signal as I said either.
It is possible that the domain reputation was harmed if Gmail couldn't distinguish spam emails from the genuine emails due to lacking it though.
Doesn't mean I think that's what happened. It's a qualification on my statement that DMARC probably isn't the reason the mails are being considered spam.
I didn't want to say they were wrong when it's quite possible that it's part of what contributed to it happening.
Honestly the most likely cause? A few too many recipients marking it as spam. Only takes a few tenths of a percent, sometimes.