Should ESPs force DKIM and DMARC on paid customers, and what are the implications and downsides?

Summary

The consensus is mixed on whether ESPs should mandate DKIM and DMARC for paid customers. While email authentication protocols like DKIM, DMARC, and SPF enhance deliverability and security by preventing spoofing and phishing, forcing their implementation presents challenges. Increased onboarding friction and technical complexity are significant concerns, particularly for small businesses and less technical users. DMARC's impact on mailing lists is another key consideration, as it can disrupt their functionality. It is also important to acknowledge the cost of implementation, as well as the businesses that monetise DMARC.

Key findings

  • Improved Security & Deliverability: DKIM, DMARC, and SPF enhance email security and improve deliverability.
  • Increased Onboarding Overhead: Forcing DKIM/DMARC can increase the initial setup burden, especially for non-technical users.
  • Technical Complexity: Implementation can be complex and creates barriers for some users.
  • Negative Impact on Mailing Lists: DMARC can negatively impact mailing list functionality and delivery.
  • Increased Implementation Costs: Forcing implementation increases the costs to the ESP and the user.

Key considerations

  • User Support & Education: Offer comprehensive support, simplified tools, and educational resources to ease the transition.
  • Tiered Service Options: Consider offering tiered service options to accommodate varying customer needs and technical expertise.
  • Potential Delivery Issues: Carefully configure DMARC policies to avoid blocking legitimate emails.
  • Mailing List Compatibility: Address potential impacts of DMARC on mailing lists and consider alternative solutions.
  • Cost Implications: Acknowledge and address the increased costs associated with implementing and supporting these protocols.

What email marketers say
11 marketer opinions

The question of whether ESPs should force DKIM and DMARC on paid customers elicits varied opinions. While mandating these protocols is generally seen as beneficial for improving email deliverability, enhancing sender reputation, and reducing the risk of spoofing and phishing, this approach also presents potential challenges. These include increased onboarding friction, particularly for smaller businesses or clients with limited technical expertise. Some suggest offering tiered support, simplified implementation tools, and comprehensive educational resources to mitigate these difficulties. Incorrect implementation can also cause delivery problems for transactional and marketing emails, and mandating the protocols increases the cost of implementation for users.

Key opinions

  • Improved Deliverability: DKIM and DMARC significantly improve email deliverability and sender reputation.
  • Security Benefits: These protocols help prevent spoofing and phishing attacks, benefiting both ESPs and customers.
  • Onboarding Challenges: Mandating DKIM/DMARC can increase onboarding friction, especially for less technical users.
  • Technical Complexity: Implementing DKIM, DMARC, and SPF can be complex, creating barriers for some users.
  • Implementation Costs: These protocol implementations can increase costs for the user as well as the ESP providing support for the implementation.

Key considerations

  • Tiered Support: Consider offering tiered support and pricing models to accommodate diverse customer needs.
  • Simplified Tools: Provide simplified implementation tools or guides tailored to different technical skill levels.
  • Educational Resources: Offer comprehensive assistance and educational resources to ease the transition.
  • Potential Delivery Issues: Acknowledge and mitigate potential delivery problems for transactional/marketing emails due to incorrect implementation.
  • User Expertise: Many users simply don't have the expertise to deal with DNS, SPF or DMARC settings, which can cause huge issues if not configured correctly.
Marketer view

Email marketer from Email on Acid shares that while mandating DKIM and DMARC improves security and deliverability, ESPs should consider offering tiered support and pricing models to accommodate diverse customer needs. Some clients may require more hands-on assistance, while others may prefer self-service options.

January 2025 - Email on Acid
Marketer view

Email marketer from Reddit shares that mandating DKIM/DMARC could create hurdles for certain clients, particularly those lacking technical knowledge or those using third-party services that may not fully support these standards. They recommend offering comprehensive assistance and educational resources to ease the transition.

March 2021 - Reddit
Marketer view

Email marketer from GMass Blog shares that implementing DMARC, DKIM, and SPF can be complex, especially for small businesses. While it is beneficial for deliverability, forcing these protocols could create barriers to entry for some users. ESPs should consider providing simplified implementation tools or guides tailored to different technical skill levels.

August 2024 - GMass Blog
Marketer view

Email marketer from Litmus says that although DMARC, DKIM and SPF implementations improve email security, they can often cause delivery problems for transactional and marketing emails if implemented incorrectly by ESPs.

January 2024 - Litmus
Marketer view

Email marketer from SparkPost Blog explains that adopting DKIM and DMARC is crucial for maintaining a positive sender reputation and improving email deliverability. While it is beneficial, the requirement could negatively impact smaller businesses with less technical expertise. They suggest providing simplified resources for onboarding.

June 2024 - SparkPost Blog
Marketer view

Email marketer from Quora shares that many users simply don't have the expertise to deal with DNS, SPF or DMARC settings, which can potentially cause huge issues if not configured correctly.

October 2021 - Quora
Marketer view

Email marketer from Email Geeks shares their experience that their company didn't force DKIM or DMARC at Maropost for 8 years but made DKIM setup with alignment standard, and almost all customers did it; today, they'd definitely make DMARC standard.

March 2023 - Email Geeks
Marketer view

Email marketer from Email Geeks says that requiring DKIM and DMARC is the right thing to do, as it's only a matter of time before deliverability depends on alignment and having DKIM and DMARC has no downside.

May 2024 - Email Geeks
Marketer view

Email marketer from Mailjet Blog explains that forcing DKIM and DMARC can significantly improve deliverability by authenticating emails and protecting sender reputation. It reduces the risk of spoofing and phishing attacks, which is beneficial for both the ESP and its customers. However, it could potentially increase onboarding friction, requiring more technical expertise from customers.

October 2024 - Mailjet Blog
Marketer view

Email marketer from Email Marketing Forum shares that although it increases security, forcing DKIM/DMARC increases cost to users who now need to implement it as well as increased work/cost on the ESP side to support all clients with this change.

April 2024 - Email Marketing Forum
Marketer view

Email marketer from Email Geeks asks for opinions on forcing all paid customers to complete DKIM and DMARC, feeling it's needed with updates from Google and Yahoo.

May 2023 - Email Geeks

What the experts say
12 expert opinions

Forcing DKIM and DMARC on paid ESP customers presents a complex scenario. While it aligns with current trends and improves an ESP's setup, there are significant implications and downsides to consider. Increased onboarding overhead arises from requiring customers to authenticate their domains. Furthermore, DMARC can negatively impact mailing lists, causing delivery problems, breaking functionality, and creating complexity. DMARC's complexity is a downside, particularly for end-users and those with less technical experience, and experts note that it is being pushed hard by companies that make money directly off that complexity.

Key opinions

  • Increased Onboarding Overhead: Forcing DKIM/DMARC increases the initial setup burden for customers.
  • Mailing List Problems: DMARC interacts poorly with mailing lists, potentially causing delivery issues and breaking functionality.
  • Technical Complexity: DMARC setup can be challenging, especially for end-users and those with less technical experience.
  • Negative Impact on Indirect Mail Flows: DMARC breaks indirect mail flows, affecting how email is used by real people.
  • Business Motivations: DMARC is being pushed hard by companies who are making money directly off the complexity of it.

Key considerations

  • Domain Purchase Requirements: Consider whether customers are forced to buy domains to comply with DKIM/DMARC requirements.
  • Mailing List Handling: Address the potential impact of DMARC on mailing list delivery and functionality.
  • Ease of Implementation: Balance security benefits with user experience, and simplify DMARC setup for end-users.
  • DMARC Policy Impact: Consider the effects of DMARC quarantine/reject policies on legitimate email delivery.
Expert view

Expert from Email Geeks warns that DMARC with a policy statement of quarantine or reject can cause delivery problems and issues with mailing lists, including replies off-list and sender identification.

November 2022 - Email Geeks
Expert view

Expert from Email Geeks explains that if your employer has published a DMARC record and you send mail to a mailing list then you are violating DMARC policy for all the receivers of that mailing list. They won’t see your mail - and if they reject it you’ll be bounced off the list.

May 2022 - Email Geeks
Expert view

Expert from Email Geeks explains that Slack and forums are not replacements for mailing lists and she still has that history in her mailbox. Look at how much deliverability history and information has disappeared due to Validity taking down the old RP blogs. OTOH, she can still retrieve information from mailing lists she was on in 2000 and that have since lived on, and some of those are deliverability related.

November 2023 - Email Geeks
Expert view

Expert from Spam Resource explains that DMARC's complexity is a real downside, especially for end-users. Setting up DMARC can be challenging, and incorrectly configured policies can cause legitimate emails to be rejected. ESPs need to balance security benefits with the user experience.

September 2024 - Spam Resource
Expert view

Expert from Email Geeks explains that DMARC breaks indirect mail flows which breaks a lot of functionality inherent in how email is used by real people to communicate with one another and it does it at great expense and with very little obvious benefit.

July 2021 - Email Geeks
Expert view

Expert from Spam Resource explains that, from a list owner's perspective, DMARC policies are making it harder to run mailing lists. Mailing lists often modify headers which will make DMARC fail if the email has a strict DMARC reject policy.

July 2023 - Spam Resource
Expert view

Expert from Email Geeks explains that even adding p=none in a DMARC record may change the behavior of mailing lists for subscribers from your domain.

July 2024 - Email Geeks
Expert view

Expert from Email Geeks says that forcing customers to complete DKIM and DMARC is becoming the norm, and the interesting question is whether ESPs are forcing them to buy domains.

April 2023 - Email Geeks
Expert view

Expert from Email Geeks explains that DMARC companies lobby against fixing and mitigating things in the DMARC standard, and that a lot of people who are financially invested in DMARC hand-wave away real objections by saying things like 'mailing lists don't matter and need to be replaced'. She goes on to say that she asked to be shown the numbers demonstrating that DMARC will make an impact on security or improve the situation with phishing, and even how to collect the data, but was told it's too hard.

March 2021 - Email Geeks
Expert view

Expert from Email Geeks explains that making customers authenticate with their own domain increases onboarding overhead but sets ESPs up well for the future, and that a lot of the reason we're in this situation is that a decade ago many ESPs decided not to force customers to sign with their own domain.

April 2022 - Email Geeks
Expert view

Expert from Spam Resource explains that forcing DMARC on users is tricky because it interacts poorly with mailing lists. Mailing lists can break DMARC authentication and cause issues for subscribers and list owners. Also, DMARC record implementation can be overly complex for non-technical users.

November 2022 - Spam Resource
Expert view

Expert from Email Geeks explains that DMARC breaks basic email functionality, that it is being pushed hard mainly by companies who are making money directly off the complexity of it, and that it was originally designed for bulk mail only.

September 2021 - Email Geeks

What the documentation says
4 technical articles

DMARC, DKIM, and SPF are key email authentication methods. DMARC uses DKIM and SPF to authenticate, allowing domain owners to specify how recipient servers should handle unauthenticated emails, thus preventing spoofing. DKIM adds digital signatures for verifying sender authenticity and message integrity, while SPF specifies authorized mail servers for a domain. Enforcing these protocols provides comprehensive authentication, but requires careful setup, monitoring, and key management. For high-volume sends, DMARC is a necessity.
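
An added example, not taken from any of the sources quoted on this page: a simplified DMARC evaluation showing why a message signed with the customer's own domain passes, while ESP shared-domain mail and mailing-list traffic fail under p=reject. Domains, records and authentication results are constructed, and the two-label organizational-domain rule is a simplifying assumption standing in for the Public Suffix List.

```python
# Added example: simplified DMARC evaluation in the spirit of RFC 7489.
# All domains, records and auth results below are constructed sample data.

def parse_dmarc(record):
    """Parse a DMARC TXT record into a tag dict; None if it is not usable."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    return tags if tags.get("v") == "dmarc1" and "p" in tags else None

def org_domain(domain):
    # Assumption: last two labels. Real code must use the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """Strict ('s') needs an exact match; relaxed ('r') compares org domains."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def evaluate(msg, record):
    """Return (dmarc_result, receiver_action) for one message."""
    policy = parse_dmarc(record)
    if policy is None:
        return ("none", "deliver")
    spf_ok = msg["spf_pass"] and aligned(msg["mail_from"], msg["from"], policy.get("aspf", "r"))
    dkim_ok = msg["dkim_pass"] and aligned(msg["dkim_d"], msg["from"], policy.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return ("pass", "deliver")
    return ("fail", {"quarantine": "quarantine", "reject": "reject"}.get(policy["p"], "deliver"))

RECORD = "v=DMARC1; p=reject; adkim=r; aspf=r"
# Customer signs with its own domain: DKIM d= aligns with From.
OWN_DOMAIN = {"from": "example.com", "mail_from": "bounce.esp.example.net",
              "spf_pass": True, "dkim_d": "mail.example.com", "dkim_pass": True}
# ESP shared domain only: SPF and DKIM both pass, but for the ESP's domain.
SHARED = dict(OWN_DOMAIN, dkim_d="esp.example.net")
# Mailing list rewrote the subject/body (signature broken) and re-sent the
# message with its own envelope sender.
VIA_LIST = dict(OWN_DOMAIN, mail_from="list.example.org", dkim_pass=False)

if __name__ == "__main__":
    for name, m in (("own", OWN_DOMAIN), ("shared", SHARED), ("list", VIA_LIST)):
        print(name, evaluate(m, RECORD))
```

With `adkim=s` the own-domain message also fails, because `mail.example.com` is no longer an exact match for the From domain.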

Key findings

  • DMARC Authentication: DMARC relies on DKIM and SPF for email authentication and helps prevent spoofing.
  • DKIM Signature: DKIM adds a digital signature to emails to verify sender authenticity and message integrity.
  • SPF Authorization: SPF specifies authorized mail servers for a domain, helping prevent unauthorized sending.
  • High-Volume Sending Requirements: For high-volume sends, DMARC, DKIM and SPF are required.

Key considerations

  • Setup Complexity: Requires careful setup, monitoring, and key management to avoid blocking legitimate emails.
  • SPF Limitations: SPF alone doesn't provide the same level of protection as DKIM and DMARC combined.
  • High-Volume Sends: When sending high volumes of email, DMARC, DKIM and SPF are required.
Technical article

Documentation from RFC Editor explains that DMARC relies on DKIM and SPF to authenticate email. DMARC policies allow domain owners to instruct recipient mail servers on how to handle unauthenticated emails (e.g., quarantine or reject). This helps prevent email spoofing, but requires careful setup and monitoring to avoid legitimate emails being blocked.

April 2023 - RFC Editor
Technical article

Documentation from DKIM.org explains that DKIM adds a digital signature to outgoing emails, allowing recipient mail servers to verify the sender's authenticity. This process helps ensure that messages haven't been altered in transit and are genuinely from the purported sender. Implementing DKIM can be complex and requires proper key management.

June 2022 - DKIM.org
Technical article

Documentation from Google explains that senders must have DMARC set up to send over 5000 emails a day. They must also have DKIM and SPF set up along with valid hostnames. This documentation is important for email marketers looking to send high volumes of email as well as implementing the correct policies.

December 2022 - Google Support
Technical article

Documentation from AuthSMTP explains that Sender Policy Framework (SPF) records specify which mail servers are authorized to send email on behalf of a domain. While SPF helps prevent spoofing, it doesn't provide the same level of protection as DKIM and DMARC. Requiring SPF, DKIM, and DMARC ensures comprehensive email authentication but could pose technical challenges for some users.

November 2021 - AuthSMTP