Non DMARC Capable Sources
When deploying DMARC, you may occasionally encounter email vendors that do not support DMARC authentication on your outbound email. While most email service providers have implemented and adopted DMARC as a best practice, some vendors have not caught up.
To help users deal with Non-DMARC capable sources, dmarcian classifies these email streams as “Non-Capable” (or “Non-Compliant”). This is done for two reasons:
- To save our users time trying to get a source of email to send DMARC compliant email when it is unable to.
- To raise awareness of sources that haven’t yet figured out how to send DMARC compliant email.
What To do about Non DMARC Capable Sources
Verify the Source is Not DMARC Capable.
When you are aware that you have legitimate email sending from a Non compliant source, you have a few options. First, ensure that the source of email is indeed still not capable of sending DMARC compliant email. As vendors are moving to adopt DMARC as a standard, many eventually become DMARC capable. Verify by visiting your vendors website, or contacting support.
Send Traffic Through a DMARC Capable Source.
The best option when dealing with a non DMARC Capable source is to try and send this traffic to a source that is DMARC capable. Although this not always may be the easiest option, it will ensure that all of your domains are authenticated and protected by your DMARC policy.
Send Non-Compliant Email Through a Subdomain.
If you are unable to relay your traffic through a DMARC Capable source, another option is to create a subdomain specifically for these email flows. Using a specific subdomain with a
p=none policy will allow you to monitor non-compliant email flows and allow your primary domain to publish a
p=reject policy without blocking non-compliant emails. Be aware, because the subdomain publishes a
p=none policy, email coming from this domain cannot be protected by DMARC.
To learn more about how dmarcian classifies non-compliant and other sources, visit How does dmarcian classify sources.