DMARC Regulation 

Gmail and Yahoo have announced new email-sending regulations mandating that domains sending over 5000 emails daily must implement a DMARC (Domain-based Message Authentication, Reporting, and Conformance) policy. This policy aims to bolster email security and combat email spoofing and phishing attacks.

Chargebee prioritizes the successful delivery of your emails to your customers' inboxes without any interruption. To meet these new requirements and ensure the security of your email communication, you need to set up your DMARC policy and make some additional changes as discussed in this document.

Before we discuss the action items, let us understand what DMARC and its policy are.

Introduction to DMARC 

DMARC is a crucial regulation for authenticating email senders and safeguarding against malicious activity that could harm your sender's reputation. It tackles the issue of email spoofing, where senders forge the From email address, particularly focusing on the Envelope From email address.

By leveraging authentication protocols like SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail), DMARC ensures robust protection against spoofing attempts.

To pass DMARC, a message must pass at least one of these two checks (SPF or DKIM). Let us understand these:

1. SPF authentication & SPF alignment : With SPF, alignment compares the domain authenticated by SPF (called the Return-Path address) to the domain in the message header From address.
2. DKIM authentication & DKIM alignment : With DKIM, alignment compares the value in the DKIM-signature domain field (d=) in the message header to the domain in the message From: header.

Let us look at examples of a successful and a failed DMARC alignment check:

Example 1: Where DMARC alignment is successful

In this example:

• SPF authentication passed (highlighted)
• SPF alignment passed because 1 is equal to 2
• DKIM authentication passed (highlighted)
• DKIM alignment passed because 1 is equal to 3

Example 2: Where DMARC alignment fails

Remember, an email fails the DMARC check only it fails both the checks:

1. SPF authentication (or SPF alignment)
2. DKIM authentication (or DKIM alignment)

In this example:

• SPF authentication passed (highlighted)
• SPF alignment failed because 1 is not equal to 2
• DKIM authentication passed (highlighted)
• DKIM alignment failed because 1 is not equal to 3

DMARC strengthens existing email authentication methods like SPF and DKIM by adding extra checks to ensure that the sender's domain matches the From address. It also provides reporting tools to keep track of any suspicious activities, making it easier to protect your domain from email spoofing.

DMARC record 

A DMARC record is a crucial aspect of email authentication, composed of multiple tag-value pairs published in the DNS as a TXT resource record. It serves as guidance for email receivers, on how to handle non-aligned emails effectively.

Consider an example DMARC record for the domain "receiver@acme.com" that looks like this: v=DMARC1;p=reject;rua=mailto:receiver@acme.com

• v mandatory: Denoting the DMARC protocol version, typically set as DMARC1 by default.
• p mandatory: Signifying the DMARC policy applied to emails failing the DMARC check. This policy can be set to 'none', 'quarantine', or 'reject'. Refer to this section for more details.
• rua optional: A list of URIs for Email Service Providers (ESPs) to send aggregate reports to.
  Note: This is not an email address list but a set of URIs formatted as 'mailto:test@example.com'.

In the provided example, the sender requests that the receiver takes no action on non-aligned messages (p=none) and sends a report in a specified aggregate format about the status of the emails to a designated address ('mailto:receiver@acme.com'). This allows the sender to collect DMARC reports and understand the current email flows without impacting the delivery of emails. However, during configuration testing, the sender may choose to adjust the policy to 'quarantine' or 'reject' based on their preferences and requirements.

Additionally, several other optional tags can be included in a DMARC record, that define how strictly DMARC should check messages for alignment and how the ESP should behave when sending DMARC reports. These optional tags provide further customization and fine-tuning of the DMARC policy to suit specific organizational needs and preferences.

Setting the DMARC policy 

A DMARC policy, indicated by the "p" tag within a DMARC record, instructs email service providers (ESPs) on handling emails failing DMARC checks. A DMARC record looks like this:

V=DMARC1; p=none; rua=mailto:johndoe@acme.com

The 'p' tag as shown in the above sample record can be set to one of three values:

1. none: This signifies monitoring mode, where no action is taken on unaligned emails. DMARC reports are generated for analysis to identify senders using your domain.
2. quarantine: Unaligned emails are placed in the spam folder by the ESP. Analyze the data to identify unauthorized senders.
3. reject: ESPs reject all emails failing DMARC checks, preventing them from reaching the recipient's mailbox. While this blocks domain spoofers, it can also block legitimate emails, such as those from internal sources using third-party email services not authorized to send on behalf of your domain.

Let us learn more about a DMARC record and its elements in detail.

Required Action 

Chargebee prioritizes the successful delivery of your emails to your customers' inboxes without any interruption. To meet these new requirements and ensure the security of your email communication, we kindly request your cooperation in completing the following action items:

1. Set Up a DMARC Policy mandatory: If you haven't already, establish a DMARC policy for your domain by publishing a DMARC record. This policy dictates how email providers handle messages that fail authentication checks. You can opt to monitor, quarantine, or reject such emails according to your preferences.
   • It is recommended  to begin with the monitor option (p = none) when implementing DMARC. Under this setting, messages that fail DMARC checks are not acted upon by the receiving server, ensuring normal delivery to recipients. While your policy is set to none, regularly review DMARC reports to monitor how your emails are authenticated and delivered.
2. Opt to receive DMARC Reports optional: Consider adding the optional ‘rua' and/or ‘ruf' tags to your DMARC record to receive DMARC reports. Regularly monitoring these reports provides insights into the authentication status of your emails. They help identify potential issues and enable corrective actions to improve email deliverability. Once you've gained an understanding of how your mail is authenticated and delivered, you can choose to adjust your policy enforcement option to quarantine or reject accordingly.

Frequently Asked Questions 

1. How can I ensure DMARC compliance when using Chargebee's SMTP server to send emails from my domain to Gmail and Yahoo mailboxes?

Take the required action to ensure DMARC compliance when using Chargebee's SMTP server for sending emails from your domain to Gmail and Yahoo mailboxes.

2. Do I have to enable some settings in Chargebee to publish a DMARC record?

No, a DMARC record cannot be published by Chargebee. It needs to be published in your domain's DNS hosting provider. Examples of popular hosting providers are GoDaddy, Namecheap, DNS Made Easy, Cloudflare, and more. Here is a detailed guide on publishing a DMARC record for your domain.

3. Do I need a DMARC policy for my domain if I send less than 5000 emails per day into Gmail or Yahoo mailboxes through Chargebee's SMTP server?

If your domain currently sends less than 5,000 emails per day into Gmail or Yahoo mailboxes, then you will not be affected. But please note that:

• In case you use multiple third-party email service providers for sending emails on behalf of your domain, those emails will also count towards this daily limit. 
• If you're also hosting your domain on Google Workspace, your internal message volume will likely count toward this daily limit.

Therefore, it's still advisable to set up a DMARC policy for your domain with the monitor option (p = none). The monitor option dictates that messages that failed DMARC checks should not be acted upon by the receiving server and therefore it ensures normal delivery to the intended recipients' inboxes.

4. How can I monitor the number of emails sent through Chargebee's SMTP server that end up in spam folders?

Chargebee does not track this data. If you're interested in getting these details, we recommend that you opt-in to receive DMARC reports by adding the optional 'rua' and/or 'ruf' tags to your DMARC record.

5. How can I test the functionality of my DMARC record after publishing it for my domain?

You can use a DMARC Check Tool to test your DMARC record functionality.

5. I use an email service provider like Gmail and I have not configured my SMTP in Chargebee. Will I be affected?

• In case the merchant utilizes an @gmail.com sender address, Chargebee will seamlessly modify the sender information to ensure there are no disruptions in email deliverability.
• Conversely, if the merchant prefers to retain the @gmail.com address, they have the option to integrate their email provider's SMTP server (such as Gmail SMTP) with Chargebee.

If you are using a From Address like Yahoo or Gmail and you have not configured your own SMTP in Chargebee, email notifications sent to your Customers from Chargebee will be from Your Name < no-reply@chargebee-mailer.com >. When customers reply to your email notification, the From Address configured in Chargebee will be used in the reply-to field.

Email Headers will be changed to: