If you read email industry and deliverability-related blogs, you know that there's a lot out there talking about email encryption and authentication technologies like DKIM and DMARC. Here I've put together a very quick primer on what every Salesforce Marketing Cloud client needs to know about both of these and how they're going to affect your ability to send email in 2016.

DKIM (Domain Keys Identified Mail) is a type of email authentication that works based on applying a cryptographic signature to an email message. This "DKIM signature" is invisible to the end user, but it indirectly helps your ability to get to the inbox by making it easy for Internet Service Providers (ISPs) and webmail providers to tell good mail from bad mail. The signature, when processed by the receiving ISP, tells that ISP that mail from a client's domain truly was sent by somebody authorized to send mail from that domain. Gmail, Yahoo, AOL, Hotmail and many other ISPs now recognize DKIM-authenticated mail.

DKIM is not required to get mail delivered to the inbox. DKIM helps ISPs more easily tell the good mail (your mail) from the bad mail (forged and spoofed mail). Thus, if your mail is signed with DKIM, you're better positioned for deliverability success. Also, you effectively need DKIM if you plan to implement DMARC (see below).

DMARC (Domain-based Message Authentication, Reporting & Conformance) is an email authentication protocol that you add on top of existing email authentication technology such as DKIM. DMARC's primary benefits are twofold. First, it can be used to tell ISPs to reject or discard mail that purports to be from you but isn't from you. Second, it can be used to tell ISPs to send you reports regarding mail that purports to be from you but isn't from you. DMARC can be a bit scary if you get it wrong; if misconfigured, you can accidentally tell the world to reject some or all of your legitimate mail. For clients who want to implement DMARC, we recommend that they work with a company that specializes in DMARC-focused email fraud production, such as Return Path. You'll need guidance and assistance on the best possible DMARC policy for you, and you'll need collection, reporting and analysis of DMARC-related reports, and these are things that Salesforce Marketing Cloud does not provide today.

DMARC Frequently Asked Questions (FAQ)

Q: I've heard that all ISPs are going to require DMARC in 2016. Is this true?

A: Not exactly. As of yet, no ISP has said that they're going to require that your email domain have DMARC implemented or else they're not going to accept their mail.

Q: I've heard that some ISPs have implemented restrictive DMARC policies. What does that mean?

Yahoo, AOL and Mail.ru are examples of major ISPs that have implemented a restrictive "p=reject" DMARC policy. This doesn't impact your ability to send mail to those domains. It means that those ISPs are restricting who can use their domain names in a from address and restricting where that from address can be used. The primary net effect for Marketing Cloud clients is that you should never use a from address in a domain that you don't own.

A secondary effect for Marketing Cloud clients is that if you use our Reply Mail Management (RMM) email reply forwarding functionality, some replies from ISPs like Yahoo and AOL may not make it back to you, because those domains have restrictive DMARC policies that make email forwarding more complicated. We have a fix available for this; simply contact support or your client success manager and ask for help enabling the RMM DMARC setting. This will make the RMM email forwarding process rewrite email headers as necessary to work around any domain restrictions.

Q: I heard Google was going to require DMARC in order to be able to send email to Gmail users in June 2016. Is this correct?

A: Not exactly. Google has indicated that they're going to add a restrictive "p=reject" DMARC policy at some point in 2016. As noted above, this policy does not impact your ability to send email to Gmail users. It may impact RMM's reply forwarding, but this is fixable as also noted above.

Google has not said that they're going to require that senders must implement DMARC to reach the inbox reliably. However, that could change in the future, so stay tuned. In the meantime, we recommend that you implement our Sender Authentication Package (SAP) solution, which allows you to map your custom domain to our email platform, providing you a dedicated IP address, complete domain mapping over link tracking and image hosting. Most importantly, it provides DKIM authentication, which indirectly helps with your deliverability, and is a necessary first step if you plan to implement DMARC in the future.

Looking for more tips and tactics for reaching the inbox? Check out this recorded webinar: 7 Email Marketing Secrets to Stay Out of Email Jail.