Policy: SMTP Relay for Third Party Sender DMARC Compliance

How can you eventually move to a p=reject policy when third parties are unable to send email properly on your behalf?

In many cases, a DMARC compliant SMTP relay server can do the trick. In this article, we’ll explore some of the facets of sending DMARC compliant email from third parties, what to look for, and how common hosted solutions such as Google Apps, Office 365, and Amazon Simple Email Service (SES) can be leveraged as SMTP relays.

In the world of Internet mail communications, there are many Email Service Providers (ESPs) or third-party senders out there who, by nature, send email for their clients. Hosted services come in many flavors, including mailboxes, productivity applications, marketing, CRM, HR, benefits, healthcare, purchasing, and transactional, to name a few. In a perfect world, they would all send authenticated email on behalf of their clients’ domains. Better yet, they would be DMARC compliant when doing so. For many reasons, most do not comply or do so with some misunderstandings. Consequently, there are many deliverability issues that arise. If you are new to DMARC or need to brush up on the benefits, we have several free videos.

There are also situations where a company no longer hosts mail servers in-house, but does host on-premise Line of Business (LOB) applications which send email on behalf of the company. A relay may also make sense where implementing DMARC compliance on legacy in-house servers is not cost effective or will take too long. We work with many companies, small and large, who run into these challenges each day. To achieve DMARC compliance on your sending domain sooner rather than later, we suggest you find the right SMTP relay provider, then instruct your third party to use the chosen relay service.

For SMTP relay service providers, the list is long, but they aren’t all capable or appropriate for the task. Here’s a list of some of the considerations when approaching an SMTP relay service provider.

  • They must be capable of sending DMARC compliant email on your domain’s behalf
  • They must be either SPF or DKIM compliant (preferably both).
  • They should be able to perform well, relative to the volume you will be sending
  • You need to understand their sending rules for limits and/or throttling
  • They should have a good sender reputation from their servers
  • Look at their documentation – is it easy to understand and configure for any device, email client or interface?
  • Do they have 24/7 support?
  • Are they easy to set up and maintain?
  • Ensure that the account setup is manageable and that they can include your domain in the From: header of all email sent on your behalf
  • Lastly, but certainly not least, it must be configured to provide reliable, authenticated, and secure service for you, employing the latest authentication standards.

Since many companies, small and large, already use the following services, we’ll provide some info on how to become DMARC compliant using them as an SMTP relay.

Google Apps

For organizations that use Google Apps, Google provides an SMTP relay setup within your Google Apps account and one or more configured users to send on behalf of your company. There are additional benefits and complexities to managing the limits; however, it’s a built-in option for most Google Apps subscribers.

Google has this document for SMTP relay service settings: support.google.com/a/answer/2956491?hl=en

Important note: In order to send DMARC compliant email in Google Apps, you must first set up DKIM and DMARC. Google’s process is fairly simple – here are some links to their articles.

Office 365

If you use Office 365, you have the option to use an Office 365 setup for your SMTP relay. Here’s an article from Microsoft that describes the implementation and the process: technet.microsoft.com/en-us/library/dn554323(v=exchg.150).aspx

This article explains the steps one needs to take to set up DMARC in Office 365. We will have an article soon, with screenshots of the process. In the meantime, here is what we know, from Terry Zink at Microsoft: blogs.msdn.com/b/tzink/archive/2014/12/03/using-dmarc-in-office-365.aspx

According to a recent article by Terry Zink, Office 365 is including DKIM signatures by default on all Office 365 (EOP, or Exchange Online Protection) accounts. Here’s the article explaining the benefit: blogs.msdn.com/b/tzink/archive/2015/12/16/exchange-online-is-rolling-out-dkim-signing-to-everyone.aspx

Amazon Simple Email Service (SES)

Some may choose to use Amazon’s Simple Email Service (SES) as a relay service. Amazon has published this article regarding their service: aws.amazon.com/ses/details/

In this Amazon SES article, mention is made of SPF and DKIM. Although DMARC is not mentioned specifically, we can use DKIM to establish the necessary foundation for DMARC deployment and compliance. Amazon’s service uses SPF in a custom implementation, so SPF cannot otherwise be leveraged in the DMARC context.
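
The relay requirements listed earlier (SPF or DKIM compliance, your domain in the From: header) and the DKIM-only path described for SES both come down to identifier alignment, which you can check on a test message sent through the relay. The following is an added example, not code from dmarcian or any provider: it reads the receiver's Authentication-Results header and reports whether SPF or DKIM aligns with the From: domain. The sample messages, the domains (example.com, relay.example.net, vendor.example.org) and the two-label organizational-domain shortcut are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

def org_domain(domain):
    # Simplification (assumption): last two labels. Real DMARC evaluators
    # use the Public Suffix List to find the organizational domain.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain):
    # Relaxed alignment: organizational domains must match.
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_evaluate(raw_message):
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2]
    ar = " ".join((msg["Authentication-Results"] or "").split())  # unfold header
    spf = re.search(r"spf=(\w+)[^;]*?smtp\.mailfrom=(?:[^\s;@]*@)?([^\s;]+)", ar)
    dkim = re.findall(r"dkim=(\w+)[^;]*?header\.d=([^\s;]+)", ar)
    spf_ok = bool(spf) and spf.group(1) == "pass" and aligned(spf.group(2), from_domain)
    dkim_ok = any(res == "pass" and aligned(d, from_domain) for res, d in dkim)
    return {"from": from_domain, "spf_aligned": spf_ok,
            "dkim_aligned": dkim_ok, "dmarc_pass": spf_ok or dkim_ok}

# Constructed sample: third party sends through a relay that DKIM-signs as
# example.com but keeps its own bounce domain (SPF passes, yet is unaligned).
VIA_RELAY = "\n".join([
    "Authentication-Results: mx.receiver.example;",
    " spf=pass smtp.mailfrom=bounces@relay.example.net;",
    " dkim=pass header.d=example.com header.s=relay1",
    "From: HR Portal <hr@example.com>",
    "Subject: Benefits enrollment",
    "", "body",
])

# Constructed sample: the same third party sending directly. SPF and DKIM
# both pass, but only for the vendor's own domain, so DMARC fails.
DIRECT = "\n".join([
    "Authentication-Results: mx.receiver.example;",
    " spf=pass smtp.mailfrom=mailer@vendor.example.org;",
    " dkim=pass header.d=vendor.example.org header.s=s1",
    "From: HR Portal <hr@example.com>",
    "Subject: Benefits enrollment",
    "", "body",
])

if __name__ == "__main__":
    for name, raw in (("via relay", VIA_RELAY), ("direct", DIRECT)):
        print(name, dmarc_evaluate(raw))
```

The second sample shows why a vendor's "SPF pass" or "DKIM pass" alone says nothing about readiness for p=reject: the passing identifier has to belong to the domain in the From: header.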

Of course, there are many other SMTP relay services. If you find one or many that conform to the above requirements, we’d love to know. Please send them our way.


This article was written by Bob Pazden for dmarcian, inc.