By Louis Pelosi

Domain-Based Message Authentication, Reporting & Conformance (DMARC) Policy

BNL Cyber Security has implemented DMARC (Domain-Based Message Authentication, Reporting & Conformance), an email authentication policy that relies on the DKIM (DomainKeys Identified Mail) and SPF (Sender Policy Framework) email authentication protocols.

The DMARC policy has been implemented as part of a directive issued by the U.S. Department of Homeland Security to combat email forgery, phishing, and spam. For more information about DMARC, refer to its frequently asked questions (FAQ) section.

In short, DMARC guarantees the authenticity of an email sender's domain or organization and encodes headers into each outgoing email to ensure that messages claiming to have been sent from a domain in fact have been sent from that domain.

The DMARC implementation may also have an undesirable side effect: some emails sent to list servers or forwarded to third parties may be "bounced," or rejected by remote servers, due to a mismatch between the third-party sender’s domain and the original sender’s encoded domain.
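
The mismatch described above shows up when a receiving server checks whether the SPF or DKIM domain lines up with the From domain. The Python sketch below is an added example, not BNL's or any mail server's own code; the two messages, the hosts mx.example.net and lists.example.org, and the two-label organizational-domain shortcut are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: sent directly through the domain's own SMTP server.
DIRECT = (
    "From: Some User <user@bnl.gov>\n"
    "Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=user@bnl.gov;\n"
    " dkim=pass header.d=bnl.gov\n"
    "Subject: status\n\nbody\n"
)
# Constructed sample: relayed by a list server that rewrote the envelope sender
# and altered the body, so the original DKIM signature no longer verifies.
LIST_FORWARDED = (
    "From: Some User <user@bnl.gov>\n"
    "Authentication-Results: mx.example.net;\n"
    " spf=pass smtp.mailfrom=bounces@lists.example.org; dkim=fail header.d=bnl.gov\n"
    "Subject: [list] status\n\nbody plus list footer\n"
)

def org_domain(domain):
    # Assumption: organizational domain = last two labels.
    # Production evaluators consult the Public Suffix List instead.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def dmarc_evaluate(raw_message):
    """Return (from_domain, spf_aligned, dkim_aligned, dmarc_pass), relaxed alignment."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    results = msg.get("Authentication-Results", "")
    spf = re.search(
        r"spf=(\w+)[^;]*?smtp\.mailfrom=(?:[^\s;@]*@)?([^\s;]+)", results)
    dkim = re.findall(r"dkim=(\w+)[^;]*?header\.d=([^\s;]+)", results)
    target = org_domain(from_domain)
    # A bare "pass" is not enough: the authenticated domain must match From.
    spf_aligned = (bool(spf) and spf.group(1) == "pass"
                   and org_domain(spf.group(2)) == target)
    dkim_aligned = any(r == "pass" and org_domain(d) == target for r, d in dkim)
    return from_domain, spf_aligned, dkim_aligned, spf_aligned or dkim_aligned

if __name__ == "__main__":
    for name, raw in (("direct", DIRECT), ("list-forwarded", LIST_FORWARDED)):
        print(name, dmarc_evaluate(raw))
```

In the list-forwarded case SPF passes, but for the list server's domain rather than the From domain, so neither check aligns and the receiver treats the message as failing DMARC.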


The following are suggestions to mitigate any possible problems with DMARC and outgoing email:

  • If you are sending email from your SDCC or BNL account, ensure that the SDCC or BNL SMTP server is configured as your outgoing email server. Instructions are available for configuring a client for sending SDCC email. Refer to BNL ITD's page on email services for non-SDCC information.
  • If you receive a rejection message from an intended destination at a non-BNL domain, it likely is a result of forwarding a message from a DMARC header-encoded domain. Contact the intended recipient about the rejection. You may need to resend the forwarded message by copying its text into a newly composed email in your client.
  • If an email is marked as spam by your intended recipient's client, the recipient's incoming email provider either has not adopted a DMARC policy or has a policy that does not properly recognize the BNL.GOV domain. Contact the intended recipient and share that the email was marked as spam. You also can request that their email provider assess its DMARC policy and configuration.