
Email security has always been a challenge. Encrypting messages alone is not enough to stop hackers and spammers from exploiting email. This is where DMARC evaluation comes into play. DMARC uses DNS to specify how to treat emails that fail to authenticate with SPF, DKIM, or both.

This blog will discuss what DMARC is, why you need it, and how to resolve the 521 5.2.1 failed DMARC evaluation error.

What is DMARC?

DMARC is short for Domain-based Message Authentication, Reporting & Conformance, an email authentication protocol built on the SPF and DKIM protocols. Messages sent from authorized servers are checked against the DMARC-compliant domain’s SPF record and/or DKIM signature. If either check succeeds, the message is delivered. However, if the message fails both checks, it is returned undelivered because it met neither the SPF nor the DKIM requirements.

As of 2021, the number of valid DMARC policies observed in use increased by as much as 84%, to a total of nearly 5 million unique records, compared to 2020.

What is SPF?

SPF is short for Sender Policy Framework, an email authentication protocol that detects and protects against email spoofing. It lets you create a DNS TXT record in which you list all the IP addresses allowed to send email using your domain. SPF helps ISPs and email servers validate messages from a particular domain.

What is DKIM?

DKIM stands for DomainKeys Identified Mail, a protocol that allows you to sign your email digitally. This is done with a unique identifier based on public key cryptography rather than an IP address. The receiving server then compares the private and public hashes to see if they match.

If they match, the message is validated; otherwise, it’s marked as spam.

How Does DMARC Depend on SPF and DKIM?

DMARC depends on both the SPF and DKIM email authentication protocols. It allows you to describe how recipients’ servers should handle unauthorized emails coming from your domain. DMARC defines another DNS record where the public key for the sending domain is stored. These records allow the receiving email server to do the following:

  • Verify that the sender is authorized to send email from the source domain using SPF.
  • Authenticate emails by verifying the digital signature established by DKIM.
  • Decide how unauthenticated emails should be treated by the receiver’s mail server.

Although email system administrators try to be cautious about unauthenticated mail, DMARC helps them decide how such mail should be treated. This works by setting one of three policies: none, quarantine, or reject.

However, you should still train your team on how to prevent phishing and BEC attacks to mitigate the risk.

How DMARC Limits My Messages

Here are some messages you might see on a failed DMARC evaluation.

“521 5.2.1 failed DMARC evaluation: This message failed DMARC evaluation and is being refused due to provided DMARC policy.”

“550 5.7.1- Unauthenticated email from domain.tld is not accepted due to domain’s DMARC policy. Please contact the administrator of the domain.tld domain if this was a legitimate mail. Please visit https://support.google.com/mail/answer/2451690 to learn about the DMARC initiative. 62si14044909itw.103 – gsmtp”

You see these messages because of DMARC errors. This typically happens when mailbox providers refuse messages whose From domain is one of their own addresses but which were sent from an unauthorized mail service provider.

That’s why Twilio SendGrid accounts aren’t allowed to send messages using a Gmail, AOL, or Yahoo From address to any domain that checks DMARC. These complications make it critical to understand what DMARC evaluation is and how to resolve a failed evaluation.

If you still want to send these emails, you’ll have to change the From address to a different, non-protected email address. It’s best to use your own email domain, since it is legitimate. You can also use a vendor’s legitimate email domain. Then set the Reply-To field to the original address that was previously used as the From address.

Note that emails with a failed DMARC evaluation may be discarded and tracked as Blocked. To send them successfully, adjust your From address as described above and then resend from your end.

Syntax Error

While learning what DMARC evaluation is, you may also want to know about syntax errors in DNS records. Common SMTP errors begin with the 554 code, which indicates that the transaction failed. It’s a permanent error, and the server doesn’t resend the message.

  • A 554 5.7.5 permanent error evaluating DMARC policy (Protonmail) reads like this:

The response from the remote server was: 

554 5.7.5 permanent error evaluating DMARC policy

  • A 521 5.2.1 error evaluating DMARC policy reads like this:

This message failed DMARC Evaluation and is being refused due to provided DMARC Policy 

  • A 550 5.7.1 error evaluating DMARC policy reads like this:

Unauthenticated email from example.com is not accepted due to the domain’s dmarc policy

How to Resolve the 521 5.2.1 Failed DMARC Evaluation Error?

What steps can you take to resolve the ‘this message has failed DMARC evaluation’ error? 

To use DMARC, you have to align SPF and a custom DKIM signature. Next, you must ensure all the email servers that use your domain are updated, including the ones your company uses locally, before publishing a DMARC policy. You need to update the policy if you receive a bounce message stating that a message failed DMARC evaluation due to no SPF or DKIM alignment.
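As an added example (not code from the original post), here is a small Python evaluator that covers both the policy section above and the alignment steps just described: it parses a DMARC TXT record and decides a disposition from whether an SPF or DKIM pass is aligned with the From domain. The example.com and example.org records are constructed samples, and the organizational-domain lookup is simplified to the last two labels rather than the Public Suffix List.

```python
# Added example, not code from the original post: parse a DMARC record from DNS
# and apply the SPF/DKIM alignment rules to choose a disposition.

# Constructed sample TXT records keyed by the _dmarc name a receiver would query.
SAMPLE_RECORDS = {
    "_dmarc.example.com": "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; rua=mailto:dmarc@example.com",
    "_dmarc.example.org": "v=DMARC1; p=none",
}

def parse_dmarc(txt):
    """Split 'tag=value; ...' into a dict and fill in the protocol defaults."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    tags.setdefault("adkim", "r")      # relaxed DKIM alignment unless adkim=s
    tags.setdefault("aspf", "r")       # relaxed SPF alignment unless aspf=s
    tags.setdefault("sp", tags["p"])   # subdomain policy inherits p
    return tags

def org_domain(domain):
    """Simplified organizational domain (last two labels); real receivers use the Public Suffix List."""
    return ".".join(domain.lower().split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """Strict mode needs an exact match; relaxed mode needs the same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def evaluate(from_domain, spf_pass_domain=None, dkim_pass_domain=None, records=SAMPLE_RECORDS):
    """Return (disposition, reason) for a message whose From: header uses from_domain.
    spf_pass_domain is the MAIL FROM domain that passed SPF (None if SPF failed);
    dkim_pass_domain is the d= of a DKIM signature that verified (None if none did)."""
    from_domain = from_domain.lower()
    txt, policy_tag = records.get(f"_dmarc.{from_domain}"), "p"
    if txt is None:  # no record at the exact domain: fall back to the org domain and its sp= policy
        txt, policy_tag = records.get(f"_dmarc.{org_domain(from_domain)}"), "sp"
    if txt is None:
        return "none", "no DMARC record"
    rec = parse_dmarc(txt)
    spf_ok = spf_pass_domain is not None and aligned(from_domain, spf_pass_domain, rec["aspf"])
    dkim_ok = dkim_pass_domain is not None and aligned(from_domain, dkim_pass_domain, rec["adkim"])
    if spf_ok or dkim_ok:  # one aligned, passing identifier is enough
        return "none", "pass"
    return rec[policy_tag], "fail: no aligned SPF or DKIM pass"
```

The third-party-sender case from the bounce messages above is `evaluate("example.com", spf_pass_domain="bulkmail.example")`: SPF passes for the sending service, but it is not aligned with the From domain, so the record's p=reject applies.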

You can consult our team of DMARC experts for proper guidance and configuration.