We're pushing a change today, August 4, 2015 at 12:00pm UTC, that makes domain verification mandatory when you add a new sending domain and set up SPF and DKIM. This change won't be applied retroactively, so if you added a domain to your Mandrill account before today and set up SPF and DKIM, we'll still sign your mail as usual. However, we still urge you to verify every sending domain on your account.
Many users who own private domains were concerned that setting up SPF and DKIM would allow any Mandrill user to send mail authenticated for their domain. To address that concern, over two years ago we added support for domain verification, but it was optional. To further protect domain owners, we'll now require verification before signing emails for a domain. This change protects domain owners who use Mandrill and have SPF and DKIM set up, but who don't want every Mandrill user to be able to send from their domain and have that mail signed for it.
How it Works
Now, when you send from a new domain or add a domain manually in your Mandrill account and also set up SPF and DKIM for that domain, you'll need to verify it. By verifying your domain, you confirm ownership of that domain and prevent other Mandrill accounts from sending mail authenticated by your domain. Once you verify a domain in your account, any other Mandrill user that wants to sign with that domain will also need to go through the verification process. If they don't verify the domain, the email will still be delivered, but will be signed with a generic
One thing domain verification doesn't do is prevent other Mandrill users from sending email from your domain. Instead, regardless of how you send email (or which ESP you might use), for an added level of protection from phishing and spoofing, we strongly recommend setting up DMARC in addition to SPF and DKIM. When you set up DMARC, as the domain owner you can explicitly tell receiving mail servers how you want them to handle email from your domain that doesn't authenticate. For example, you might have a DMARC policy that tells receiving servers to reject any email from your domain when SPF and DKIM checks don't pass.
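As an added illustration (not Mandrill's code) of how a receiving server applies the DMARC policy just described: a minimal evaluator that parses a constructed _dmarc TXT record, checks whether the SPF and DKIM identifiers align with the From: domain, and returns the disposition. The organizational-domain helper is a deliberate simplification (real evaluators consult the Public Suffix List), and all domains and records below are constructed sample values.

```python
from dataclasses import dataclass

# Constructed DMARC TXT record for the example domain; a real one is whatever
# the owner publishes at _dmarc.<domain>. p=reject tells receivers to refuse mail
# that fails both aligned SPF and aligned DKIM.
DMARC_RECORD = "v=DMARC1; p=reject; adkim=r; aspf=r; rua=mailto:dmarc@example.com"

def parse_dmarc(txt):
    """Split a DMARC TXT record into its tag=value pairs (lower-cased tag names)."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    tags.setdefault("adkim", "r")   # relaxed alignment is the RFC 7489 default
    tags.setdefault("aspf", "r")
    return tags

def org_domain(domain):
    # Simplification: treat the last two labels as the organizational domain.
    # Real evaluators use the Public Suffix List to find it.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    # Strict ("s") requires an exact match; relaxed ("r") only the same org domain.
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

@dataclass
class AuthResult:
    from_domain: str   # domain in the RFC5322.From header the user sees
    spf_result: str    # "pass", "fail", ...
    spf_domain: str    # RFC5321.MailFrom domain SPF was evaluated against
    dkim_result: str   # "pass", "fail", "none", ...
    dkim_domain: str   # d= tag of the DKIM signature that verified

def dmarc_disposition(record_txt, r):
    """Return 'pass' if any aligned identifier passed, else the domain's p= policy."""
    policy = parse_dmarc(record_txt)
    spf_ok = r.spf_result == "pass" and aligned(r.spf_domain, r.from_domain, policy["aspf"])
    dkim_ok = r.dkim_result == "pass" and aligned(r.dkim_domain, r.from_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    return policy.get("p", "none")
```

A message that carries your domain in From: but is signed with, and passes SPF for, some unrelated sender's domain has no aligned identifier, so under p=reject the receiver refuses it even though SPF and DKIM individually "passed".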
And for now, if you're the domain owner, but you don't have a Mandrill account, you'll need to work with the Mandrill account holder who's sending from the domain to request verification and verify the domain.