Hey lemlister! 👋
Welcome to your go-to guide on the DMARC policy—what it is, why it matters, and, most importantly, how to set it up for your domain.
We’ll dive into the details behind DMARC, breaking down its key components and explaining the benefits it brings to your email deliverability and security. If you're just here to learn how to set it up, don’t worry—we’ve got you covered! Skip ahead for a straightforward, step-by-step guide to configuring your DMARC policy.
Q: How do I publish a DMARC record?
To publish a DMARC record, follow these steps:
Ensure that SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) are set up for your domain. If not, set them up first and allow them to propagate for at least 48 hours.
Once SPF and DKIM are running properly, you can proceed to set up the DMARC record.
Then, go to your DNS hosting provider, and follow these steps:
Add your DMARC record to your DNS by creating a new record.
Use the TXT record type — this will likely be in a dropdown menu.
Enter _dmarc in the Name or Host field.
Enter the required tag value pairs (v= and p=) as well as any optional tag values needed.
Example of a simple record
v=DMARC1; p=reject; rua=mailto:[email protected]
Save, or create, the DMARC record.
Validate that the DMARC record has been set up correctly by running a DMARC Record Check.
For those who are looking to find out a bit more about the DMARC policies and what they stand for you, can read below:
Q: What is DMARC and why is it important?
DMARC is a technical specification used in email authentication. Its purpose is to protect sending domains from unauthorized use. By that we specifically mean it helps prevent phishing, business email compromises (BECs), and other email scams.
For mailbox providers… DMARC provides information about how to filter messages that fail authentication. This is what your domain’s DMARC policy does. When mailbox providers are unclear about how to handle unauthenticated messages, they may lean toward delivering them. That’s because recipients will be more upset about not receiving real emails than dealing with spam. This is how potentially dangerous emails sneak through.
All major mailbox providers support DMARC. That includes Gmail, Outlook, Yahoo, Apple Mail, and AOL. In fact, implementing DMARC is a signal to these providers that you’re a responsible and reputable sender they can trust.
For email recipients… DMARC makes the inbox a safer place because it prevents malicious phishing attempts and brand spoofing emails from getting delivered. Specifically, it stops emails with forged information in the “from” field of an email header.
For email senders … DMARC helps protect brand reputation and also provides valuable reports on the IP addresses that are sending mail on behalf of your domain. This lets you monitor for email spoofing and find out if legitimate emails are encountering authentication issues that impact deliverability.
You can set up DMARC so that you get daily reports from servers receiving any emails claiming to be from you.
Q: What is a DMARC policy?
When implementing DMARC, email senders have three policy options:
p=none
: This tells mailbox providers to take no specific action on emails that fail authentication. They will most likely be delivered unless it is very obviously spam. A p=none DMARC policy leaves the decision up to mailbox providers.p=quarantine
: This policy informs mailbox providers to send emails that fail authentication to spam or junk folders. These messages may also be blocked.p=reject
: This is the strongest DMARC policy value. It ensures all malicious email is stopped dead in its tracks. If a message fails DMARC when set to “reject” will not be delivered at all.
Here’s a quick explanation of all DMARC tags:
v= | The version of DMARC used (DMARC1). |
p= | The DMARC enforcement policy: none, quarantine, or reject. |
rua= | A list of email addresses where DMARC aggregate reports are sent. |
pct= | The percentage of messages that are subject to the enforcement policy. Default is pct=100. |
aspf= | Defines the alignment mode for SPF, which could be strict or relaxed with pass/fail scenarios. |
adkim= | Defines the alignment mode for DKIM, which could be strict or relaxed with pass/fail scenarios. |
sp= | Represents different enforcement policies for subdomains. |
ruf= | Lists email addresses for sending DMARC failure/forensic reports, which are more detailed than aggregate reports. |
fo= | Indicates the options for creating a DMARC failure/forensic report. |
rf= | Declares the forensic reporting format for message-specific failure reports. |
ri= | Sets the interval for sending DMARC reports, which is defined in seconds but is usually 24 hours or more. |
Q: What’s in a DMARC report?
The aggregate DMARC reports show up in XML format. These can be tough to analyze. You may need a tool that can interpret these reports and present them in a readable way. Here’s a list of some tools that read DMARC reports.
The aggregate DMARC report will arrive daily (unless otherwise specified) in the email addresses listed in your rua tag. You may want to create a special email address just for this purpose, so it doesn’t clutter up your inbox.
Q: What do DMARC reports show?
All domains sending emails using your domain in their From field
The sending IP for each of these
The number of emails being sent each day
Results from SPF and DKIM authentication
DMARC results
Emails that failed authentication and were quarantined (if you used p=quarantine)
Emails that never got delivered (if you used p=reject)
Forensic/failure reports (if you use the ruf tag)
The information in DMARC reports gives you incredible insights into how messages are moving through the email ecosystem as well as how often bad actors are trying to forge emails and impersonate your brand.
Q: What’s the difference between ruf and rua reports?
There are two different types of DMARC reports: aggregate (rua) and forensic (ruf).
Aggregate DMARC Reports | Forensic DMARC Reports |
Combines data on groups of emails. | Sends data for individual messages. |
Delivered daily by default | Delivered in real-time by default |
Contains no personally identifiable information (PII) | May contain personally identifiable information (PII) |
Reports are in XML format | Reports are in plain text |
Only certain mailbox providers will send forensic reports, but since they are for every email you send, it can become a lot to review.
DMARC reports can be very useful for security and compliance concerns. You only need a DMARC policy of p=none to receive reports. However, reporting shouldn’t be your only reason for using this email specification. DMARC is meant to improve email security and make the inbox a safe place for your subscribers.
Why Should You Enforce Strong Authentication For Maximum Deliverability?
Stronger authentication = Better deliverability
We’ve already explained how DMARC helps mailbox providers filter fake emails, protects your subscribers from phishing, and helps you avoid brand reputation damage. But there’s one more potential benefit of a strong DMARC policy… deliverability.
At first glance, it may seem that enforcing a strong DMARC policy would have a negative impact on your deliverability. Some senders hesitate to enforce strict DMARC policies due to this fear. While an incorrectly configured DMARC record or other authentication issues may cause deliverability problems, the truth is that email authentication can lead to better deliverability.
The use of email authentication is a strong signal to mailbox providers that you are a responsible and reliable sender. When you’ve got a good email reputation, you are less likely to get blocklisted, less likely to get filtered into the junk folder, and more likely to land in the inbox.
Enforcing a strong DMARC policy is a clear signal that you are working to do the right thing. It strengthens your reputation as an email sender because it makes it easier for mailbox providers to identify your messages as legitimate and messages from spammers and scammers as malicious.
What is DMARC and How Does it Work?
DMARC stands for Domain-based Message Authentication, Reporting & Conformance. It's an email authentication protocol that helps to verify the identity of the sender and protect recipients of email from malicious spoofing. It works by leveraging existing authentication methods such as SPF and DKIM.
With DMARC, domain owners can publish clear authentication policies for which emails they want to send from their domain and how those emails should be authenticated. When an email is sent from the domain, the receiver can then check whether the mail is authentic based on the domain owner's published policies.
If the email fails to authenticate properly, the receiver can reject the message or send it to the spam folder, depending on the domain owner's instructions. This prevents sensitive emails from being intercepted by attackers.
How Do I Implement DMARC for Maximum Deliverability?
In order to implement DMARC for maximum deliverability, you have to create and publish a DMARC record. The DMARC record is a text record in your domain’s DNS that specifies the authentication policy for email sent from your domain. It includes the domain names you will be sending email from, which authentication methods you will use, and what the receiver should do if the email fails authentication.
It's also important to ensure that DKIM and SPF are properly configured. DMARC relies on these methods to authenticate email, so it's essential that they are working properly. Once you have a DMARC record in place and your other authentication methods are configured correctly, you can start to enforce your DMARC policy. This will improve your deliverability because mailbox providers will have more confidence that your emails are coming from a legitimate source.
Conclusion
Implementing a strong email authentication policy with DMARC is essential for improving your deliverability. Not only does it demonstrate to mailbox providers that you are a legitimate sender, but it also helps to protect your subscribers from malicious emails that impersonate your domain. It's a win-win situation, so start implementing DMARC today.
If you need help with this or anything else don't hesitate to contact us, but please note your DNS records are solely up to your providers.