Out of all the three major email authentication protocols, DMARC is the one that takes the authoritative action if SPF and DKIM on incoming emails fail.
So, DMARC is like the head of the email authentication, verifying the SPF and DKIM validated emails and taking the right action based on their pass and fail status.
This guide will cover all the nitty-gritty of DMARC, including how to set up and check if DMARC passes your domain.
Table of contents
What is DMARC?
DMARC stands for Domain-based Message Authentication, Reporting & Conformance. It is a standard email authentication protocol that takes an authoritative action in case DKIM/SPF fails.
DMARC performs the following functions:
Adds linkages to the author's ("From") domain name.
Publishes policies for handling authentication failures on the part of the recipients.
Reports from receivers to senders.
Monitors and improvises domain protection from fraudulent emails.
An organization can easily incorporate the DMARC protocol into its existing inbound email authentication process. It ensures the email message aligns with the receiver's knowledge of the sender. If it doesn't match, proper guidelines are there to handle such non-aligned messages.
Why should you authenticate emails with DMARC?
The importance of DMARC is deeply tied to email security and deliverability. The major benefits for which you should set up DMARC are as follows:
Provides robust email authentication reporting
DMARC is the only authentication that reports how the incoming emails should be treated based on Sender Policy Framework (SPF), and DomainKeys Identified Mail (DKIM) pass/fail status. So, if an email is DMARC authenticated, it indicates that the sender is legitimate and the content of the email hasn't been tampered with.
Identify spammers quickly
With the help of the DMARC protocol, ISPs or internet service providers can identify spammers quickly. Therefore, it prevents any malicious emails from reaching recipients' inboxes.
DMARC tends to replace Author Domain Signing Practices (ADSP) by assisting in various other aspects such as subdomain policies (wildcarding), non-existent subdomains, slow rollout (such as percentage experiments), SPF, or quarantining mail.
Safeguard your domain from phishing
The DMARC uses the SPF and DKIM to determine an email's authenticity. It helps in reducing email malpractices to a great extent.
The protocol reduces the phishing practices that deliver fraudulent emails to the recipient's inbox. It further minimizes the false positives.
How does DMARC work in email infrastructure?
As discussed earlier, DMARC relies on the validation status of SPF and DKIM, two of the most useful authentication protocols. Besides, the Domain name system (DNS) also plays a major role in DMARC validation.
Briefly, the process looks like this:
Every domain administrator has a DMARC policy that defines email authentication practices and how receiving mail servers should handle email if that policy is violated.
This DMARC policy is listed in that domain's DNS record.
When a receiving mail server receives an incoming email, it uses DNS to look up the DMARC policy for the domain contained in the message's "From" (RFC 5322) header. The receiving server then evaluates the message for three key factors:
Does the message's DKIM signature validate?
Did the message come from IP addresses allowed by the sending domain's SPF records?
Do the headers in the message show proper "domain alignment"?
With this information, the server is ready to apply the sending domain's DMARC policy, which includes whether to accept, reject, or otherwise flag the email message.
After using the DMARC policy, the receiving mail server will report the outcome to the sending domain owner.
Note: The sender domain must pass DKIM. The envelope domain must pass SPF., Or the sender domain is a sub-domain of the envelope domain or vice versa.
How to set up DMARC?
Implementing DMARC policy on your domain name involves a set of processes. Here, changes are made in the DNS records at the domain registrar. Then, an optimal configuration takes place at the end of email providers to send the signed emails.
The basic steps included in the execution process are as follows:
Set up SPF on the envelope domain.
Set up DKIM on the sender domain.
Add the DMARC record.
Test and verify (preferably set the policy to none at this stage).
What is a DMARC record?
A DMARC record is found in an organization's DNS database. A DMARC record is a specially-formatted version of a standard DNS TXT record with a particular name, namely "_dmarc.mydomain.com"
Following is an example of a DMARC record:
_dmarc.mydomain.com. IN TXT “v=DMARC1\; p=none\; rua=mailto:dmarc-aggregate@mydomain.com\; ruf=mailto:dmarc-afrf@mydomain.com\; pct=100”
v=DMARC1 specifies the DMARC version
p=none tag is the policy (meaning what action to take if the message fails DMARC), and
rua=[mailto:dmarc@yourdomain.com](email to:dmarc@yourdomain.com) tag is the email address to send DMARC aggregate reports to.
ruf=mailto:dmarc-afrf@mydomain.com is the mailbox to which forensic reports should be sent
pct=100 is the percentage of mail to which the domain owner would like to have its policy applied
Keep monitoring the overall performance to understand the logistics of the email domains and generate better results.
How to add a DMARC record to your DNS provider?
After setting up SPF and DKIM properly, the DMARC policy will be tested and verified. The DMARC record must be added to your domain's DNS settings.
Here's how you can set up the DMARC DNS:
1. Visit your DNS hosting provider
Firstly, you have to log in to your DNS hosting provider. Different servers have different interfaces. You can also go to the manage/configure DNS settings option. Once logged in, check for the 'Creating a new record' prompt.
2. Create a new DMARC record
Search for the 'TXT' section to create and edit a new record.
3. Enter values
Fill in values for the following fields:
Host/Name: Input the value'_DMARC' in this column. If you enter a DMARC record for a subdomain, then put in '_dmarc.subdomain'. The hosting provider will add the domain or subdomain after the value, respectively.
Record Type: Here, you have to select the 'TXT' DNS record option from the drop-down list.
Value: Every DMARC record requires two tag-value pairs. First is "v" and second, "p." The former "v" has only one tag-value pair provided as v=DMARC1. Three options for the "p" tag pair are usually available: ' none,' 'quarantine,' or 'reject.' The entry of these tag-value pairs will be: 'p=none'; 'p=quarantine' or, 'p=reject'.
4. Tap on create/save
Click on create/save option to generate and submit the DMARC record.
5. Validate record
The step involves direct testing of the new DMARC record. Check and verify the syntax and values added are working correctly. Test all the defined policies to ensure they are performing as required. Hence, there's no scope for any legitimate email to get blocked.
What is DMARC policy?
The DMARC policy specifies how the email servers will deal with and handle the SPF and DKIM. It gives the domain administrators the reporting mechanism to identify any email failure or spoofing attempt on the domain.
A report by IETF Datatracker explains how it's done:
Monitor policy: p=none
This DMARC policy instructs email receivers to send DMARC reports to the address published in the RUA or RUF tag of the DMARC record. This is known as a Monitoring only policy because you gain insight into your email channel with this (recommended starting) policy.
The none policy will give insight into the email channel but does not instruct email receivers to handle emails failing the DMARC checks differently; this is also known as the monitor policy. The none policy only gives insight into who's sending email on behalf of a domain and will not affect the deliverability.
Quarantine policy: p=quarantine
The second policy is the quarantine policy: p=quarantine. Besides sending DMARC reports, the DMARC policy quarantine instructs email receivers to put emails failing the DMARC checks in the receiver's spam folder.
Emails that pass the DMARc checks will be delivered to the primary inbox of the receiver. The quarantine policy will already mitigate the impact of spoofing, but spoof emails will still be delivered to the receiver (in the spam folder).
Reject policy: p=reject
The third policy is the reject policy: p=reject. The DMARC policy was rejected.
Besides sending DMARC reports, the DMARC policy instructs email receivers not to deliver emails failing the DMARC checks. Emails that pass the DMARC checks will be delivered to the primary inbox of the receiver.
Best DMARC analyzer tools
You can check the status of your DMARC authentication using the following DMARC checker tool:
1. Mimecast DMARC Analyzer
Mimecast is one of the pioneers of DMARC, and its analyzer tool is one of the best to keep track of DMARC authentication. The tool offers a 14-days free trial; after that, you can ask for a quote based on the features you'll be using.
2. Glock Apps
Glock Apps is a free DMARC analyzer tool offering you 10,000 DMARC messages monthly. But, if you want more advanced features, you can get their paid plans starting at $15.
3. Dmarcian DMARC Report Analyzer
This tool offers a 14-days free trial without any credit card requirement. The tool will make the DMACR report easy to read and analyze to identify how emails are sent and from your domain.
4. MxToolBox
DMARC checker by MxToolBox is simple and free to use as all you have to do is upload an XML file of your DMARC record. The tool will make the file human-readable by parsing and aggregating them by IP address into readable reports.
Getting your domain DMARC approved with Mailmodo
With Mailmodo, you can easily set up DMARC and start sending out interactive AMP emails. The Mailmodo team assists you in incorporating the DMARC to protect your company's domain name easily and reap the benefits of interactive AMP emails.
What you should do next
Hey there, thanks for reading till the end. Here are 3 ways we can help you grow your business:
Talk to an email expert. Need someone to take your email marketing to the next level? Mailmodo's experts are here for you. Schedule a 30-minute email consultation. Don't worry, and it's on the house. Book a meet here.
Send emails that bring higher conversions. Mailmodo is an ESP that helps you to create and send app-like interactive emails with forms, carts, calendars, games, and other widgets for higher conversions. Get started for free.
Get smarter with our email resources. Explore all our knowledge here and learn about email marketing, strategies, best practices, growth hacks, case studies, templates, and more. Access guides here.