How do I achieve DMARC compliance?


So you decided to implement a stricter DMARC policy to protect yourself from a recent spoofing attack. Great job! But upon review of your non-compliant mail sources, you realize one of them is an authorized vendor that is not DMARC-compliant. What do you do?

One of the more important details to identify during the DMARC authentication setup process is identifier alignment, which is often the issue with non-compliant mail sources. Before we get into the alignment discussion, we need to understand the domains authenticated during a DMARC policy check.

[Figure: Process of DMARC authentication, step by step]

[Figure: Example of a DMARC header]

For mail to authenticate successfully with DMARC, either the DKIM signature or the SPF check needs to return a pass. This would be sufficient for those simply in DMARC monitoring mode (p=none). But once you move to a stricter policy (p=quarantine or p=reject), you also need to ensure the domains mentioned in the headers align with, or match, each other.

For email to be considered DMARC compliant, the policy domain (Header.FROM) should match either the SPF domain or the DKIM domain. This is called identifier alignment. The alignment can be specified in either strict mode (an exact match) or relaxed mode (a match of the organizational domain).

Coming back to the original question, you have a few options when sending from third-party sources.

  1. Delegate a subdomain so they can put their own DKIM and SPF records in the DNS. The third-party sender does not need to publish a DMARC record, as your record under the organization name will cover it.
  2. Give the third party a private DKIM key to sign the email and publish the public key in your DNS, and/or add their sending IP (maybe via an SPF include) to your SPF record.

There might be a scenario in which the vendor is not capable of DKIM-signing the email. In that case, create a subdomain specifically for these email flows. Using a specific subdomain with a p=none policy will allow you to monitor non-compliant email, and allow your primary domain to publish a p=reject policy without blocking non-compliant emails.
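The alignment check described above, applied to the third-party sending options, as an added example that is not part of the original post. All domains are constructed samples, the small suffix set is an assumed stand-in for the full Public Suffix List, and `aspf`/`adkim` are the DMARC record tags that select strict (`s`) or relaxed (`r`) mode.

```python
# Added example: DMARC identifier alignment in strict and relaxed mode.
# ASSUMPTION: real evaluators derive the organizational domain from the full
# Public Suffix List; this tiny constructed set stands in for it.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}

def org_domain(domain):
    """Return the organizational domain: public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):          # longest candidate suffix first
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])          # fallback when no suffix matches

def aligned(from_domain, auth_domain, mode="r"):
    """mode 's' = strict (exact match), 'r' = relaxed (same org domain)."""
    a = from_domain.lower().rstrip(".")
    b = auth_domain.lower().rstrip(".")
    return a == b if mode == "s" else org_domain(a) == org_domain(b)

def dmarc_result(header_from, spf, dkim, aspf="r", adkim="r"):
    """spf and dkim are (result, domain) tuples.
    A mechanism counts only if it passed AND its domain aligns."""
    spf_ok = spf[0] == "pass" and aligned(header_from, spf[1], aspf)
    dkim_ok = dkim[0] == "pass" and aligned(header_from, dkim[1], adkim)
    return "pass" if (spf_ok or dkim_ok) else "fail"

# Constructed sample messages, all with Header.From at example.com.
SAMPLES = {
    # Vendor authenticates only its own domains: SPF and DKIM pass, no alignment.
    "vendor, unaligned": (("pass", "bounce.vendor.example.net"),
                          ("pass", "vendor.example.net")),
    # Option 1: delegated subdomain carries the vendor's SPF and DKIM records.
    "delegated subdomain": (("pass", "news.example.com"),
                            ("pass", "news.example.com")),
    # Option 2: vendor signs with a key published under your own domain.
    "vendor signs as you": (("pass", "bounce.vendor.example.net"),
                            ("pass", "example.com")),
}

if __name__ == "__main__":
    for name, (spf, dkim) in SAMPLES.items():
        relaxed = dmarc_result("example.com", spf, dkim)
        strict = dmarc_result("example.com", spf, dkim, aspf="s", adkim="s")
        print(f"{name:22} relaxed={relaxed} strict={strict}")
```

The delegated-subdomain case passes only in relaxed mode, so check the alignment mode in your DMARC record before choosing that option.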

You might be feeling a little overwhelmed at this point, but that’s totally ok. That’s why we’re here! Reach out to us and we’ll help you figure out what’s going right, what’s gone left, and how to get your DMARC into tip-top shape!


