Domain-based Message Authentication, Reporting & Conformance (DMARC) is a critical component of a truly secure email program, helping brands protect their customers, employees, and partners from phishing and spoofing attacks.
In 2022, it’s estimated that more than three billion phishing emails are sent daily. DMARC is an essential line of defense for a domain owner against these fraudulent emails. But despite its importance, very few email marketers know how to effectively use DMARC to improve their email security.
To help you strengthen your email security, let’s explore how to get started with DMARC and answer a few common questions about the protocol.
History of DMARC
Introduced in 2012, DMARC is the most important protocol to be added to the list of email authentication standards.
DMARC builds on two common email validation protocols—Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM)—and was designed to provide greater email security for senders and email domain owners alike.
DMARC was initially used by high-value online industries like financial services, but is now universally recommended for email marketers across all industries. DMARC is supported by all major mailbox providers and is key in both protecting email from malicious activity and improving deliverability. However, its adoption has been hindered due to its complexity and multi-tiered implementation approach. If you’re confused by the more technical aspects of DMARC, we’re here to help!
Why use DMARC for email?
DMARC is the biggest safety check for your email program and is significantly harder for spammers to crack than SPF—which defines which IP addresses are authorized to send mail from your domain—and DKIM—which “signs” your messages in a verifiable way for mailbox providers (MBPs).
Can you confirm that there is no unauthorized mail originating from your domains? With DMARC, you get instant insight into the performance and actual sending activity from your domains. With this protocol in place, you can rest assured that any malicious mail potentially coming from your domain is automatically routed away from your recipients—which helps protect your brand reputation and saves your customers from email attacks.
How does DMARC work?
At its core, Domain-based Message Authentication involves a series of checks to ensure emails are being sent by trustworthy sources (or authorized IP addresses). If the email fails either its SPF or DKIM check, it is filtered to a spam folder or rejected entirely by mail servers, depending on how the DMARC policy is set up.
The most important elements of DMARC are alignment and reporting.
Alignment ensures there is no spoofing of a critical authentication signal: the “header from” address. DMARC domain alignment indicates the “header from” domain name matches the “envelope from” domain, as determined by an SPF check. This is how DMARC builds on the basic security of SPF.
Then, DMARC verifies if the “header from” domain matches the “d= domain” in the DKIM signature. That’s where DKIM plays its critical role.
Putting this all together, DMARC evaluates two signals: SPF authentication together with SPF alignment, and DKIM authentication together with DKIM alignment. If the message fails both signals of alignment, it fails DMARC authentication.
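As an added example (not code from the original post), here is the alignment logic above written out in Python. It follows the DMARC specification (RFC 7489): the "header from" domain is compared with the SPF-authenticated domain and with the DKIM d= domain, in either relaxed (same organizational domain) or strict (exact match) mode, and one aligned, authenticated identifier is enough for a pass, so a message fails only when both signals fail. The organizational-domain helper is a simplification that takes the last two labels instead of consulting the Public Suffix List, and the sample message and its sending domains are constructed.

```python
"""DMARC identifier alignment (RFC 7489 section 3.1), added illustration.

The RFC5322.From domain must align with the SPF-authenticated domain
(RFC5321.MailFrom) and/or the DKIM signing domain (d=). One aligned,
authenticated identifier is enough for a DMARC pass.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class AuthResults:
    header_from: str              # domain of the RFC5322.From header
    spf_domain: Optional[str]     # RFC5321.MailFrom ("envelope from") domain
    spf_pass: bool                # did the SPF check itself pass?
    dkim_domain: Optional[str]    # d= tag of the DKIM signature, if any
    dkim_pass: bool               # did the DKIM signature verify?


def organizational_domain(domain: str) -> str:
    """Simplified organizational domain: the last two labels.

    Assumption for brevity: a real implementation consults the Public
    Suffix List so that e.g. 'example.co.uk' is handled correctly.
    """
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def aligned(header_from: str, other: Optional[str], mode: str = "r") -> bool:
    """Strict ('s') alignment requires an exact domain match; relaxed ('r',
    the DMARC default) only requires the same organizational domain."""
    if not other:
        return False
    a = header_from.lower().strip(".")
    b = other.lower().strip(".")
    if mode == "s":
        return a == b
    return organizational_domain(a) == organizational_domain(b)


def dmarc_result(r: AuthResults, adkim: str = "r", aspf: str = "r") -> dict:
    """Combine authentication and alignment into the DMARC verdict."""
    spf_aligned = r.spf_pass and aligned(r.header_from, r.spf_domain, aspf)
    dkim_aligned = r.dkim_pass and aligned(r.header_from, r.dkim_domain, adkim)
    return {
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        # Either aligned identifier passes; only failing both fails DMARC.
        "dmarc": "pass" if (spf_aligned or dkim_aligned) else "fail",
    }


if __name__ == "__main__":
    # Constructed sample: a newsletter sent through a bulk provider that
    # uses its own bounce domain (so SPF is not aligned) but signs with
    # the brand's own DKIM key (so DKIM is aligned).
    msg = AuthResults("validity.com", "bounce.esp-example.net", True,
                      "validity.com", True)
    print(dmarc_result(msg))
```

The sample message passes on DKIM alone, which is the common case for mail sent through a third-party platform; switching the record to strict SPF alignment (aspf=s) would not change that, but a message sent from a subdomain with only an SPF pass would flip from pass to fail.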
Who can use DMARC and how do you get started?
Everyone can—and should—use DMARC. If you’re an email marketer without any kind of authentication standards set up for your mail, you need to take a few steps before using DMARC, including:
- Properly configure both SPF and DKIM. DMARC cannot perform its validation function without those two elements.
- Publish the SPF and DKIM records for your domain.
It will take some up-front work to qualify for DMARC, but it’s an essential way to protect your email program.
Mitigate the impact of spoofing with DMARC
Just because a message fails DMARC doesn’t mean it won’t be delivered. A failure simply indicates that the message did not produce an aligned pass from either the SPF or the DKIM check.
If you (the domain owner) are receiving and analyzing DMARC reports (which we’ll explain later), you’ll be able to determine how you’d like messages that fail DMARC to be handled. But unless you choose to enforce DMARC, the mailbox provider (MBP) won’t follow the action you outline for emails failing DMARC.
DMARC commonly involves three mail receiver policies:
Monitor policy: p=none
The starter policy for DMARC is one of basic monitoring. Creating a record with p=none enables nothing but the ability to get visibility into DMARC results. You’ll receive daily reports with the information so you can determine how much of the failing mail is legitimate and how much is not.
Failures can indicate several things:
- Your domain might be spoofed
- People within your organization are sending email from your domain without your knowledge
- You haven’t specified a DKIM signature
Using the monitor policy reports that are sent to the domain owner, you can understand your DMARC results and work to resolve any issues identified.
Many email marketers implement p=none and leave it at that, assuming this level of protection is adequate. But without providing instruction to the receiving server, you have no control over the handling of failed messages and you put nothing in the way of malicious mail being delivered. This brings us to the next two receiver policies.
Quarantine policy: p=quarantine
Going one step further from p=none, you can instruct MBPs to segregate mail that fails DMARC from mail that passes. This is a quarantine policy, indicated by p=quarantine in your DMARC record. While you have to begin your DMARC journey with p=none, p=quarantine is the next escalation step in truly protecting your recipients from possibly harmful communication that claims to come from your brand.
After the receiving server checks the DMARC record to confirm alignment, it will follow the next course of action determined by your policy. With a policy of p=quarantine, mailbox providers will follow your direction and filter the mail into a quarantine or spam folder.
This step is very important in keeping phishing and spoofing scams away from your recipients. By protecting message recipients, you better protect your brand from reputation damage and negative impacts on your email deliverability as a whole.
Once you implement a p=quarantine policy, you’re at DMARC “enforcement.” This means you’re eligible to use BIMI, an email specification that allows brand logos to display within the inbox of supporting email clients.
Reject policy: p=reject
If you want to provide the fullest protection DMARC can offer, you should enforce DMARC at its strictest policy level: p=reject. Much like it sounds, if a message from your domain fails DMARC, a p=reject policy instructs the MBP to reject the email entirely.
This level means you’ve taken every step available to make your DMARC record work for you. The reject policy allows monitoring for illegitimate or harmful mail by refusing it definitively and reporting back to you on this activity every day.
Surprisingly, adoption of DMARC itself is relatively low, and among the marketers who use it, few use it at its full p=reject strength.
Learn more about DMARC, the value it provides, and the requirements to begin your implementation.
What is a DMARC record and what does a DMARC record look like?
DMARC records don’t need to be intimidating. To make building a DMARC record easier, there are specific components you’ll need to understand.
First, DMARC code relies on tags. These tags provide directions to receiving mail servers regarding how to treat incoming email. Only two are required:
- v: Version. This identifies the TXT record as DMARC, making it distinguishable from other TXT records. It needs to have a value of “DMARC1” and must be listed as the first tag in the whole record. If the tag is not listed first or its value is not DMARC1, the receiver will simply ignore the record.
- p: Requested Mail Receiver Policy. This is where your policy level matters. Your DMARC record must include a p= value so the receiver knows what actions to take when running the DMARC check. You can have p=none, p=quarantine, or p=reject.
You can also format the DMARC record to protect your top-level (or main) domain. Any subdomain you use from there will also be protected. For example, if we send mail from validity.com but we also have a webstore sending email from store.validity.com, a DMARC record to protect validity.com will apply to the store subdomain as well.
If you’d like subdomains to have a different enforcement policy than your top-level domain, you can designate that within the record. For instance, validity.com should be at reject, but store.validity.com should be at none. The record would read “v=DMARC1; p=reject; sp=none” to properly apply the policies. p indicates the primary policy and sp designates the subdomain policy.
Within the record, you can designate where to send your DMARC reports, both aggregate and forensic.
There are several other tags you can use in your record to change default values assumed when the server is checking for DMARC alignment. These don’t need to be manipulated, but you can if you want a more customized report. We walk you through how to understand your DMARC record and the optional tags here.
There are several issues you might run into after implementing DMARC. For instance, you might see your email consistently being placed in the spam folder or repeatedly rejected by receiving servers.
A smart early step in troubleshooting DMARC is to confirm the record is configured properly. If you can verify there are no problems with the record itself, move on to analyzing your SPF and DKIM records. Remember, DMARC checks for alignment for both SPF and DKIM.
You should also check your email headers to understand whether or not they’re passing SPF and DKIM. If there are issues there, you don’t truly have a DMARC problem.
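To make the tag rules above concrete, and as the first troubleshooting step of confirming that the record itself is well-formed, here is a small DMARC record parser and checker in Python. It is an added example, not code from the original post or from Validity’s tools. It enforces the rules described in the record section (v=DMARC1 must come first, p= is required and must be none, quarantine or reject, sp= must be a valid policy) and also checks the optional adkim, aspf, pct, rua and ruf tags; policy_for shows which policy a receiver applies to a subdomain when sp= is present. The records used to exercise it, including the reporting address, are constructed.

```python
"""DMARC TXT record parser and sanity checker, added illustration."""
from typing import Dict, List, Tuple

VALID_POLICIES = {"none", "quarantine", "reject"}
VALID_ALIGNMENT = {"r", "s"}   # relaxed / strict


def parse_dmarc_record(txt: str) -> Tuple[Dict[str, str], List[str]]:
    """Parse a DMARC TXT record into its tags and return (tags, errors).

    An empty errors list means the record is one a receiver will honour.
    Tag names are lower-cased; values are kept exactly as published.
    """
    tags: Dict[str, str] = {}
    errors: List[str] = []
    order: List[str] = []
    for raw in txt.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        if "=" not in raw:
            errors.append(f"malformed tag (no '='): {raw!r}")
            continue
        name, value = (part.strip() for part in raw.split("=", 1))
        name = name.lower()
        if name in tags:
            errors.append(f"duplicate tag: {name}")
        tags[name] = value
        order.append(name)

    # v= must be the very first tag and must equal DMARC1, or receivers ignore the record.
    if not order or order[0] != "v" or tags.get("v") != "DMARC1":
        errors.append("record must begin with v=DMARC1; receivers ignore it otherwise")
    # p= is the other mandatory tag.
    if "p" not in tags:
        errors.append("required tag p= is missing")
    elif tags["p"].lower() not in VALID_POLICIES:
        errors.append(f"invalid p= value: {tags['p']}")
    if "sp" in tags and tags["sp"].lower() not in VALID_POLICIES:
        errors.append(f"invalid sp= value: {tags['sp']}")
    for tag in ("adkim", "aspf"):
        if tag in tags and tags[tag].lower() not in VALID_ALIGNMENT:
            errors.append(f"invalid {tag}= value: {tags[tag]}")
    if "pct" in tags and not (tags["pct"].isdigit() and int(tags["pct"]) <= 100):
        errors.append(f"pct= must be an integer from 0 to 100: {tags['pct']}")
    for tag in ("rua", "ruf"):
        for uri in (u.strip() for u in tags.get(tag, "").split(",") if u.strip()):
            if not uri.lower().startswith("mailto:"):
                errors.append(f"{tag}= destination is not a mailto: URI: {uri}")
    return tags, errors


def policy_for(tags: Dict[str, str], header_from: str, record_domain: str) -> str:
    """Policy a receiver applies to mail whose From domain is header_from,
    using the record published at record_domain: sp= for subdomains when
    it is present, otherwise p=."""
    hf = header_from.lower().strip(".")
    org = record_domain.lower().strip(".")
    is_subdomain = hf != org and hf.endswith("." + org)
    if is_subdomain and "sp" in tags:
        return tags["sp"].lower()
    return tags.get("p", "none").lower()


if __name__ == "__main__":
    # The example record from the text: reject at validity.com, none for subdomains.
    tags, errors = parse_dmarc_record("v=DMARC1; p=reject; sp=none")
    print(tags, errors)
    print(policy_for(tags, "store.validity.com", "validity.com"))   # none
    print(policy_for(tags, "validity.com", "validity.com"))         # reject
```

Feeding it a record that writes the version tag as “v:DMARC1” produces two errors (a malformed tag and a missing leading v=DMARC1), which is exactly the kind of silent misconfiguration that leaves a domain unprotected while the owner believes DMARC is in place.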
This guide can help you understand how to achieve DMARC compliance and help you ensure alignment in your identifiers.
DMARC can greatly improve your ability to see issues and take appropriate action as quickly as possible. You’ll be more likely to notice a spoofing or phishing incident with DMARC enabled, meaning your email reputation won’t be quietly damaged without your knowledge.
You will also benefit from a decrease in SPF and DKIM failures, because only mail you can verify on your end as legitimate will be coming from your domains. A steady stream of threat-free email is always a boon to your email reputation, and your delivery rates should improve along with the trend.
What do DMARC reports look like?
It is essential that you understand how to interpret the information a DMARC policy will provide you. Without the ability to turn insight into action, you’re not using the standard to its fullest extent.
Aggregate reports are your daily reports. They’ll show you all the information gleaned from your email deployments. This includes the IPs from which the emails originated, plus your SPF and DKIM results. What you learn from these reports allows you to confirm your legitimate email is being categorized as such, and that you’ve got all your appropriate IP addresses authorized.
You’ll receive a forensic report when an email you sent fails SPF and DKIM authentication. Thanks to the added layer of information DMARC can provide, you’re able to get details about the incident. You’ll see which address it came from and where it went, plus a subject line. You might get the email header as well.
As you can imagine, forensic reports for every authentication failure can begin to pile up. After you’re comfortable with your aggregate reports, you might want to only enable forensic reports when a spoofed email is detected.
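The daily aggregate reports are XML documents in the format given in RFC 7489 Appendix C, and the action comes from summarizing them: which source IPs sent mail as your domain, how much of it produced an aligned SPF or DKIM pass, and how much would be quarantined or rejected under a stricter policy. Here is an added example in Python (not code from the original post or from Everest) that parses a constructed report for validity.com containing one legitimate source and one unknown source failing both checks, and flags the unknown failing sources. The report contents, IP addresses, reporter and report ID are all constructed. Reports arrive from third parties, so in production parse them with the defusedxml package rather than the standard library parser.

```python
"""Parse and summarize a DMARC aggregate (rua) report, added illustration."""
import xml.etree.ElementTree as ET
from typing import Dict, Iterable, List

# Constructed sample aggregate report (RFC 7489 Appendix C layout).
SAMPLE_REPORT = """<feedback>
  <report_metadata>
    <org_name>example-mbp</org_name>
    <email>noreply-dmarc@example.net</email>
    <report_id>constructed-0001</report_id>
    <date_range><begin>1700000000</begin><end>1700086399</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>validity.com</domain>
    <adkim>r</adkim><aspf>r</aspf>
    <p>none</p><sp>none</sp><pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>192.0.2.10</source_ip>
      <count>1200</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>validity.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>validity.com</domain><result>pass</result><selector>s1</selector></dkim>
      <spf><domain>validity.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.77</source_ip>
      <count>35</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>validity.com</header_from></identifiers>
    <auth_results>
      <spf><domain>mail.bad-example.org</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def parse_aggregate_report(xml_text: str) -> Dict:
    """Return the published policy and one entry per <record> row."""
    root = ET.fromstring(xml_text)
    policy = {child.tag: child.text for child in root.find("policy_published")}
    rows: List[Dict] = []
    for rec in root.findall("record"):
        row = rec.find("row")
        evaluated = row.find("policy_evaluated")
        dkim = evaluated.findtext("dkim")   # aligned DKIM result
        spf = evaluated.findtext("spf")     # aligned SPF result
        rows.append({
            "source_ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "header_from": rec.find("identifiers").findtext("header_from"),
            "dkim": dkim,
            "spf": spf,
            "disposition": evaluated.findtext("disposition"),
            # DMARC passes on either aligned identifier; both failing fails.
            "dmarc_pass": dkim == "pass" or spf == "pass",
        })
    return {"policy": policy, "rows": rows}


def summarize(report: Dict, known_sources: Iterable[str]) -> Dict:
    """Roll up the rows: total volume, failing volume, and failing IPs you
    do not recognise (candidates for spoofing or unregistered senders)."""
    known = set(known_sources)
    rows = report["rows"]
    failing = [r for r in rows if not r["dmarc_pass"]]
    return {
        "domain": report["policy"].get("domain"),
        "published_policy": report["policy"].get("p"),
        "total_messages": sum(r["count"] for r in rows),
        # Under p=quarantine or p=reject these messages would not reach the inbox.
        "failing_messages": sum(r["count"] for r in failing),
        "unknown_failing_sources": sorted(
            {r["source_ip"] for r in failing if r["source_ip"] not in known}
        ),
    }


if __name__ == "__main__":
    report = parse_aggregate_report(SAMPLE_REPORT)
    # 192.0.2.10 is the (constructed) known legitimate sending IP.
    print(summarize(report, known_sources=["192.0.2.10"]))
```

Run against the sample, the summary shows 1,235 messages in total, 35 of them failing from one IP that is not on the known-sender list: under p=none those 35 were delivered, and the report is the only place the domain owner would ever see them.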
Automate your DMARC reporting with Everest to quickly identify and respond to issues that could cause significant damage.
Do I need DMARC?
Everyone can benefit from DMARC. Unfortunately, the majority of senders don’t use DMARC, which puts not only their brand and sender reputations at risk, but also their email recipients. You’ll know if you have SPF or DKIM failures, but you won’t benefit from the granularity of DMARC reports unless you’ve done the legwork to implement DMARC. Without DMARC, you’re leaving lots of information on the table, and without those insights, your email program could be at risk.
Can I set up DMARC by myself?
Yes! That being said, it can be tricky and stressful. You’ll need a high level of confidence in your ability to build a functional record. You also might need help making sense of the reports you’ll receive, or how to solve the issues you’re seeing in them. If you’re not feeling confident enough to take on DMARC by yourself, there are lots of tools to help you get up and running. For example, Everest, Validity’s email success platform, can assist you in the set-up, implementation, and interpretation of DMARC.
What if I don’t use DMARC?
Technically, there is no penalty. MBPs don’t treat mail without an associated DMARC policy unfavorably, but you certainly won’t benefit from the additional signals DMARC can send to the receiver. You also put yourself at greater risk of reputational damage, because you could be spoofed without your knowledge. If you have SPF and DKIM set up, it can be relatively simple to add DMARC to the mix. However, if you don’t want to add DMARC, you don’t necessarily face a crash-and-burn scenario with your email program.
Does Gmail use DMARC?
Gmail and other email providers including AOL, Comcast, Hotmail and Yahoo! Mail all enable DMARC. You can learn more about using DMARC in Gmail in this guide on its help center.
Is DMARC free?
DMARC itself is free; however, you will need to dedicate time and resources to setting up your protocols and performing ongoing monitoring of your alignment and deliverability. We recommend you adopt an email marketing and deliverability solution like Everest to help your team more quickly implement and manage DMARC.
Do I need DKIM if I have DMARC?
DMARC requires you to enable both DKIM and SPF, as it relies on these protocols to know if an email is safe and legitimate.
What is DMARC versus DKIM?
DKIM and DMARC are both security protocols for email, and DMARC relies on both DKIM and SPF to assess if an email is legitimate and, if not, where it should go.
Can DMARC pass if SPF fails?
A message cannot pass DMARC if it fails either SPF or DKIM. This is why DMARC is regarded as the highest level of security for email.
Ensure all emails are received safely
By enabling DMARC in their email marketing strategies, domain owners can better identify and prevent potentially malicious activity and protect their email recipients. However, email deliverability can be affected by a multitude of factors that go beyond Domain-based Message Authentication.
Discover how Everest can help you set up and monitor proper email authentication to keep your program safe and secure.