Setting up DMARC for your Corporate Environment

You’ve spent so much time protecting the sending reputation of your email program, but what about your corporate environment? Doesn’t it deserve the same type of anti-fraud methods you’ve implemented for your marketing and/or transactional emails? One way you can be an anti-fraud champion is by educating your company about SPF, DKIM, and DMARC.

Setting up a DMARC record for any sending environment should follow the same basic enforcement principles – start in monitor mode, progress to quarantine mode, and graduate to reject mode to stop the fraudulent emails from reaching the inbox or bulk/spam folders. Though, you may find that you spend more time in monitor mode with your corporate environment, as there may be multiple third-party senders you’re unaware of. For example, perhaps employee benefits, retirement planning, and/or time management system are sent from several third-party MTAs that use your sending domain.  So take your time auditing your DMARC reports to ensure that you’ve properly accounted for all the authorized IPs and domains.

Although there’s no one size fits all DMARC record for corporate environments, you may find the following example helpful.

  1. Say, you are the domain owner for
  2. WageWorks is an authorized third-party sender that emails on your behalf, but from their own MTAs.
  3. You delegated authority for them to send email from, which will show up in their From: and Return-Path: email headers.
  4. WageWorks creates and publishes an SPF record for in their DNS.
  5. You update the SPF record for, so that WageWorks’ IPs have been listed.
  6. You create a DKIM private/public key pair. You give WageWorks the private key and you publish the public key in the zone file.
  7. You are responsible for creating the DMARC record, not WageWorks because your record will cover and when you create the DMARC record listed below. Ensure that WageWorks doesn’t create a DMARC record too, especially if it contradicts your policies.
  8. You’ll create an entry in DNS for the zone file with:

  1. The DMARC record will look like this:

              “v=DMARC1; p=none; rua=mailto:[email protected]

  • Always start the DMARC record with the version (v), as it is a required tag.
  • Set the policy (p) to monitor mode (none).
  • Request for aggregate reports (rua) in the beginning, as many people often find the forensic reports (ruf) challenging to fully understand due to the magnitude of data that is included.
  • If you want WageWorks to also receive the reports, add their email address as well so that it looks like this:

“v=DMARC1; p=none; adkim=r; aspf=r; rua=mailto:[email protected], mailto:[email protected]

  • At this point, you might be wondering about domain identifier alignment, because and aren’t exactly identical. It is actually considered to be “aligned” by default. This can get confusing, but bear with me. There are these optional DMARC tags, called aspf and adkim, that can be adjusted to force domain misalignment when undergoing the SPF and DKIM checks. If these tags are set to strict (s) mode, then the WageWorks emails would fail DMARC because and would be considered misaligned. However, the default setting is relax (r), which makes it aligned. Since the aspf and adkim tags are optional in the first place and we want its default values, there’s no need for us to include it in the DMARC record.

What other situations have you encountered with your corporate environment?

minute read

Popular stories



BriteVerify email verification ensures that an email address actually exists in real-time


The #1 global data quality tool used by thousands of Salesforce admins


Insights and deliverability guidance from the only all-in-one email marketing solution

GridBuddy Cloud

Transform how you interact with your data through the versatility of grids.

Return Path

World-class deliverability applications to optimize email marketing programs

Trust Assessments

A revolutionary new solution for assessing Salesforce data quality


Validity for Email

Increase inbox placement and maximize subscriber reach with clean and actionable data

Validity for Data Management

Simplify data management with solutions that improve data quality and increase CRM adoption

Validity for Sales Productivity

Give your sales team back hours per day with tools designed to increase productivity and mitigate pipeline risks in real-time