Has the recent news about DMARC from Google & Yahoo left you puzzled about the next steps? You must’ve read that DMARC records will ensure your email campaigns don’t land in spam in the future.
But what is DMARC, and how to comply with this policy change to ensure the best deliverability rates? In this blog, we’ll share everything about DMARC and how you can ensure your campaigns are on the right side of the fence.
Why Care About DMARC Now?
Back in October, Google and Yahoo announced that bulk email senders must comply with DMARC guidelines by January 31st. They want to make emails more secure and prevent cyber crimes or data breaches from happening.
If you send 5000 emails or more without having a DMARC record in your DNS, your emails might get blocked or go to spam, hurting your deliverability.
However, we strongly recommend configuring it for all senders; it’ll only take 15 minutes of your time, but this strongly helps with your, as a sender, reputation and deliverability.
Understanding DMARC, DKIM & SPF Records
Starting February 1st, all significant providers and ISPs, such as Google and Yahoo, will perform DMARC checks before delivering emails.
When thinking or reading about email deliverability, you must have encountered SPF and DKIM records. Let’s quickly examine them before moving on to DMARC.
SPF Record
SPF record defines the IP address that can be used to email your domain’s behalf. Whenever you send an email, receiving ISPs and email providers check if the email is sent from the authorized IP address or server using the SPF record.
- This record lists all authorized IP addresses associated with your domain;
- It also authenticates the servers/apps allowed to send emails on your behalf.
Passing SPF authentication ensures that emails reach the destination inbox.
DKIM Record
DKIM record is an additional authentication footprint – a unique record for every domain name you own.
- Every email you send is signed with this private key;
- The receiving email server retrieves this key in DKIM records to authenticate your signature or footprint.
If an attacker or spammer tries to change the email between sending and receiving, DKIM records will fail to verify, and a potentially malicious email will not be delivered to the receiver.
What’s DMARC, then?
DMARC, or Domain-based Message Authentication, Reporting, and Conformance is an email authentication protocol to verify your domain identity.
See it as an upgraded version of the SPF and DKIM authentication protocol that links your sender (from) domain to how unauthenticated emails will be treated if the authentication fails.
Basically, the DMARC records will protect and improve your domain (and your subscribers) from fraudulent emails. When you send an email to someone, DMARC records ensure that it is sent by a legitimate domain owner.
Imagine it as an ID badge but for emails. Just as an official ID confirms your identity in front of authorities, DMARC records tell email providers that the emails are sent by you (and not any spammer or imposter).
But how do you tell email providers that you’re authentic and not an imposter? You can simply add DMARC records in your domain name’s DNS settings.
When the DMARC records are in place, emails you send land in the inbox, bypassing the filters set by email providers to block unverified and potentially harmful emails.
Read more about SPF, DKIM & DMARC parameters here
Setting Up DMARC Policy for Your Domain
DMARC records are tied to your domain name and tell receivers that you’re a genuine and authentic sender, allowed to send emails. Your DMARC policy is built on the SPF and DKIM you set in your DNS records.
For setting up your DMARC records, you should:
- Contact your hosting provider or DNS record admin;
- Confirm you’ve deployed DKIM and SPF records in your DNS settings already;
- Ask your hosting provider/admin to create a new TXT record under DNS settings;
- Add the following string to the newly created TXT record for DMARC:
| v=DMARC1; p=none; fo=1; rua=mailto:<enter your email address>; ruf=<enter your email address> For example, v=DMARC1; p=none; fo=1; rua=mailto:info@sender.net; ruf=mailto:info@sender.net |
The above DMARC policy record may seem like a confusing puzzle. But it simply tells the email service providers that you’re compliant (“v=DMARC1”), and what you want to do with suspicious emails. Let’s break it down into three parts:
- Start safe with “p=none”: Think of this as your training wheels. It tells email services, “Hey, if my emails don’t pass your checks, it’s cool, don’t sweat it.” You’ll begin here and watch how things go. As you get a grip on the results, you’ll be ready to level up.
- Move up to “p=quarantine”: Before you use Brand Indicators for Message Identification (BIMI), which is a way to make your brand logo appear in emails, you’ll want to add the quarantine tag to your DMARC record. It’s like telling email providers, “If my emails seem sketchy, keep them in the ‘maybe’ pile (a.k.a. the junk folder).” But, it’s not just a switch flip. You’ll need to adjust the ‘pct’ tag to slowly increase how many of your emails get this particular scrutiny, starting from just 1% and going up to 100%. It’s like turning up the heat slowly so you don’t get burned.
- Go full shield with “p=reject”: This is the highest level of security. It tells email services to outright reject emails that don’t pass muster, sending them back where they came from before they even get a chance to reach an inbox. Like quarantine, you’ll adjust the ‘pct’ tag to gradually increase the percentage of emails scrutinized from a cautious 1% to a full-on 100%.
Important Tips
- If you plan to send emails, your domain must be properly set up in the DNS (with records like A, MX, or AAAA). And don’t rush into “p=quarantine” or “p=reject” immediately. Use the insights from monitoring and reports to guide your journey toward tightening your DMARC policy. This way, you’re not flying blind but making informed decisions to protect your email integrity.
- Set up a unique email mailbox for the DMARC records and monitor it regularly for alerts regarding DMARC compliance.
- Verify your records on every solution or tool that sends emails on your behalf. Create a list of all the sending services and remember to validate each one.
