Most marketers would already be familiar with SPF and DKIM as security protocols, but only a few may know of the new kid on the block — DMARC. But what does this new protocol do that SPF and DKIM don’t?
Think of it this way: SPF is like a list of approved senders for your emails, and DKIM is like a unique signature for each email, making sure it hasn’t been tampered with. DMARC is a method to tell ISPs what to do with any email sent from your domain that lacks SPF/DKIM keys. DMARC also sends you reports on authentication failures.
We’re going to explain why DMARC is a blessing for all legitimate email senders, discuss its intricacies, and then show you how to set up DMARC on your domain with ease!
Table of Contents
- What is DMARC?
- Why You Should Implement DMARC Immediately
- The Benefits of DMARC
- How does DMARC Work?
- The Link Between SPF, DKIM, and DMARC
- Preparing to Implement DMARC on Your Domain
- DMARC Setup Guide
- DMARC Record Tags: What Do They Mean?
- Troubleshooting: DMARC Setup Problems
- Email Security at Campaign Refinery
What is DMARC?
DMARC stands for Domain-based Message Authentication, Reporting, and Conformance. It is an email authentication protocol that helps protect organizations from email phishing and spoofing. DMARC builds on two other widely used email authentication protocols: SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail).
DMARC enables the domain owner to set policies for how their emails should be handled if they fail authentication checks. DMARC introduces the concept of alignment, which ensures that the domain in the “From” address aligns with the domains in the DKIM signature and SPF record. It also includes mechanisms for reporting back to the domain owner about emails that pass or fail authentication.
By implementing DMARC, you can:
- Authenticate your emails: Ensure emails sent on behalf of your domain are genuine and not forged.
- Specify policies: Define how email servers should handle emails that fail authentication (for example, quarantine or reject).
- Receive reports: Gain insights into who is sending emails on behalf of a domain and whether those emails are passing or failing authentication.
DMARC is an important tool in combating email fraud, phishing, and spoofing. It helps you protect your brand reputation and is a must for the security of your emails.
Why You Should Implement DMARC Immediately
Adding DMARC to your domain provides several benefits, primarily centered around enhancing the security of your email campaigns. An added benefit is that it’s good for your brand reputation, as many companies in recent times have added this security measure to their domains.
The biggest reason you should be considering DMARC implementation on a priority is due to a recent development. In October 2023, Gmail and Yahoo released a statement announcing that bulk senders should have DMARC in place by February 2024. This applies to all email marketers sending more than 5,000 emails a month. Considering the market share of email users between these two mailbox providers, you cannot afford to ignore this mandate!
But as a legitimate email marketing professional, this is something you should welcome. Spammers cannot add DMARC to their domains; having DMARC as a security protocol on your side immediately gives you a certain level of credibility.
You can keep sending emails without DMARC even after February 2024, but the biggest risk is to your deliverability rate. If Gmail or Yahoo filters have the faintest suspicion that your email may be spam and it lacks DMARC, it’s straight to the spam folder.
Now, let’s learn more about the benefits of adding DMARC to your domain.
The Benefits of DMARC
Besides the mandate from mailbox providers, you stand to gain a lot by embracing DMARC.
Implementing DMARC on your domain offers these 8 benefits:
- Improved deliverability: DMARC helps improve your email deliverability by ensuring your legitimate emails are authenticated and less likely to be marked as spam or phishing attempts.
- Brand reputation: DMARC safeguards your brand image by preventing unauthorized parties from sending emails that appear to be from your domain. This protection against email spoofing and phishing helps build trust with your subscribers.
- Reduced risk of phishing: By implementing this protocol, you actively protect your audience from phishing attacks that may use your brand identity for malicious purposes. It helps demonstrate your commitment to their data safety.
- Insightful reporting: DMARC provides valuable reporting mechanisms, giving you insights into who is sending emails on behalf of your domain. You can identify legitimate sources, detect potential threats, and refine your email security strategy for the best results.
- Policy enforcement: DMARC allows you to set flexible policies for how receiving mail servers should handle emails that fail authentication. You can either keep a minimalist policy or enforce strict policies, such as quarantining or rejecting, thereby minimizing the impact of phishing attempts.
- Compliance with industry standards: Many industry standards and email service providers recommend or require the implementation of DMARC. For example, we insist all Campaign Refinery customers implement SPF, DKIM, and DMARC on their domains.
- Positive impact on conversions: With improved email deliverability and increased trust among your audience, you’re likely to see a positive impact on your conversion rates.
Adding DMARC to your email security system is a strategic move that takes on cyber threats and contributes to your email marketing success.
How does DMARC Work?
Here’s a simple explanation of how DMARC works: It provides a framework for email authentication and establishes policies for how receiving mail servers should handle emails that claim to be from your domain. To do this, it relies on two existing email authentication protocols: SPF and DKIM (we’ll explain the connection between the three shortly).
For DMARC to work, you have to publish a DMARC record in your DNS (Domain Name System). This record includes information about your DMARC policies and authentication mechanisms. The DMARC record also specifies how receiving mail servers should handle emails that fail authentication.
There are three possible policies:
| Policy | What receiving servers do with mail that fails DMARC |
| --- | --- |
| none | Monitor and report, but take no action. |
| quarantine | Mark the email as spam or quarantine it. |
| reject | Reject the email outright. |
DMARC also offers a reporting mechanism through which receiving mail servers can send aggregate and forensic reports back to you, the domain owner. These reports include information about the volume of authenticated and unauthenticated emails, details about the sending servers, and more.
Once you publish the DMARC record, receiving mail servers will use it to authenticate incoming emails. The domain owner (you) can monitor the reports to gain insights into the email landscape, identify legitimate sources, and take action against potential threats.
Mail admins typically implement DMARC gradually; they start with the “monitor and report” policy, which allows you to monitor and collect data without taking immediate action. This phase helps ensure that legitimate email sources are properly authenticated. Once you are confident in the results, you can consider moving to a more restrictive policy like quarantine or reject.
Alignment in DMARC
A key feature of DMARC is an alignment check. The purpose of this feature is to enhance the overall security of the email authentication process by verifying that different elements of the email match and are consistent.
There are two types of alignment checks in DMARC:
- SPF alignment: This verifies that the “From” domain in the email header aligns with the domain that passed the SPF check, i.e. the envelope sender (Return-Path) domain that the receiving server looked up the SPF record for. There are two possible outcomes: Pass or Fail.
- DKIM alignment: Here, it verifies that the “From” domain in the email header aligns with the signing domain named in the DKIM signature (its d= tag). Like the SPF alignment test, the outcomes are either Pass or Fail.
Alignment checks are crucial in preventing attackers from abusing the email authentication mechanisms. For example, if an email claims to be from “campaignrefinery.com” in the “From” address but the SPF record or DKIM signature is associated with a different domain, it could indicate a potential phishing attempt or email spoofing.
In such a scenario, DMARC allows domain owners (us, in this example) to specify how receiving mail servers should handle emails that fail these alignment checks, providing an additional layer of protection against email-based threats.
Domain owners can configure either strict or relaxed alignment, separately for SPF (the ‘aspf’ tag) and DKIM (the ‘adkim’ tag). Strict alignment requires the authenticated domain to match the “From” domain exactly, whereas relaxed alignment also accepts a subdomain of it (for example, a Return-Path on bounce.yourdomain.com aligns with a “From” address at yourdomain.com). In both modes, DMARC passes as long as at least one of SPF or DKIM passes with an aligned domain.
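The alignment logic described above, as an added example that is not part of the original article: a small evaluator that decides a DMARC verdict from the SPF and DKIM results of one message. The domain names and results are constructed, and the organizational-domain helper is a simplification (real receivers consult the Public Suffix List).

```python
# Added example (not from the original article). Domains and results below are
# constructed; organizational_domain() is a simplification of what receivers do.

def organizational_domain(domain: str) -> str:
    """Approximate the organizational domain as the last two DNS labels
    (assumption: real receivers use the Public Suffix List instead)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def identifier_aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Return True if auth_domain aligns with the RFC5322.From domain.

    mode "s" (strict): the two domains must match exactly.
    mode "r" (relaxed): they only need to share an organizational domain,
    so bounce.yourdomain.com aligns with yourdomain.com.
    """
    if mode not in ("r", "s"):
        raise ValueError(f"alignment mode must be 'r' or 's', got {mode!r}")
    from_domain = from_domain.lower().rstrip(".")
    auth_domain = auth_domain.lower().rstrip(".")
    if from_domain == auth_domain:
        return True
    if mode == "s":
        return False
    return organizational_domain(from_domain) == organizational_domain(auth_domain)


def dmarc_result(from_domain, spf_result, spf_domain, dkim_result, dkim_domain,
                 aspf="r", adkim="r"):
    """Combine SPF and DKIM results into a DMARC verdict ("pass" or "fail").

    spf_domain is the envelope sender (Return-Path) domain that SPF was
    evaluated against; dkim_domain is the d= tag of the DKIM signature.
    DMARC passes when at least one authenticated identifier is aligned.
    """
    spf_aligned = (spf_result == "pass" and spf_domain is not None
                   and identifier_aligned(from_domain, spf_domain, aspf))
    dkim_aligned = (dkim_result == "pass" and dkim_domain is not None
                    and identifier_aligned(from_domain, dkim_domain, adkim))
    verdict = "pass" if (spf_aligned or dkim_aligned) else "fail"
    return verdict, {"spf_aligned": spf_aligned, "dkim_aligned": dkim_aligned}


if __name__ == "__main__":
    # Legitimate bulk mail: Return-Path on a subdomain, DKIM signed by the org domain.
    print(dmarc_result("yourdomain.com", "pass", "bounce.yourdomain.com",
                       "pass", "yourdomain.com"))
    # The spoofing case from the text: SPF and DKIM pass, but for an unrelated domain.
    print(dmarc_result("yourdomain.com", "pass", "unrelated.example.net",
                       "pass", "unrelated.example.net"))
```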
DMARC Reports: What Do They Tell You?
Once you’ve set up DMARC to run efficiently, you will receive reports. But what do these reports look like, and what can you learn from them? Let’s answer these questions and more.
A DMARC report provides information about the authentication status of emails claiming to be from a specific domain.
DMARC reports come in two types:
- Aggregate reports (RUA),
- Forensic reports (RUF).
RUA and RUF provide different information that is equally important, so let’s examine the specifics of these two types of DMARC reports.
Aggregate Reports (RUA)
Aggregate reports provide summarized information about the volume of email traffic associated with a domain and the results of authentication checks (SPF, DKIM, and DMARC) for a specified time period. Email receivers (such as ISPs or email service providers) generate these reports and send them to the email address specified in the DMARC record’s “rua” tag.
Key information in aggregate reports includes:
- The number of emails received with the domain’s authentication results — pass and fail reports.
- Details about sending sources (IP addresses and domains).
- Information on SPF, DKIM, and DMARC results for each email.
Aggregate reports let domain owners gain insights into the email landscape associated with their domain, identify legitimate sources, and detect potential issues such as phishing or unauthorized use of the domain.
Forensic Reports (RUF)
Forensic reports provide detailed information about individual emails that fail DMARC authentication checks. Receiving mail servers that support forensic reporting send one when they encounter an email that violates the DMARC policy (not every mailbox provider sends them).
Forensic reports are sent to the email address specified in the DMARC record’s “ruf” tag.
Key information in these forensic reports includes:
- The complete email message (headers and body).
- Details about authentication results (SPF, DKIM, and DMARC).
- Information on the sending source and the reason for the failure.
Forensic reports help mail administrators to investigate specific incidents, understand the nature of authentication failures, and take corrective actions to address potential threats.
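To show what you actually do with an aggregate report, here is an added example (not from the original article) that summarises a RUA report using only Python’s standard library. SAMPLE_RUA is a constructed report in the RFC 7489 XML layout; its domain, message counts and 192.0.2.0/24 documentation-range IP addresses are made up.

```python
# Added example (not from the original article). SAMPLE_RUA is a constructed
# aggregate report in the RFC 7489 XML format; all values in it are made up.
import xml.etree.ElementTree as ET

SAMPLE_RUA = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>Example Receiver</org_name>
    <report_id>constructed-0001</report_id>
    <date_range><begin>1700000000</begin><end>1700086400</end></date_range>
  </report_metadata>
  <policy_published><domain>yourdomain.com</domain>
    <adkim>r</adkim><aspf>r</aspf><p>none</p><pct>100</pct></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition>
        <dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>yourdomain.com</domain><result>pass</result></dkim>
      <spf><domain>bounce.yourdomain.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>192.0.2.77</source_ip><count>8</count>
      <policy_evaluated><disposition>none</disposition>
        <dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results>
      <spf><domain>unrelated.example.net</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>"""


def summarize_rua(xml_text: str) -> dict:
    """Total pass/fail volume for the report and per source IP.

    A record is a DMARC pass when the receiver's policy_evaluated block shows
    an aligned DKIM or SPF result. auth_results alone is not enough: the second
    record has an SPF pass, but for an unrelated domain that does not align.
    """
    root = ET.fromstring(xml_text)
    summary = {"domain": root.findtext("policy_published/domain"),
               "policy": root.findtext("policy_published/p"),
               "pass": 0, "fail": 0, "sources": {}}
    for rec in root.findall("record"):
        ip = rec.findtext("row/source_ip")
        count = int(rec.findtext("row/count"))
        ev = rec.find("row/policy_evaluated")
        aligned = "pass" in (ev.findtext("dkim"), ev.findtext("spf"))
        src = summary["sources"].setdefault(
            ip, {"pass": 0, "fail": 0, "disposition": ev.findtext("disposition"),
                 "spf_domains": set()})
        src["pass" if aligned else "fail"] += count
        summary["pass" if aligned else "fail"] += count
        for spf in rec.findall("auth_results/spf"):
            src["spf_domains"].add(spf.findtext("domain"))
    return summary


def unaligned_sources(summary: dict) -> list:
    """IPs whose mail never aligned: unknown senders to investigate, or your
    own services that are still missing from SPF/DKIM."""
    return sorted(ip for ip, s in summary["sources"].items() if s["pass"] == 0)
```

Real reports arrive as compressed attachments (zip or gzip), so in practice you decompress the attachment first and feed the resulting XML text to summarize_rua.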
The Link Between SPF, DKIM, and DMARC
SPF, DKIM, and DMARC work together as a team to enhance security and prevent email fraud. Before we explain the link between the three, let’s study how SPF and DKIM work.
SPF allows domain owners to specify which mail servers are authorized to send emails on behalf of their domain. The domain owner publishes an SPF entry in the DNS (Domain Name System) records that contains information about the authorized mail servers.
When an email is received, the recipient’s mail server can check the SPF record of the sender’s domain to verify if the sending server is authorized to send emails on behalf of that domain.
DKIM involves the use of cryptographic signatures to verify the authenticity of an email message. The sender signs the email with a private key, and the recipient can use the public key published in the DNS records to verify the signature.
DKIM helps ensure that the email has not been tampered with during transit and that it was actually sent by the claimed sender.
Next, let’s look at how these two protocols work in tandem with DMARC.
SPF, DKIM, and DMARC: Teamwork
Here’s a breakdown of the authentication process involving all three:
- SPF and DKIM act as individual authentication methods, each addressing specific aspects of email authentication. While SPF verifies the sending server’s IP address, DKIM verifies the integrity and authenticity of the email’s content.
- Now, it’s time for DMARC to bring these two authentication methods together. DMARC ensures the domains in the “From” address (also referred to as the “5322.From address”) align with the domains in the DKIM signature and SPF record. This alignment enhances the overall security of the email authentication process.
- If an email faces any security incident on the way to the end user’s mailbox, DMARC gives domain owners insights into the issue thanks to the reporting mechanism.
This three-pronged approach is a highly effective measure against email fraud, phishing, and unauthorized use of domains in email communication. The three protocols work together to create a robust defense against email-based threats.
The next big thing in email security is BIMI or Brand Indicators for Message Identification, which allows you to display a brand logo in your subscribers’ inboxes, next to your brand name. While it isn’t mandatory yet, it has a lot of benefits for email senders — so we recommend you check it out.
SPF vs DKIM vs DMARC: What’s the Difference?
Here’s a table that simplifies the relationship between these three protocols:
| | SPF | DKIM | DMARC |
| --- | --- | --- | --- |
| Purpose | Authorizes sending mail servers for a domain. | Verifies the authenticity of the email’s content and sender’s identity. | Provides a framework for email authentication policies and reporting. |
| How it works | Checks the source IP address against the published list of authorized servers. | Uses cryptographic signatures to verify the integrity of the email content. | Coordinates and aligns SPF and DKIM, adds policies, and checks alignment. |
| Published as | SPF records published in DNS. | DKIM public keys published in DNS. | DMARC records published in DNS. |
| What it verifies | Verifies the source of the email (sender’s IP address). | Verifies the integrity of the email’s content and sender’s domain. | Verifies alignment of the “From” domain with SPF and DKIM, enforces policies. |
| Policy enforcement | | | Enforces alignment between the “From” domain, SPF, and DKIM. |
| Reporting | | | Provides feedback on authentication results through aggregate and forensic reports. |
| Implementation | You can implement SPF independently. | You can implement DKIM independently. | Typically implemented after SPF and DKIM, as it coordinates and enforces policies. |
| Role in DMARC | Used in DMARC alignment checks. | Used in DMARC alignment checks. | |
As you can tell from the table, you need all three security protocols running efficiently on your domain for maximum security. As malicious individuals get smarter, it is vital to keep up with the times; as of now, these three protocols do a great job of defending your messages!
Preparing to Implement DMARC on Your Domain
Before implementing DMARC on your domain, take preparatory steps to ensure a smooth and effective deployment.
Here’s the list of steps you should complete before implementing DMARC:
- Have a clear understanding of your email infrastructure. Identify all legitimate sources sending emails on behalf of your domain — this could include your own mail servers or your ESP.
- Before deploying DMARC, it’s recommended to implement SPF and DKIM. Ensure you configure these protocols correctly for your domain.
- Clearly define your DMARC policies. We recommend you start with a monitoring-only policy (“p=none”) to collect data before enforcing policies. Determine your preferred policy for handling failed authentication, such as “p=quarantine” or “p=reject.”
Once you’ve checked off all items on this list of prerequisites, it’s time to set up DMARC on your domain.
DMARC Setup Guide
Implementing DMARC on your domain involves several steps but is simpler than SPF or DKIM deployment. You will have to create a DMARC TXT record and add it to your DNS, publish it, set a policy, and then test your settings.
Let’s review the steps one by one:
- Log in to your DNS management console — this is typically provided by your domain registrar or hosting provider. If you don’t manage the DNS, ask your DNS provider to create the DMARC record for you.
- Locate the page where you configure DNS settings.
- Here, create a new record and then choose the record type as TXT.
- Time to add your DMARC record!
Your record will look something like this:
_dmarc.yourdomain.com. IN TXT "v=DMARC1; p=none; rua=mailto:email@example.com; ruf=mailto:firstname.lastname@example.org;"
- Next, save the changes in your DNS management console to publish the DMARC record. Note that changes to DNS records may take time to propagate. You can create separate DMARC policies for subdomains, but if you don’t, any subdomain will inherit the parent domain’s DMARC policy.
- The final task is to monitor the DMARC reports received at the email addresses specified in the record. Analyze the reports diligently and refine your DMARC policy.
It’s best to set ‘p’ to “none” at the beginning, because you may detect unknown mailing services or mail servers sending emails on your behalf, which you may have ignored during the SPF or DKIM setup process. With time, you can add these to SPF/DKIM records to ensure alignment checks for DMARC work smoothly.
If you encounter any issues, reach out to your ESP’s support team. We know this because we help our clients sort out their technical issues, too!
DMARC Record Tags: What Do They Mean?
Depending on your requirements, you can add various tags and assign values to the DMARC TXT record. Apart from ‘v’ and ‘p’, which are mandatory and must appear in the order demonstrated in the example above (‘v’ first), the tags are optional. Use semicolons to separate the different tags.
Here’s a table explaining what the various tags in your DMARC record mean:
| Tag | Meaning |
| --- | --- |
| v | Specifies the DMARC version. |
| p | Specifies the policy to apply. Options include “p=none”, “p=quarantine” and “p=reject”. |
| rua | Specifies the email address where aggregate reports (RUA) will be sent, e.g. “email@example.com”. |
| ruf | Specifies the email address where forensic reports (RUF) will be sent, e.g. “firstname.lastname@example.org”. |
| pct | Specifies the percentage of emails to which the DMARC policy should be applied. Useful for gradually implementing DMARC and monitoring its impact. |
| adkim | DKIM alignment mode. Possible values are “r” (Relaxed) or “s” (Strict). Relaxed allows for subdomains to align, while strict requires an exact match. |
| aspf | SPF alignment mode. Like adkim, the possible values are “r” or “s” for relaxed and strict, respectively. |
| sp | Specifies the DMARC policy to be applied to subdomains. |
| ri | Specifies the interval (in seconds) for sending aggregate reports. |
These tags are included in the DMARC DNS record for your domain and define how the DMARC policy should be applied and where reports should be sent. Remember, you can always refer to DMARC record checkers online to validate the syntax and correctness of your DMARC record.
Troubleshooting: DMARC Setup Problems
Once you set up your DMARC, things may take time to smooth out.
Here are common issues mail admins face while configuring DMARC and the fixes:
- Incorrect syntax: This is usually the most common reason your DMARC implementation isn’t working correctly. There are numerous tools available online that can check your code for you, so feel free to use those. Just google for “dmarc syntax check” and use one of them. Don’t forget to include the ‘p’ and ‘v’ values — they’re mandatory.
- Incorrect domain: As one of the more common errors, we had to list this one separately. When you mention your domain, write it as “_dmarc.yourdomain.com” and not just “dmarc.yourdomain.com.” That underscore symbol is critical.
- False positives: If legitimate emails from your domain are incorrectly classified as phishing/spam and get quarantined or rejected, start with a monitoring policy (p=none), and identify any false positives. With time, move to a more restrictive policy.
- DNS Record Issues: Ensure you are saving the TXT record correctly in your DNS management console.
- Incorrect SPF/DKIM records: If there are errors in your SPF or DKIM records, it will also cause DMARC to fail. Double-check the DNS records on both of those.
- Excessive DMARC failure reports: If you receive an overwhelming number of DMARC reports, adjust the requested reporting interval (ri tag) in your DMARC record. Consider a longer interval to receive aggregate reports less frequently; bear in mind that ‘ri’ is only a request, and receivers are not obliged to honor it (many send one report per day regardless).
Ensure you regularly monitor DMARC reports, stay informed about best practices, and with time, you will iron out the kinks in your DMARC implementation.
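The two most common problems above, incorrect syntax and a missing underscore in the record name, can be caught before you publish. Here is an added example (not from the original article or a Campaign Refinery tool) that checks the record name and the tags from the table in the previous section; it validates the string only and performs no DNS lookup, and the sample record is the one from the setup guide.

```python
# Added example (not from the original article): string-level checks for a
# DMARC TXT record and its DNS name. No DNS lookups are performed.
import re

VALID_POLICIES = {"none", "quarantine", "reject"}
# mailto: URI, optionally followed by a "!size" report-size limit such as !10m
MAILTO = re.compile(r"mailto:[^@\s,!]+@[^@\s,!]+(![0-9]+[kmgt]?)?")


def parse_dmarc_record(txt: str) -> dict:
    """Split 'v=DMARC1; p=none; ...' into a dict of tag -> value (order kept)."""
    tags = {}
    for part in txt.strip().strip('"').split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"tag without '=': {part!r}")
        name, value = part.split("=", 1)
        tags[name.strip().lower()] = value.strip()
    return tags


def check_dmarc_record(name: str, txt: str) -> list:
    """Return a list of problems; an empty list means the record looks valid."""
    problems = []
    if not name.startswith("_dmarc."):
        problems.append(f"record name must start with '_dmarc.', got {name!r}")
    try:
        tags = parse_dmarc_record(txt)
    except ValueError as exc:
        return problems + [str(exc)]
    keys = list(tags)
    if not keys or keys[0] != "v" or tags["v"] != "DMARC1":
        problems.append("record must begin with v=DMARC1")
    if "p" not in tags:
        problems.append("mandatory 'p' tag is missing")
    elif tags["p"] not in VALID_POLICIES:
        problems.append(f"unknown policy {tags['p']!r}")
    if "sp" in tags and tags["sp"] not in VALID_POLICIES:
        problems.append(f"unknown subdomain policy {tags['sp']!r}")
    for tag in ("rua", "ruf"):
        for uri in tags.get(tag, "").split(","):
            uri = uri.strip()
            if uri and not MAILTO.fullmatch(uri):
                problems.append(f"{tag} entry is not a mailto: URI: {uri!r}")
    for tag in ("adkim", "aspf"):
        if tag in tags and tags[tag] not in ("r", "s"):
            problems.append(f"{tag} must be 'r' or 's'")
    if "pct" in tags and not (tags["pct"].isdigit() and int(tags["pct"]) <= 100):
        problems.append("pct must be an integer from 0 to 100")
    if "ri" in tags and not tags["ri"].isdigit():
        problems.append("ri must be an integer number of seconds")
    return problems


if __name__ == "__main__":
    good = "v=DMARC1; p=none; rua=mailto:email@example.com; ruf=mailto:firstname.lastname@example.org;"
    print(check_dmarc_record("_dmarc.yourdomain.com", good))           # no problems
    print(check_dmarc_record("dmarc.yourdomain.com", "p=reject; v=DMARC1"))  # two problems
```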
Additional Tips to Avoid DMARC Issues
Remember that DMARC requires constant monitoring for the reports system to work efficiently.
For example, if you work with numerous third-party vendors, you will need to ensure SPF, DKIM, and DMARC data is regularly updated on all relevant records. Mail administrators often make changes to email infrastructure and forget to update SPF, DKIM, and DMARC information. Eventually, these cause email failures.
Another common point of failure is related to DMARC records on subdomains. If you operate multiple subdomains, test each subdomain’s record separately and run alignment checks against its SPF and DKIM records. Use the ‘sp’ tag to set a specific policy for subdomains and gradually implement DMARC, monitoring the reports for alignment issues.
Email Security at Campaign Refinery
Campaign Refinery takes email security very seriously; we have multiple measures in place to protect our data, client data, and their customer data, too.
We do our best to ensure our deliverability is the best in the business, and the implementation of security protocols plays a big part in this. Mailbox providers love us because we play by the rules; our reward is stunning inbox placement rates and engagement.
Adding security protocols is a walk in the park if you work with Campaign Refinery. We have multiple guides to help you set up SPF, DKIM, and DMARC, and we also have customer service reps ready to guide you through the entire process. We will tackle any technical challenges you face until you’re ready to hit the Send button on your first campaign!
If you want to experience elite and secure email performance, apply to be a Campaign Refinery customer immediately.
Wanting to learn all about email security and best practices is a mindset we appreciate and respect — so we have a treat for you, today! We’d like to share a guidebook that simplifies technical processes like warming up your IP, domain and DNS settings, best practices for sending emails, and other pro tips for email marketers. And you can access this playbook for a whopping $0!
That’s right, it’s 100% free, no catch. It’s called The Inbox Formula, and you should download it today!
Until we see you on the next in-depth topic — happy emailing!