
Ask a Deliverability Expert: Should I Set Up DMARC?

DMARC is one of the best ways to keep your email communications and reputation secure. Here’s what you need to know about setting it up for your brand.

This story was updated on October 7, 2023, following the news that Gmail and Yahoo would require DMARC for anyone who sends 5,000 or more emails per day to their users.

In today’s digital world, email fraud and phishing attacks are on the rise, causing significant financial and reputational damages to businesses and individuals alike. Email authentication is a critical line of defense against such attacks, and there are several techniques that can be used to verify the authenticity of your email messages. One of the most effective ways to do this is through DMARC. 

DMARC, or Domain-based Message Authentication, Reporting, and Conformance, is a widely adopted authentication protocol that helps prevent email spoofing and phishing attacks. With DMARC, you publish a policy in DNS that tells receiving inboxes how to handle mail that uses your domain in the From: address but fails authentication, and where to send reports about what they saw.

As Dan Oshinsky wrote in a guide to email authentication, the history behind DMARC is pretty interesting:

Brands like PayPal wanted a way to stop others from spoofing their domain — they wanted the inboxes to block any illegitimate emails that might come from, for instance, a paypal.com address. And that’s where DMARC comes in. Once you’ve turned it on, you can set what’s known as a “level of enforcement.” There are two levels of enforcement: “Quarantine,” which requires the inbox to send those illegitimate emails to the spam folder, or “Reject,” which blocks them from the inbox entirely.

Once you’ve got DMARC turned to enforcement, only legitimate emails from your domain will reach the inbox. 

Other email authentication tools, like SPF and DKIM, help you clearly identify which of your emails are legitimate. But only DMARC lets you stop others from impersonating you.

That makes it something that any big brand or email sender should turn on. By publishing a policy for handling messages that fail authentication, you make it clear to mailbox providers which mail genuinely comes from your domain, which protects your domain’s reputation and, with it, the deliverability of your legitimate email. In addition, DMARC can help to detect and block phishing attacks that use your domain name, protecting both you and the recipients from harm.

And there’s one more reason to turn it on: Starting in February 2024, both Gmail and Yahoo will require anyone who sends 5,000 emails or more per day to have a DMARC policy in place. Even for small organizations, that’s a low threshold to clear — they’re going to need to turn on DMARC.

So let’s talk about what DMARC does, the benefits of DMARC, and discuss how to turn it on.

The benefits of DMARC

To understand the importance of DMARC, it’s important to first understand the two primary email authentication protocols that form the foundation of DMARC: Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM).

  • SPF lets a domain publish, in DNS, which servers are allowed to send mail on its behalf. The receiving server checks the IP address the message arrived from against the SPF record of the domain in the bounce address (the Return-Path, which is often different from the visible From: address).
  • DKIM adds a digital signature to the message. The sending system signs the headers and body with a private key, and the receiving server verifies the signature with the public key published in the signing domain’s DNS, confirming that the message wasn’t altered in transit and that the signing domain vouched for it.

On some email platforms, like Ghost or Substack, the platform will take care of SPF and DKIM for you. With other ESPs, you can take control of these protocols to clearly identify that your emails are actually coming from your brand.

If you’re not sure what your newsletters are currently set to, here’s a simple way to check: Open one of your newsletters in Gmail. Click on the three dots next to the date in the top right corner of the message. Then click on “Show Original.”

You’ll see a few options listed: SPF and DKIM. (If you’ve set up DMARC, you’ll see that listed, too.) “PASS” means the check succeeded; also look at the domain Gmail lists next to each result, because the check needs to pass for your domain, not just for your email platform’s. “FAIL” means you’ve got issues you need to fix right away.

An image of the message data, including SPF, DKIM, and DMARC for an Inbox Collective newsletter.
Here’s what this looks like for Inbox Collective emails. SPF, DKIM, and DMARC are all passing — a good sign!
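If you’d rather check from a script than by clicking around, the same verdicts live in the Authentication-Results header that the receiving server adds to the message. Here is an added example (not code from the original article) that reads them; both messages are constructed, and the receiving server name mx.example.net is made up.

```python
"""Added example (not from the original article): read the SPF, DKIM and
DMARC verdicts from a message's Authentication-Results header, which is
the data Gmail's "Show original" view is summarizing.  Both raw messages
below are constructed samples; the header layout follows RFC 8601."""

import email
import re
from email import policy

# Constructed sample: the receiving server mx.example.net has added its
# Authentication-Results header above the sender's own headers.
SAMPLE_MESSAGE = b"""\
Authentication-Results: mx.example.net;
       dkim=pass header.i=@example.com header.s=s1 header.b=abc123;
       spf=pass (domain of bounce@mail.example.com designates 192.0.2.1 as permitted sender) smtp.mailfrom=bounce@mail.example.com;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=example.com
From: Newsletter <news@example.com>
To: reader@example.net
Subject: Hello

Body text.
"""

# Constructed sample of a spoof: SPF passes, but for the attacker's own
# bounce domain, so nothing aligns with the example.com From: address.
SPOOFED_MESSAGE = b"""\
Authentication-Results: mx.example.net;
       dkim=none;
       spf=pass smtp.mailfrom=bounce@attacker.example;
       dmarc=fail (p=REJECT sp=REJECT dis=REJECT) header.from=example.com
From: Support <support@example.com>
To: reader@example.net
Subject: Reset your password

Body text.
"""

# method=result pairs as written by the receiver (comments in parentheses
# and property lists such as header.from=... are left alone).
_RESULT = re.compile(
    r"\b(spf|dkim|dmarc)=(pass|fail|none|neutral|softfail|temperror|permerror)\b"
)


def auth_results(raw: bytes, authserv_id: str) -> dict:
    """Return e.g. {'dkim': 'pass', 'spf': 'pass', 'dmarc': 'pass'} taken from
    the Authentication-Results header written by the server *authserv_id*.
    Anyone can add such a header before sending, so only the header carrying
    the receiving server's own identifier is read; the rest are ignored."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        authserv, _, rest = str(header).partition(";")
        tokens = authserv.split()
        if not tokens or tokens[0] != authserv_id:
            continue
        for clause in rest.split(";"):
            match = _RESULT.search(clause)
            if match:
                results.setdefault(match.group(1), match.group(2))
    return results
```

The spoofed sample is the case to remember when reading headers by hand: an SPF “PASS” on its own proves only that the bounce domain’s owner allowed that server, which the attacker can arrange for a domain they control; the DMARC line is the one that tells you whether anything passed for the domain the reader sees.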

While SPF and DKIM can work independently, they are most effective when combined with DMARC. SPF and DKIM are the initial level of identification that the inboxes use to spot which emails are really coming from you. DMARC adds one more requirement, called alignment, and then gives the inbox instructions on what to do next. Alignment means the domain that passed SPF (the Return-Path domain) or the domain that signed with DKIM has to match the domain in the visible From: address, either exactly (“strict”) or by sharing the same organizational domain (“relaxed,” the default). A message passes DMARC if either aligned check passes. It’s a way of saying: If you see authentic emails from us, make sure those pass through to the inbox, and if you see someone trying to impersonate our domain, here’s what we want you to do with those spammy emails.

That makes DMARC incredibly valuable for anyone who sends a lot of email — it’s one of the best tools you have to prevent email fraud and phishing attacks using your email domain.
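The alignment rule described above, written out as an added example that is not part of the original article. It assumes a simplified organizational-domain rule (the last two DNS labels) in place of the Public Suffix List that real receivers consult; the domains and results fed to it are made up.

```python
"""Added example (not from the original article): how a receiving server
turns SPF and DKIM results into a DMARC verdict.  The organizational-domain
rule below is a simplification (assumption): it takes the last two DNS
labels, where real receivers consult the Public Suffix List."""

from dataclasses import dataclass, field


def organizational_domain(domain: str) -> str:
    # Assumption: last two labels.  Right for news.example.com -> example.com,
    # wrong for example.co.uk-style names, which need the Public Suffix List.
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, header_from: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match; relaxed ('r')
    accepts any domain that shares the organizational domain."""
    auth_domain, header_from = auth_domain.lower(), header_from.lower()
    if mode == "s":
        return auth_domain == header_from
    return organizational_domain(auth_domain) == organizational_domain(header_from)


@dataclass
class Policy:
    p: str = "none"    # none | quarantine | reject
    adkim: str = "r"   # DKIM alignment mode (adkim tag)
    aspf: str = "r"    # SPF alignment mode (aspf tag)


@dataclass
class AuthResults:
    header_from: str   # domain in the visible From: header
    spf_result: str    # raw SPF result: pass | fail | softfail | none ...
    spf_domain: str    # domain SPF was checked against (Return-Path domain)
    dkim: list[tuple[str, str]] = field(default_factory=list)  # (result, d= domain) per signature


def dmarc_evaluate(auth: AuthResults, policy: Policy) -> dict:
    """Return the DMARC verdict and the disposition the policy asks for.
    A message passes if *either* an aligned SPF pass or an aligned DKIM
    signature exists; only a message that fails both gets the p= action."""
    spf_ok = auth.spf_result == "pass" and aligned(auth.spf_domain, auth.header_from, policy.aspf)
    dkim_ok = any(result == "pass" and aligned(d, auth.header_from, policy.adkim)
                  for result, d in auth.dkim)
    passed = spf_ok or dkim_ok
    return {
        "dmarc": "pass" if passed else "fail",
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        "disposition": "none" if passed else policy.p,
    }
```

Two cases worth running through it: a newsletter sent through a platform whose bounce address is on the platform’s domain (SPF passes but doesn’t align) still passes DMARC as long as the DKIM signature is for your domain; a spoofer whose own domain passes SPF and DKIM fails DMARC, because neither result aligns with the From: address the reader sees.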

And there are additional benefits to DMARC. There’s another email authentication protocol that’s gained popularity in recent years, known as BIMI, or Brand Indicators for Message Identification. BIMI enables companies to display their brand logo in the email recipient’s inbox. It works by allowing email providers to verify the authenticity of an email message using DMARC. If DMARC is set up at enforcement (“quarantine” or “reject,” not “none”), and if you’ve gone through the full process of setting up BIMI — you can read through all the steps here — then you can display your company’s logo in a reader’s inbox. Gmail also requires a Verified Mark Certificate (VMC) for the logo. Yahoo and Gmail will also display a verified checkmark next to your brand’s name, which reminds readers that your emails are legitimate.

An email from Pew, including the blue checkmark verifying BIMI.
Pew Research Center is BIMI-certified, so readers will see a blue checkmark in Gmail when they open a Pew email.

BIMI can be beneficial for both senders and recipients. For senders, it provides an additional layer of brand recognition and increases the likelihood of their email being opened. For recipients, it helps identify legitimate emails, and because BIMI only works for domains whose DMARC policy is already at enforcement, the logo only appears next to mail from senders who are blocking spoofing of their domain. But in order to turn on BIMI, you’ve first got to set up DMARC — it’s the building block on which BIMI is built.

What do all the different pieces of a DMARC record mean?

Before you set up your record, it’s important to understand all the different pieces of the DMARC record you’ll be creating. The record contains several components, including the policy, the reporting email address, and optional settings such as how strictly domains have to match and how subdomains are treated. The domain the policy applies to is set by where you publish the record in DNS (at _dmarc.yourdomain).

At first glance, a DMARC record isn’t all that easy to understand, so let’s give one a closer look:

v=DMARC1; p=none; rua=mailto:dmarc@example.com; ruf=mailto:dmarc@example.com; fo=1

In the above example, we see the following components:

  • v=DMARC1 identifies the version of DMARC being used. (DMARC1 is the only valid value, and this tag has to come first.)
  • p=none is the policy level. It states what action to take on emails that do not pass the DMARC check. (There are two other options for the policy level, which we’ll get to in just a few paragraphs.)
  • rua is the aggregate reporting URI (Uniform Resource Identifier). This tells the email receiver where to send the daily aggregate (XML) DMARC reports.
  • ruf is the failure (sometimes called forensic) reporting URI. This tells the email receiver where to send per-message failure reports, though many large mailbox providers don’t send these at all.
  • fo is the failure option. This tells the email receiver which kinds of failures should trigger a failure report.

The “p” and “fo” tags in a DMARC record are related but serve different purposes. The “p” tag stands for “Policy,” which tells receivers what to do with mail that fails DMARC. The “fo” tag, on the other hand, stands for “Failure Options,” which determines when a failure report should be sent back to you if authentication fails.

The “p” tag has three possible values, which tell the inbox how to enforce your DMARC policy: 

  • None — When set to “none,” you’re asking the inbox to take no action based on DMARC, even if the message comes from an unauthenticated source; the inbox’s normal spam filtering still applies. With p=none, someone could spoof your email domain and still land in the inbox. (Heads up: Some DMARC tools refer to this setting as “Monitor only” instead of “None,” but they mean the same thing.)
  • Quarantine — With “quarantine,” you’re telling the inbox that messages that fail DMARC evaluation should be treated as suspicious. In practice, these messages are delivered to a reader’s spam or junk folder — a reader won’t see them in their main inbox.
  • Reject — When DMARC is set to “reject,” you’re telling the inbox that any email that fails DMARC evaluation should be completely rejected. Those emails won’t land in the inbox or the spam folder — they’ll be blocked.

“Quarantine” and “Reject” are also known as the two levels of DMARC enforcement — when set to one of those options, the inbox will automatically take action against any email that fails DMARC, meaning neither an aligned SPF check nor an aligned DKIM signature passed.

The “fo” tag helps you identify what kind of report you’d like to be sent if DMARC fails:

  • 0 — Generate a DMARC failure report only if both SPF and DKIM fail to produce an aligned pass. (If you don’t set an option yourself, your record will default to this.)
  • 1 — Generate a DMARC failure report if either SPF or DKIM fails to produce an aligned pass.
  • d — Generate a report if the DKIM signature fails to verify, regardless of alignment.
  • s — Generate a report if the SPF check fails, regardless of alignment.

The “fo” tag is optional — you don’t have to set this up if you don’t want to. “0” is the default option, and you can combine values with colons (for example, fo=1:d:s). Keep in mind that failure reports only arrive if you’ve also set a “ruf” address, and that many mailbox providers, Gmail included, don’t send them for privacy reasons.
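A small validator for the record format described above, added here as an example (it is not part of the original article or of any DMARC wizard). It checks the tags and values listed above against the rules in RFC 7489 and flags the mistakes that commonly slip through copy-and-paste; the records it is run on are constructed.

```python
"""Added example (not from the original article): parse a DMARC TXT record
and check it before publishing.  Tag names and allowed values follow
RFC 7489; the sample records are constructed."""

import re

_ALLOWED = {
    "p": {"none", "quarantine", "reject"},
    "sp": {"none", "quarantine", "reject"},
    "adkim": {"r", "s"},
    "aspf": {"r", "s"},
    "fo": {"0", "1", "d", "s"},
}
# Report destinations must be mailto: URIs; an optional "!10m" size limit may follow.
_MAILTO = re.compile(r"^mailto:[^@\s]+@[^@\s!]+(![0-9]+[kmgt]?)?$", re.IGNORECASE)


def parse_dmarc_record(txt: str) -> dict:
    """Split 'tag=value; tag=value' into a dict with lower-cased tag names."""
    record = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        tag, value = part.split("=", 1)
        record[tag.strip().lower()] = value.strip()
    return record


def validate_dmarc_record(txt: str) -> list[str]:
    """Return the problems found; an empty list means the record looks sane."""
    try:
        rec = parse_dmarc_record(txt)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    # The version tag is mandatory, must be exactly DMARC1, and must come first.
    if not re.fullmatch(r"v\s*=\s*DMARC1", txt.split(";", 1)[0].strip()):
        problems.append("record must start with v=DMARC1")
    if "p" not in rec:
        problems.append("missing required p= policy tag")
    for tag, allowed in _ALLOWED.items():
        if tag in rec:
            # fo= may list several values separated by colons, e.g. fo=1:d:s
            values = rec[tag].split(":") if tag == "fo" else [rec[tag]]
            bad = [v for v in values if v not in allowed]
            if bad:
                problems.append(f"{tag}= has invalid value(s): {bad}")
    for tag in ("rua", "ruf"):
        for uri in (u.strip() for u in rec.get(tag, "").split(",") if u.strip()):
            if not _MAILTO.match(uri):
                problems.append(f"{tag}= destination is not a mailto: URI: {uri!r}")
    if "pct" in rec and not (rec["pct"].isdigit() and int(rec["pct"]) <= 100):
        problems.append("pct= must be an integer from 0 to 100")
    if rec.get("p") in ("quarantine", "reject") and "rua" not in rec:
        problems.append("enforcing policy with no rua=: you will get no aggregate reports")
    if rec.get("p") == "none" and "rua" not in rec:
        problems.append("p=none with no rua= gives you nothing to monitor")
    return problems
```

The two checks that go beyond syntax are deliberate: a record that enforces without a “rua” address leaves you blind to what is being blocked, and a “p=none” record without one is just a placeholder, since the whole point of the monitoring phase is the reports.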

What level of enforcement will Gmail and Yahoo require?

With Gmail’s announcement requiring DMARC for anyone who sends 5,000 or more daily emails to Gmail inboxes, starting in February 2024 — and with Yahoo following Gmail’s lead to enforce that policy — there’s been increased interest from brands in setting up DMARC.

The good news for any brand setting up DMARC for the first time: Gmail and Yahoo say that your DMARC policy can be set to “none” — you don’t need to turn your policy to “quarantine” or “reject.” That will allow you to set up DMARC quickly, and then decide at a later date whether you should turn your enforcement level to “quarantine” or “reject.” (The same requirements also call for both SPF and DKIM to be set up, and for the From: domain to align with at least one of them, so p=none covers the policy part but not the authentication itself.)

Should I turn DMARC to enforcement right away?

You never want to turn DMARC to “quarantine” or “reject” right away. Always start with p=none — it’s part of the initial phase where you’ll want to monitor everything before turning DMARC to enforcement.

There are a few reasons why you’ll want to start with a monitoring phase. Here’s one: You’ll want to make sure you’ve authenticated every legitimate place you’re sending emails from.

You’re not going to forget to authenticate emails that come from your email service provider — that’s the No. 1 place you send emails from! — but you also need to identify all the other senders of legitimate email. For instance, lots of big companies use HR software, and the HR team may send emails (like a vacation approval request) from your domain. If you haven’t authenticated that software as a legitimate source of email, all of those emails would suddenly be blocked when you turn your policy level to “quarantine” or “reject.”

Sources you haven’t identified are also where spoofing hides. Monitor everything, separate the legitimate senders you’d forgotten about from unknown IP addresses putting your domain in the From: line, and authenticate the legitimate ones.

Or maybe you’ve set up SPF or DKIM for a source but done it incorrectly. With a policy of “none” in place, the reports will show you which sources aren’t correctly authenticated, and you can make the necessary changes before anything gets blocked.

During the monitoring phase, you can track all of this, and keep an eye out for fraudulent sources of email, too.

Once all legitimate email sources have been authenticated, the next step is to change your policy to “quarantine.” (With this enforcement level, an email that fails would still be delivered to spam rather than blocked, which gives you the chance to catch any lingering authentication issues.) If you want to move even more gradually, the optional “pct” tag applies the policy to only a percentage of failing mail (for instance, p=quarantine; pct=10), with the rest handled as if the policy were one step weaker. Finally, the policy can be set to “reject” once your organization is confident that all legitimate email sources have been authenticated.

How do I actually set up DMARC?

Generating a DMARC record is relatively easy. It helps that there are free DMARC wizards that will build one for you with a few clicks.

These tools walk you through the steps to help you create your new DMARC record.

You’ll then take that DMARC record and then enter it into the DNS (or Domain Name System) configuration of your domain. Yours might be hosted through a company like GoDaddy or Bluehost. You need to find the place in your domain where you can manage your DNS settings and add a TXT record. That’s how you’ll add the DMARC record.

In Bluehost, for instance, you’d scroll to “My Domains,” and then click “Manage.” Then you’d scroll down to the list of TXT records and click “Add record.”

You’d copy the host record that the DMARC wizard gave you, which will look something like this:

_dmarc.example.com

Paste that into the host record slot. (Some DNS panels append your domain to the host automatically; if yours does, enter just _dmarc, or you’ll end up publishing the record at _dmarc.example.com.example.com, where no receiver will look for it.)

Then copy the DMARC record itself, which looks like this:

v=DMARC1; p=none; rua=mailto:dmarc@example.com; ruf=mailto:dmarc@example.com; fo=1

Paste that into the TXT value slot.

Finally, you may need to set the TTL (or Time to Live) field, which controls how long DNS resolvers may cache the record before asking for it again. (A short value, such as the minimum, means any fix you make later will be picked up sooner.)

Save the record, and then wait. You can use a tool like dmarcian’s DMARC Inspector, or a command-line DNS lookup of the TXT record at _dmarc.yourdomain, to verify that everything’s set up correctly — though it may take a few hours for resolvers to pick up the new record. (You can also send a test email to a Gmail address and use the instructions, listed earlier in this story, to check that things are updated.)

How do I monitor DMARC?

DMARC reports can be viewed either through an online tool or by receiving XML reports in your inbox.

For those who are less technical, you may want to use a free tool, like Valimail’s DMARC Monitor or Postmark’s DMARC tool, to keep tabs on your DMARC reports. (Both of these tools offer paid upgrades, though those are usually only necessary for organizations with advanced needs.) When using a monitoring tool, you’ll get email addresses to add to your “rua” and “ruf” fields, and the tools will turn all of that data into a series of reports that you can scan through to see what might need adjusting.

This is a screenshot showing which emails passed DMARC, and which didn't.
Here’s an example of what DMARC Monitor looks like. Sources in the green “Mostly Passing” category are in good shape; those in ”Partially Passing” or ”Mostly Failing” might need extra attention.

Or you can get XML reports sent to an inbox of your choice. So you know: You’re going to get a lot of reports sent every day, so you’ll want to filter these into a specific folder or set up a separate inbox just to monitor the reports.

The reports will include a lot of metadata that probably won’t make sense at first glance, so let’s take a closer look at a sample DMARC report that you would usually find in an XML file.

Report Metadata

This section provides information about the report itself: the organization that generated it (the mailbox provider), a contact address, a report ID, and the date range the report covers. (Real reports give the begin and end times as Unix timestamps rather than the readable dates shown here.)

<report_metadata>
<org_name>Example Corp</org_name>
<email>noreply@example.com</email> <extra_contact_info>https://www.example.com/contact</extra_contact_info>
<report_id>1234567890</report_id>
<date_range>
<begin>2022-01-01T00:00:00Z</begin>
<end>2022-01-01T23:59:59Z</end>
</date_range>
</report_metadata>

Policy Published

This section shows the DMARC policy published by the domain owner, as the receiver read it at the time: the policy for the domain (“p”) and for its subdomains (“sp”), the alignment modes for DKIM (“adkim”) and SPF (“aspf”) — “r” for relaxed, “s” for strict — and the percentage of failing mail the policy applies to (“pct”).

<policy_published>
<domain>example.com</domain>
<adkim>r</adkim>
<aspf>r</aspf>
<p>reject</p>
<sp>none</sp>
<pct>100</pct>
</policy_published>

Results

This section provides a breakdown of the results for each sending IP address, along with how many messages it sent during the reporting period. The “policy_evaluated” block shows the aligned SPF and DKIM results the receiver based its decision on, and the disposition it applied. In this example, DKIM passed and aligned, so the message passed DMARC and the disposition is “none” despite a “reject” policy; DMARC only needs one of the two checks to pass.

<record>
<row>
<source_ip>192.0.2.1</source_ip>
<count>10</count>
<policy_evaluated>
<disposition>none</disposition>
<dkim>pass</dkim>
<spf>fail</spf>
</policy_evaluated>
</row>
</record>

Identifier Alignment

This section shows the domain that appeared in the “From” header, which is the domain every alignment check is measured against: the DKIM signing domain and the SPF-checked domain in the Authentication Results below have to match it (exactly under strict alignment, or at the organizational-domain level under relaxed alignment) for their results to count. Alignment is what stops someone from passing SPF and DKIM for a domain they own while showing your domain to the reader.

<identifiers>
<header_from>example.com</header_from>
</identifiers>

Authentication Results

This section provides the raw results of the SPF and DKIM checks, before alignment is considered. It shows whether the email passed or failed authentication for each mechanism and for which domain, which is how you spot a source that authenticates fine but for the wrong domain (a common case for mail sent through a third-party platform).

<auth_results>
<dkim>
<domain>example.com</domain>
<result>pass</result>
</dkim>
<spf>
<domain>example.com</domain>
<result>fail</result>
</spf>
</auth_results>

What the reports don’t include

Aggregate reports contain no message contents, no subject lines, and no recipient addresses: just counts per sending IP address and the authentication results. Per-message details come only from failure reports (the “ruf” address), which arrive as separate messages in a different format, and most large mailbox providers, Gmail included, don’t send those at all. Plan on the aggregate reports being your main, and often your only, source of data.
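Pulling the sections above together, here is an added example (not from the original article) that reads a complete aggregate report and summarizes it per sending IP. The report XML is constructed in the RFC 7489 layout, using documentation IP ranges; the mailbox provider and platform names in it are made up.

```python
"""Added example (not from the original article): parse a DMARC aggregate
(rua) report and summarize it per sending source.  SAMPLE_REPORT is a
constructed report in the RFC 7489 layout, using documentation IP ranges;
real reports give date_range as Unix timestamps, as shown here."""

import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<feedback>
  <report_metadata>
    <org_name>Example Mailbox Provider</org_name>
    <email>noreply-dmarc@mail.example</email>
    <report_id>1234567890</report_id>
    <date_range><begin>1640995200</begin><end>1641081599</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain>
    <adkim>r</adkim><aspf>r</aspf>
    <p>reject</p><sp>none</sp><pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>192.0.2.1</source_ip><count>10</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><selector>s1</selector><result>pass</result></dkim>
      <spf><domain>bounce.esp.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.7</source_ip><count>3</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <spf><domain>attacker.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def summarize_report(xml_text: str) -> dict:
    """Group the report's rows by source IP with the aligned results."""
    root = ET.fromstring(xml_text)
    pol = root.find("policy_published")
    summary = {
        "reporter": root.findtext("report_metadata/org_name"),
        "domain": pol.findtext("domain"),
        "policy": pol.findtext("p"),
        "sources": {},
    }
    for rec in root.findall("record"):
        ip = rec.findtext("row/source_ip")
        # policy_evaluated holds the *aligned* SPF/DKIM results the receiver
        # based its DMARC verdict on; auth_results holds the raw outcomes,
        # which can pass for a domain that is not yours (see 198.51.100.7).
        dkim_aligned = rec.findtext("row/policy_evaluated/dkim") == "pass"
        spf_aligned = rec.findtext("row/policy_evaluated/spf") == "pass"
        summary["sources"][ip] = {
            "count": int(rec.findtext("row/count")),
            "dmarc_pass": dkim_aligned or spf_aligned,
            "disposition": rec.findtext("row/policy_evaluated/disposition"),
            "header_from": rec.findtext("identifiers/header_from"),
            "dkim_domains": [d.findtext("domain") for d in rec.findall("auth_results/dkim")],
            "spf_domain": rec.findtext("auth_results/spf/domain"),
        }
    return summary


def failing_sources(summary: dict) -> list[str]:
    """IPs that used your domain in From: but never produced an aligned pass.
    During the p=none phase these are your to-do list: forgotten legitimate
    senders to authenticate, or spoofers you will block at enforcement."""
    return [ip for ip, s in summary["sources"].items() if not s["dmarc_pass"]]
```

Reading the two records the way a monitoring tool would: the first source is the newsletter platform, whose SPF passes for its own bounce domain and therefore shows as “fail” after alignment, but its DKIM signature for example.com carries the message through. The second source passes SPF for attacker.example, aligns with nothing, and is rejected; with a policy of “none,” the same row would show a disposition of “none,” which is exactly the kind of line you are looking for in the monitoring phase.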

If you choose to receive these reports, review them a few times a week to make sure you’re seeing the results you expect. And remember: DMARC is not a set-it-and-forget-it solution. DMARC reports should be monitored regularly to reduce the chance of spoofing.

Let’s wrap this all up

DMARC is a valuable tool for businesses to implement to prevent email fraud and phishing attacks. By regularly monitoring DMARC reports, senders can identify unauthorized use of their domains and take steps to reduce spoofing, ensuring the security of email communications.

If you’re sending large volumes of emails, setting up DMARC is one of the simplest ways to keep your email communication and reputation secure. It does require a bit of technical work to set up, but it’s something every big brand or email sender should strongly consider implementing.

By Yanna-Torry Aspraki

Yanna-Torry is a Canadian-born, Netherlands-based email and deliverability specialist at EmailConsul, a new deliverability monitoring tool. In 2020, Litmus gave her their first-ever Coach Award for her work serving the email community. You can follow her on LinkedIn or Twitter.