DMARC

Email providers such as Google now require sending domain names to have SPF, DKIM, and DMARC records within their DNS settings for authentication purposes. Failing to do so may result in your messages bouncing if you are a high volume sender. We’ve provided a brief guideline below on DMARC and how you can construct your own DMARC record. We recommend you familiarize yourself with it, but you can also skip to the ‘Short Version’ section at the end for a quick resolution if your email is already bouncing.

DMARC (Domain-based Message Authentication, Reporting & Conformance) is an email authentication policy and reporting protocol used on top of the SPF and DKIM protocols. Fundamentally, it specifies what to do with email that fails SPF and DKIM checks, and it adds a level of “alignment” ensuring that domains and/or email addresses line up so what the receiver sees matches the envelope and technical details.

Alignment requires that the technical information used to check SPF and DKIM matches what the user sees in the FROM header shown in the email message, and can be specified as either strict or relaxed. SPF alignment requires the RETURN PATH header, also called the “envelope FROM”, to match the message FROM header which the end uses sees when he/she reads the email, with relaxed alignment only the domain name part of the email addresses must match, while with strict alignment the addresses must match in their entirety. For DKIM alignment, the domain indicated in the d= field of the DKIM record is required to match the domain from the message FROM header, with strict alignment, meaning the match must be exact, while relaxed allows for d= to be a subdomain of the from the domain.

DMARC specification allows for the fact that email-sending infrastructure can be complex and that for an organization to implement this all at once could result in lost email due to several causes, including 3rd party providers with different configurations. It includes several methods for gradually implementing DMARC, so that organizations can ease into full deployment over time.

To implement DMARC safely, it is best to follow the steps below:

1. Deploy DKIM & SPF.
2. Ensure that your mailers are correctly aligning the SPF and DKIM identifiers as outlined above.
3. Publish a DMARC record using “p=none”, including the rua field to make sure you receive data reports.
4. Analyze the data and modify your mail streams as appropriate.
5. Modify your DMARC policy from “none” to “quarantine”, and then on to “reject” as you gain experience. It is advisable to use the pct= field to gradually increase the percentage of emails which is subject to quarantine or reject actions.

DMARC records need to be created under the hostname _dmarc.example.com, and consist of a TXT record including some or all of the following fields.

Tag Description Example

• v
  Protocol version v=DMARC1
• pct
  Percentage of messages subjected to filtering pct=20
• ruf
  Reporting URI for forensic reports ruf=mailto:forensic@example.com
• rua
  Reporting URI of aggregate reports rua=mailto:aggregate@example.com
• p
  Policy for organizational domain p=none, quarantine, reject
• sp
  Policy for subdomains of the OD sp=none, quarantine, reject
• adkim
  Alignment mode for DKIM adkim=r(relaxed), s(strict)
• aspf
  Alignment mode for SPF aspf=r(relaxed), s(strict)

A typical DMARC record might look like

“v=DMARC1;p=reject;pct=50;rua=mailto:postmaster@example.com”

This would indicate that 50% of DMARC failures should be bounced, and the aggregate reports should be sent to postmaster@example.com.

SHORT VERSION

DMARC (Domain-based Message Authentication, Reporting & Conformance) is an email authentication policy and is used on top of  SPF and DKIM records. To implement DMARC you’ll need to do the following:

1. We recommend using a ‘professional’ email address based on a custom domain name you own. For example, you’ll want to send an email from you@mydomain.com instead of you@gmail.com.
2. Before you can enter a DMARC record you will need to create an SPF and DKIM record.
   
   If you are using our easyMail service and need to enable these records then go HERE for further instructions on how to do so. Users with third-party email providers will need to get these records from their current email provider and enter them within their DNS settings. For further details on how to make updates to your DNS, please go HERE.
3. Enter your DMARC record or use the following generic record under the TXT Records:

HOST
_dmarc.yourdomain.com

VALUE
v=DMARC1; p=none; rua=mailto:you@youremail.com; ruf=mailto:address@example.com