
Cordial DNS Records: DMARC

Overview

DMARC stands for Domain-based Message Authentication, Reporting, and Conformance. It is a DNS text record that uses the SPF and DKIM DNS records to authenticate your email and reject email that does not pass that same authentication.

When properly set up, DMARC causes email that does not come from an authorized server to be rejected before it enters the mailboxes of most of the major ISPs around the world.

What does the DMARC record look like?

_dmarc.yourdomain.com     txt     v=DMARC1; p=none; fo=1; rua=mailto:dmarc@rua.yourdomain.com,mailto:dmarc_agg@dmarc.250ok.net; ruf=mailto:dmarc@ruf.yourdomain.com,mailto:dmarc_fr@dmarc.250ok.net

How does DMARC work?

The receiving server looks at the various DNS records including SPF, DKIM, and DMARC. There is a part of the DMARC record that tells the receiving server what to do with any message that fails to pass DMARC.

There are three different policy settings (the p tag) within the DMARC record:

  • p=none – Don’t do anything with the message, but log it for me.
  • p=quarantine – Move the messages to the bulk folder.
  • p=reject – Bounce the message before entering the domain of the ISP.

If the message passes SPF and DKIM, and the domain aligns with each record, the message would pass DMARC and get delivered.

If the message fails SPF and/or DKIM, then the receiving server does whatever the DMARC record says to do based on: p=x, where x is none, quarantine, or reject. There are different levels of passing depending on variables within the DMARC record.
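
The following Python is an added example, not part of the original article: it parses the sample record shown earlier, checks the p policy, and lists rua/ruf report destinations that sit outside the sending domain, which under RFC 7489 must publish an authorization record before reports are sent to them. The function names are illustrative, and the same-domain test is a plain suffix match rather than a full organizational-domain lookup.

```python
# Added example (not Cordial's code). DOMAIN is the page's placeholder domain.
DOMAIN = "yourdomain.com"
RECORD = ("v=DMARC1; p=none; fo=1; "  # record text copied from the page
          "rua=mailto:dmarc@rua.yourdomain.com,mailto:dmarc_agg@dmarc.250ok.net; "
          "ruf=mailto:dmarc@ruf.yourdomain.com,mailto:dmarc_fr@dmarc.250ok.net")

def parse_dmarc(record):
    """Split a DMARC record into an ordered list of (tag, value) pairs."""
    pairs = []
    for part in record.split(";"):
        tag, sep, value = part.strip().partition("=")
        if not tag and not sep:
            continue  # tolerate a trailing semicolon
        if not tag or not sep:
            raise ValueError(f"malformed tag: {part!r}")
        pairs.append((tag.strip().lower(), value.strip()))
    return pairs

def external_report_hosts(tags, domain):
    """Mail hosts of rua/ruf destinations that fall outside `domain`."""
    hosts = []
    for key in ("rua", "ruf"):
        for uri in tags.get(key, "").split(","):
            scheme, _, address = uri.strip().partition(":")
            if scheme.lower() != "mailto":
                continue
            # Drop an optional "!size" suffix, then keep the part after "@".
            host = address.split("!")[0].rpartition("@")[2].lower()
            # Simplification: RFC 7489 compares organizational domains.
            inside = host == domain or host.endswith("." + domain)
            if not inside and host not in hosts:
                hosts.append(host)
    return hosts

def audit_dmarc(record, domain):
    """Return a list of findings for the record published at _dmarc.<domain>."""
    pairs = parse_dmarc(record)
    tags, findings = dict(pairs), []
    if not pairs or pairs[0] != ("v", "DMARC1"):
        findings.append("record must begin with v=DMARC1")
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid p= policy")
    elif policy == "none":
        findings.append("p=none: failing mail is only logged, no action taken")
    for host in external_report_hosts(tags, domain):
        findings.append(f"external report host {host} needs TXT "
                        f"{domain}._report._dmarc.{host}")
    return findings
```

Calling audit_dmarc(RECORD, DOMAIN) returns two findings for the sample record: the monitoring-only policy and the third-party report host dmarc.250ok.net.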

Why do I need to use DMARC?

Having DMARC in place does several things:

  • It greatly reduces spammers' ability to use your “from” domain for phishing. If someone in another part of the world uses your domain, it will likely fail SPF and DKIM so the message never makes it to your recipient.
  • By eliminating fake emails, your recipients are more likely to open your mail.
  • The ISPs love to see a DMARC record in place because it helps to catch spammers.
  • It gives you the opportunity to get a BIMI DNS record in place. This record gets your logo next to your message in the inbox at Yahoo. This also increases the level of confidence your clients will have knowing the message you sent is legitimate.

Is this a record that needs frequent updating?

Once you have moved from p=none to p=reject, your DMARC record will not need to be updated. All changes will occur within the SPF or DKIM record. If you choose to send your reports to different/additional email addresses, the DMARC record will need to be updated.

Additional resources

Official DMARC Website
Open SPF
Gmail's Bulk Senders Page
BIMI Specs
BIMI Group
