- What does DMARC mean and what is it?
- What does the DMARC record look like?
- How does DMARC work?
- Why do I need to use DMARC?
- Is this a record that needs frequent updating?
- Additional Resources
What does DMARC mean and what is it?
DMARC stands for Domain-based Message Authentication, Reporting and Conformance.
It is a DNS TXT record that builds on the SPF and DKIM DNS records to authenticate your email and to have receivers reject email that does not pass that same authentication.
When properly set up, DMARC causes email that does not come from an authorized server to be rejected before it enters most of the major ISPs around the world.
What does the DMARC record look like?
_dmarc.yourdomain.com txt v=DMARC1; p=none; fo=1; rua=mailto:email@example.com,mailto:firstname.lastname@example.org; ruf=mailto:email@example.com,mailto:firstname.lastname@example.org
How does DMARC work?
The receiving server looks at the various DNS records including SPF, DKIM and DMARC. There is a part of the DMARC record that tells the receiving server what to do with any message that fails to pass DMARC.
There are 3 different settings within the DMARC record:
p=none – Don’t do anything with the message but log it for me
p=quarantine – Move the messages to the bulk folder
p=reject – Bounce the message before it enters the domain of the ISP
If the message passes SPF and DKIM, and the domain aligns with each record, the message would pass DMARC and get delivered.
If the message fails SPF and/or DKIM, then the receiving server does whatever the DMARC record says to do based on p=x where x is none, quarantine, or reject. There are different levels of passing depending on variables within the DMARC record.
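The record format and the three p= settings described above can be checked mechanically before a record is published. The Python below is an added example, not part of the original page or of any DMARC tool; the names parse_dmarc, check_dmarc and POLICY_ACTIONS are hypothetical, and the sample input is the record shown on this page.

```python
# Added example (not from the original page): parse and sanity-check a DMARC record value.
POLICY_ACTIONS = {  # receiver behaviour for each p= value, as listed on this page
    "none": "do nothing with the message, only log it",
    "quarantine": "move the message to the bulk folder",
    "reject": "bounce the message",
}

def parse_dmarc(txt):
    """Split a DMARC TXT value into a dict of tag -> value, keeping tag order."""
    tags = {}
    for part in (p.strip() for p in txt.split(";")):
        if not part:
            continue  # tolerate a trailing semicolon
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        name, value = part.split("=", 1)
        name = name.strip().lower()
        if name in tags:
            raise ValueError(f"duplicate tag: {name}")
        tags[name] = value.strip()
    return tags

def check_dmarc(txt):
    """Return (policy, report_addresses, warnings) for a DMARC record value."""
    tags = parse_dmarc(txt)
    # RFC 7489: v=DMARC1 must be the first tag, and a p= tag is required.
    if next(iter(tags.items()), None) != ("v", "DMARC1"):
        raise ValueError("record must start with v=DMARC1")
    policy = tags.get("p", "").lower()
    if policy not in POLICY_ACTIONS:
        raise ValueError(f"missing or invalid p= tag: {policy!r}")
    addresses, warnings = [], []
    for tag in ("rua", "ruf"):
        for uri in filter(None, (u.strip() for u in tags.get(tag, "").split(","))):
            if uri.lower().startswith("mailto:"):
                addresses.append((tag, uri[7:]))
            else:
                warnings.append(f"{tag} URI is not mailto: {uri}")
    if policy == "none":
        warnings.append("p=none only monitors; failing mail is still delivered")
    if "rua" not in tags:
        warnings.append("no rua= address; aggregate reports will not be sent")
    return policy, addresses, warnings

# Sample input: the record value shown on this page.
SAMPLE = ("v=DMARC1; p=none; fo=1; "
          "rua=mailto:email@example.com,mailto:firstname.lastname@example.org; "
          "ruf=mailto:email@example.com,mailto:firstname.lastname@example.org")
```

Calling check_dmarc(SAMPLE) returns the policy none, four report addresses, and one warning that p=none only monitors.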
Why do I need to use DMARC?
Having DMARC in place does several things.
- Greatly reduces the ability of spammers to use your “from” domain for phishing. If someone in another part of the world uses your domain, it will likely fail SPF and DKIM so the message never makes it to your recipient.
- By eliminating “fake” emails, your recipients are more likely to open your mail.
- The ISPs love to see a DMARC record in place. The ISPs love anything that helps to catch spammers.
- Allows you the opportunity to get a BIMI DNS record in place. This record gets your logo next to your message in the inbox at Yahoo. This also increases the level of confidence your clients will have knowing the message you sent is legitimate.
Is this a record that needs frequent updating?
Once you have moved from p=none to p=reject, your DMARC record will not need to be updated. All changes will occur within the SPF or DKIM record. If you choose to send your reports to different/additional email addresses, the DMARC record will need to be updated.