DMARC: What is it? How to set it up?
.png)
Email deliverability is crucial for any sender reaching out to leads, customers and audiences via email. However, technical aspects need to be addressed to ensure your emails reach their intended recipients. One of these crucial technical aspects is setting up DMARC records.
In this article, we'll explore:
What a DMARC record is and why it's important
Who needs to set up their DMARC record
How to set up your DMARC record for:
Common questions on DMARC Records
What is a DMARC record?
DMARC stands for Domain-based Message Authentication, Reporting & Conformance. It is a protocol that checks emails to make sure they're legit. It uses SPF and DKIM records to do this.
By using a DMARC record, the receiver of an email can check that the email is really from the claimed domain and that it aligns with both the SPF and DKIM records. The main goal of DMARC is to make email more trustworthy and secure.
What does DMARC do?
DMARC leverages the authentication results of both SPF and DKIM.
For a DMARC check to pass, it requires not only SPF or DKIM to pass but also a domain alignment. The domain in the 'From' address should match or align with the SPF or DKIM domain.
The DMARC policy (published in a DMARC record within the domain's DNS) specifies how to handle emails that fail this check.
The policies can be:
→ p=none (do nothing)
→ p=quarantine (potentially put it in spam)
→ or p=reject (discard the message).
Who needs to set up their DMARC records?
DMARC offers visibility into email flows, which helps in identifying potential attackers trying to spoof your domain. Implementing DMARC best practices is crucial for any company aiming to protect its brand and its customers.
1. For any company sending emails to their audience: It'll help protect your brand from fraudulent emails.
2. For e-commerce platforms & banks: It'll ensure that transactional emails are genuine and reduces the risk of phishing attacks.
3. For Email Service Providers: It'll improve the delivery of genuine emails by authenticating them.
How to set up your DMARC record on Google?
Step 1: Sign in to your domain provider
Step 2: Navigate to the page to edit your domain’s DNS records
It can sometimes be called “DNS Management”, “Name Server Management”, or “Advanced Settings”.
Step 3: Add your DMARC to your DNS records
They will look something like this:
Step 4: Check that your new setup works
You can test your technical setup here. Also make sure to use a warm-up and deliverability booster like lemwarm to monitor your deliverability. It will also alert you in case of any deliverability issues.
How to set up your DMARC record on Microsoft?
Step 1: Sign in to your domain provider
Step 2: Navigate to the page to edit your domain’s DNS records
It can sometimes be called “DNS Management”, “Name Server Management”, or “Advanced Settings”.
Step 3: Add your DMARC to your DNS records
They will look something like this:
Copy-paste the following text:
Step 4: Check that your new setup works
You can test your technical setup here. Also make sure to use a warm-up and deliverability booster like lemwarm to monitor your deliverability. It will also alert you in case of any deliverability issues.
How to set up your DMARC record on Zoho mail?
Step 1: Sign in to your domain provider
Step 2: Navigate to the page to edit your domain’s DNS records
It can sometimes be called “DNS Management”, “Name Server Management”, or “Advanced Settings”.
Step 3: Add your DMARC to your DNS records
They will look something like this:
Step 4: Check that your new setup works
You can test your technical setup here. Also make sure to use a warm-up and deliverability booster like lemwarm to monitor your deliverability. It will also alert you in case of any deliverability issues.
How to set up your DMARC record on other providers?
Step 1: Sign in to your domain provider
Step 2: Navigate to the page to edit your domain’s DNS records
It can sometimes be called “DNS Management”, “Name Server Management”, or “Advanced Settings”.
Step 3: Add your DMARC to your DNS records
They will look something like this:
Step 4: Check that your new setup works
You can test your technical setup here. Also make sure to use a warm-up and deliverability booster like lemwarm to monitor your deliverability. It will also alert you in case of any deliverability issues.
Common DMARC questions
1. How to fix 554 5.7.5 permanent error evaluating DMARC policy?
If you get the error "554 5.7.5 Permanent error evaluating DMARC policy" when sending emails, it means the receiving server couldn't check your DMARC policy.
This can stop your emails from being delivered.
Here's what you can do to fix it:
- Check your DMARC record:
Use online tools to check your DMARC record and make sure there are no mistakes. The only valid policies are p=none, p=quarantine, and p=reject.
- Check SPF and DKIM:
Use online tools to verify your SPF and DKIM setups. Make sure the sending IP is listed in your SPF record and that the public key in the DNS matches the private key on the sending server.
- Check for Alignment:
Make sure the domain used in SPF or DKIM matches the domain in the 'From' header.
- Review DMARC Policy:
If your policy is set to p=reject or p=quarantine, consider changing it to p=none while you troubleshoot. Once issues are fixed, you can revert to a stricter policy if desired.
- Monitor DMARC Reports:
Check DMARC reports to see which servers are sending emails on your behalf and if they're failing or passing DMARC checks.
- Ensure your Mail Server's Clock is Correct:
Check that your mail server's clock is accurate to prevent DKIM signature issues.
If none of these steps solve the error, reach out to your email provider for more details.
2. How to set up DMARC on GoDaddy?
If you're using GoDaddy as your DNS provider, follow the specific instructions in this linked guide. Typically, you will log in to your GoDaddy account, navigate to the DNS management page, and add a new TXT record with your DMARC details.
Here are some more guides for:
How to add your DMARC records on Namecheap
How to add your DMARC records on Cloudflare
3. How to read a DMARC report
DMARC reports, specified by the "rua" tag in the DMARC record (for instance, rua=mailto:reports@example.org), provide insights on who is sending mail on behalf of your domain. These reports are invaluable for tuning and maintaining your DMARC policy.
The interval for reviewing DMARC reports may vary based on the volume of emails your organization sends. However, frequent checks enhance visibility and ensure attackers aren't exploiting your domain.
Understanding your DMARC reports is essential in tracking authentication success and potential issues.
You can use tools like SEMRush to analyze these reports, identifying:
- The IP addresses sending emails on behalf of your domain.
- The alignment success rate.
- Any ongoing or attempted phishing activities.
4. Is DMARC better than SPF?
SPF allows senders to specify which servers are permitted to send email on behalf of a given domain. It checks the return-path domain against a list of authorized sending IPs in the DNS. If a received email comes from an unauthorized server, it may be marked as spam or rejected.
DMARC, on the other hand, builds upon both SPF and DKIM. It introduces a policy that a domain owner can publish to guide receivers on how to handle emails that fail these checks. This can range from doing nothing (p=none), sending it to quarantine (potentially marking it as spam), or outright rejecting the email. Additionally, DMARC provides domain alignment features to ensure the authenticity of the sending domain and offers visibility into email flows through DMARC reports.
In essence, DMARC complements SPF by adding an additional layer of security, authentication, and reporting. So, it's not that DMARC is "better" than SPF; instead, when DMARC is used in conjunction with SPF (and DKIM), it offers a more comprehensive approach to secure email communication for an organization.
5. What is the difference between DKIM and DMARC?
DKIM:
- Authentication: DKIM lets senders sign emails, proving the email's content wasn't altered during transit.
- Verification: Email receivers check the DKIM signature using the sender's public key from their DNS.
DMARC:
- Policy: DMARC dictates how receivers should handle emails failing authentication (monitor, quarantine, or reject).
- Alignment & Reporting: Ensures the 'From' domain matches the SPF or DKIM domain and provides feedback via DMARC reports.
In essence, DKIM ensures email integrity, while DMARC sets the rules for handling and offers insights on email traffic. Both work together for robust email security.
In conclusion, DMARC records are an indispensable tool in the cybersecurity toolkit for any organization or individual. By understanding and implementing DMARC, you are taking a significant step towards more secure and trustworthy email communication. If you have any specific questions or need personalized guidance, don't hesitate to reach out to our team of experts.
What other technical settings do I need to complete?
If you've just set up your SPF records, congrats on the first step! To keep your emails out of spam and ensure they reach your audience's inboxes, there are 4 other technical settings to complete:
- SPF (Sender Policy Framework): This verifies that your emails have been sent from your domain.
- DKIM (DomainKeys Identified Mail): This guarantees that your emails are not changed after they are sent.
- MX Records: This helps providers know what servers accept emails for your domain. Without it, you won’t be able to receive emails.
- Custom Tracking Domain: This allows you to track open and click rates in your emails safely.
Once you've completed your setup, use this free Deliverability Tester to ensure all settings are in place!
