What is DMARC and Why Should You Use It?

The recipients of your email messages can use the SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) records you have created to validate your email and apply policies once they recognize your email as authentic and reject email that purports to come from you but isn’t. This help builds trust in the email messages you send.

There is another email technology that you might not have considered that takes these two, SPF and DKIM, and extends them by giving you more control and influence on how they are used by your email message recipients. It’s called DMARC (Domain-Based Authentication, Reporting and Conformance) and it can help you take greater control of what happens with your emails once you send them.

Why use DMARC?

There are two main reasons to consider using DMARC for your sending domains:

1. You can tell your recipient’s email admins what to do with email that has failed authentication.

If you send email messages out that you are concerned may be spoofed, you can explicitly tell recipients that if the SPF/DKIM checks fail they should reject or quarantine that message. This is useful if you want your recipients to be 100 percent sure that email that says it is from one of your sending domains is actually from you. This will always build trust in your domains and your brand.

2. You can get feedback and reporting on your authentication from the recipients you send to.

DMARC produces two kinds of reports. Aggregate reports give you the email message header data and the reported information, such as the disposition of the messages, that show what the recipient actually did with the messages.

Forensic reports are similar to abuse reports that go through the email server Feedback Loops (FBL). They are edited copies of the actual email messages that have failed SPF, DKIM or both. These are helpful in tracking down any snags along the way as DMARC is implemented.

There are also products out there that will help you analyze your DMARC reports from companies such as Dmarcian, ValiMail, ReturnPath, 250ok and many others.

What does a DMARC record look like?

In some ways, DMARC records look a lot like SPF records. They are a DNS TXT record with tags that have a name and a value. They will always have the _dmarc subdomain, so it is easy to check whether a sending domain has DMARC already. For the fictitious domain domain.tld, the DMARC record would be at _dmarc.domain.tld.

If you see you have already implemented DMARC and have a DMARC record for your sending domain(s) that has a policy of quarantine or reject, and you haven’t already configured ClickDimensions to support it (it will be a name/value pair that looks like p=quarantine or p=reject; ), you will want to reach out to us in a support ticket. We can check that you have everything in place and, if you don’t, start the process of setting up a supporting configuration for you.

An example record could look like:

In this case, the DMARC record has values for the:

There are other tags that are used as part of DMARC, such as alignment modes and more. You can delve deeper into the technology at https://dmarc.org.

What are the steps for implementing DMARC?

Like any marketing technology project, DMARC should be planned for, but the technology is mature and well-understood, and the path should be straightforward:

1. Deploy SPF.

2. Deploy DKIM.

3. Test to be sure that all your sent email messages are correctly aligning the appropriate identifiers.

4. Publish a DMARC record with the “none” flag set for the policies, which requests data reports.

5. Observe and analyze the data you receive and modify email configuration if needed.

6. Modify your DMARC policy flags from “none” to “quarantine” to “reject” as you gain more data and are confident that every email you send out is being correctly authenticated.

DMARC is a powerful tool that can help you to analyze all your outbound email, no matter the platform you sent it from.

Happy Marketing!