DMARC, or Domain-based Message Authentication, Reporting, and Conformance, is a proposed standard for email authentication and for the handling of fraudulent email. It is the next step in taking control of your email deliverability and in increasing security to keep phishing and fake emails from getting through. Building on SPF and DKIM, your DMARC policy instructs receiving mail servers to accept or reject email from spoofers pretending to be you, or simply to notify you when such email is received. Not all email servers check your domain for a DMARC record, but major ISPs such as Yahoo, Gmail, Microsoft, and AOL are beginning to check for this authentication, and more are following. This isn't a passing fad but one more step in the quest for better email security.
What does DMARC do?
Your DMARC policy can do several things.
- Notify you of email sent from your domain that fails the authentication check.
- Instruct email servers to junk or reject email failing the authentication check.
- Improve your sending reputation and successful delivery using this added security and spoofing prevention.
The DMARC record is added to your domain's DNS, just as you would add the TXT records for SPF and DKIM or the CNAME for your Custom Tracking Domain. **Before moving forward, first create your SPF and DKIM records.**
At the end of this process, your DMARC record may look something like this:
v=DMARC1; p=reject; rua=mailto:firstname.lastname@example.org; ruf=mailto:email@example.com
You must decide how you want messages that fail the authentication check to be handled. Should they be delivered? Do you want to be notified? Should they be junked or rejected? These decisions dictate what your resulting DMARC record will be.
Step 1: "v=DMARC1"
This tag instructs the recipient server to run the DMARC authentication check.
Step 2: "p=none" "p=quarantine" "p=reject"
There can only be one "p=" tag. It instructs the recipient server what to do with email messages that fail the authentication check. The options are: do nothing ("p=none"), move the message to spam ("p=quarantine"), or reject the message outright ("p=reject"). If you use "p=none", you still receive reports of who is sending the failing email, giving you insight into how your domain is being used by others.
Step 3: "rua=mailto:firstname.lastname@example.org"
This tag instructs the recipient server to send daily aggregate reports of DMARC failures to any address you specify here.
Step 4: "ruf=mailto:email@example.com"
This tag instructs the recipient server to send the details of each individual DMARC failure that it receives to an address at the domain using DMARC. (This address cannot belong to another domain.)
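The four tags above can be checked mechanically before you publish the record. This is an added example, not JangoMail's code: it parses a DMARC TXT string, enforces the rules described in Steps 1 to 4 (a leading v=DMARC1, a single valid p= tag, and a ruf= address at the publishing domain) and reports what the policy will actually do. The domain name passed to check_record is a constructed value; SAMPLE_RECORD is the record shown earlier on this page.

```python
"""Parse and sanity-check a DMARC TXT record (added example, not JangoMail code)."""

VALID_POLICIES = {"none", "quarantine", "reject"}

# The example record from this page, used as sample input.
SAMPLE_RECORD = ("v=DMARC1; p=reject; rua=mailto:firstname.lastname@example.org; "
                 "ruf=mailto:email@example.com")


def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=reject; rua=...' into a tag -> value dict.

    Raises ValueError if a tag is malformed or duplicated, the record does not
    begin with v=DMARC1, or the p= value is missing or unknown.
    """
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        name, value = (s.strip() for s in part.split("=", 1))
        if name in tags:                      # only one p= (or any other) tag is allowed
            raise ValueError(f"duplicate tag: {name}")
        tags[name] = value
    if next(iter(tags), None) != "v" or tags["v"] != "DMARC1":
        raise ValueError("record must begin with v=DMARC1")
    if tags.get("p") not in VALID_POLICIES:
        raise ValueError("p= must be none, quarantine or reject")
    return tags


def report_addresses(tags: dict, key: str) -> list:
    """Return the mailbox addresses listed in rua= or ruf= (comma-separated mailto: URIs)."""
    uris = [u.strip() for u in tags.get(key, "").split(",") if u.strip()]
    return [u[len("mailto:"):] for u in uris if u.startswith("mailto:")]


def check_record(domain: str, record: str) -> list:
    """Return human-readable findings for a record published on `domain` (constructed input)."""
    tags = parse_dmarc(record)
    findings = []
    if tags["p"] == "none":
        findings.append("p=none: failures are only reported, never junked or rejected")
    if not report_addresses(tags, "rua"):
        findings.append("no rua= address: you will receive no aggregate reports")
    for addr in report_addresses(tags, "ruf"):
        if addr.rsplit("@", 1)[-1].lower() != domain.lower():
            findings.append(f"ruf= address {addr} is not at {domain}; receivers may ignore it")
    return findings
```

Running check_record("example.com", SAMPLE_RECORD) returns an empty list, while publishing the same record on example.org flags the ruf= address.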
Email Addresses with Free Providers
Free email providers such as AOL, Yahoo, and Gmail have implemented or are implementing reject policies in their DMARC records. Email sent with an @yahoo.com From Address that fails the SPF and DKIM check will be rejected. Any email sent from a third-party ESP like JangoMail will not pass this check, so if you're still using an address like this, contact Support for help getting your own domain set up!
- Return Path has more information on additional/optional tags in this blog post.
- Extensive FAQs can be found on the DMARC.org website.