What is DMARC policy
Domain-based Message Authentication, Reporting, and Conformance (DMARC) is an email sender authentication policy based on the DKIM and SPF protocols. This policy determines how the recipient email server should process incoming emails if the sender’s address is not identified.
Why DMARC is important
DMARC policy protects domain owners from harmful effects of fraudulent activities. Attackers send fraudulent emails from domain names of reputable companies. Recipients mark such emails as spam, and as a result, the reputation of the domain from which they are sent suffers.
How DMARC works
When an email is sent by the domain, the recipient's email server verifies whether or not the email address in the "From" line matches the SPF record and DKIM signature. If yes, the email is sent to the recipient’s inbox. If the email fails authentication checks, it is processed according to the selected DMARC policy:
- none — the email falls into the recipient’s inbox. The domain name owner receives a report with information about sending such messages to analyze who sends them and whether they are allowed to do so.
- quarantine — the email server of the recipient moves the email to the spam folder, and domain owners continue to analyze the data.
- reject — emails that do not pass the DMARC check are rejected and are not delivered at all. If you set this type of policy, make sure that third parties who are allowed to send messages from your domain are added to the whitelist. Otherwise, their emails will also be rejected. This also applies to CRM systems and email services providers.
Email campaigns and DMARC policy
Some free email clients, such as AOL, Yahoo use DMARC policy to prohibit email campaigns through third-party email services providers. Therefore, SendPulse, like other email service providers, limits sending email campaigns from addresses with such domain names.
We recommend registering your domain and setting up an email address for it. You can also use an email client that has not yet implemented DMARC policy. But such a solution does not guarantee the delivery of emails to recipients and they can still land into the spam folder.
How to set up DMARC
- Revise emails sent from your domain, including system emails from servers and other equipment, email delivery reports (DSN and NDR), internal mailing lists, and the like, and add all legitimate email addresses to the white list.
- Configure the SPF and DKIM records for the required domain.
- In the DNS zones management section of the domain, publish a DMARC record with the policy set to "none."
v = DMARC1; p = none; rua = mailto: firstname.lastname@example.org; ruf = mailto: email@example.com; fo = s
v is a protocol version, equals DMARC1. This parameter should be the first one in the record and means that this record defines the DMARC policy.
p is the email processing policy. It is set to none, quarantine or reject.
rua is an email address to receive statistical reports. The address has to belong to the same domain for which the DMARC record is configured.
ruf is an email address to receive reports of failed authentication checks. Since each error generates a separate report, it is better to specify a different email box for them.
fo determines when the reports will be sent to the domain owner.
Possible fo values:
0 — the report is sent if SPF and DKIM checks are failed. It is the default value.
1 — the report is sent if one of the checks fails, either SPF or DKIM.
d — the report is sent for each failed DKIM key verification.
s — the report is sent for each failed SPF check.
- Analyze the data and change the DMARC policy flags from “none” to “quarantine” or “reject,” depending on how you want the messages from unauthorized senders to be processed by the recipient server.
Published: 11 Apr 2019 Last Updated: 06 May 2019