Getting started with DMARC
Domain-based Message Authentication, Reporting & Conformance
Get visibility and control of your email.
DMARC, an open source standard, uses a concept called alignment to tie the result of two other open source standards, SPF (a published list of servers that are authorized to send email on behalf of a domain) and DKIM (a tamper-evident domain seal associated with a piece of email), to the content of an email.
If you have not already deployed one, putting a DMARC record into place for your domain will give you feedback that allows you to troubleshoot your SPF and DKIM configurations if needed. If you haven’t deployed SPF or DKIM yet, we have tools to help.
Adopting DMARC involves creating a DMARC record, publishing it, and using the information that is generated to gain insight and control over the way your domains are handling email.
DMARC helps legitimize your email by doing two things:
- Gives feedback about the email itself, including information about SPF and/or DKIM alignment.
- Tells email receivers (like Gmail and Yahoo) how to handle messages that fail to align with those protocols.
For a deeper understanding of how DMARC works and the protections it offers an organization, we have created DMARC Academy, a free curriculum to help people understand and deploy DMARC.
It is important to first assess the size and complexity of your organization’s email infrastructure. Email domains are a shared resource within most organizations, with use spanning multiple departments, third-party vendors, and even the organization’s own internet-facing applications. Because domains are shared, a successful DMARC project requires strong cross-departmental communication and clear domain management processes.
When deploying DMARC, it’s best to roll it out across all of an organization’s domains instead of focusing on individual domains. Deploying DMARC across your entire domain portfolio provides organizational visibility, and managers get new tools to ensure all email is sent in compliance with the organization’s standards.
To begin, gather a list of all of your organization’s domains so you can systematically put DMARC into place. It is also important to understand who in the organization uses each domain and who has ownership of the third-party vendors for that domain, as you will need their support so mailstreams are not disrupted.
A DMARC policy allows a domain owner to indicate that their messages are protected by SPF and/or DKIM, and tells the recipient what to do if neither of these is verified on a particular piece of email, such as marking it as junk mail or rejecting delivery of the message. Domain owners can set their DMARC policy (referred to as “p=”) to determine what is done to non-compliant email:
- Monitoring (p=none): no impact on mail flows (only DMARC feedback is collected).
- Quarantine (p=quarantine): messages that fail DMARC are quarantined (e.g. moved to the spam folder).
- Reject (p=reject): messages that fail DMARC are rejected (the mail is not accepted at all).
DMARC policies typically start at p=none, a monitoring phase that gives visibility into how your domain is being used and how SPF and/or DKIM are functioning, and then move towards a policy of p=reject.
Before advancing your DMARC policy, make sure that all of your sources are in alignment: the domain found in the “From:” header must match the domain validated by SPF and/or the source domain found in a valid DKIM signature.
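The alignment rule and the three policies above, worked through as an added example (not dmarcian code or part of the original page). It goes beyond the page by covering relaxed and strict alignment modes; the domains are constructed, and the two-label organizational-domain shortcut is an assumption that also ignores the pct= and sp= tags.

```python
# Added example: DMARC pass/fail from SPF and DKIM results plus alignment.

def org_domain(domain):
    # ASSUMPTION: organizational domain = last two labels. Receivers use the
    # Public Suffix List, so this shortcut is wrong for suffixes such as co.uk.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, auth_domain, mode="r"):
    """Relaxed ('r'): same organizational domain. Strict ('s'): exact match."""
    a = from_domain.lower().rstrip(".")
    b = auth_domain.lower().rstrip(".")
    return a == b if mode == "s" else org_domain(a) == org_domain(b)

def evaluate(from_domain, spf, dkim, policy="none", aspf="r", adkim="r"):
    """spf is (result, MAIL FROM domain); dkim is a list of (result, d= domain).
    Returns (dmarc_result, disposition requested by the domain's policy)."""
    spf_ok = spf[0] == "pass" and aligned(from_domain, spf[1], aspf)
    dkim_ok = any(r == "pass" and aligned(from_domain, d, adkim) for r, d in dkim)
    if spf_ok or dkim_ok:
        return ("pass", "none")
    return ("fail", policy)  # none, quarantine or reject

# Constructed scenarios for a domain example.com using a third-party sender.
SCENARIOS = {
    # Vendor passes SPF and DKIM, but only for its own domain: DMARC fails.
    "vendor_own_domain": evaluate(
        "example.com", ("pass", "bounce.vendor.example"),
        [("pass", "vendor.example")], policy="reject"),
    # Same vendor after it signs with a key under example.com: DMARC passes.
    "vendor_signs_as_customer": evaluate(
        "example.com", ("pass", "bounce.vendor.example"),
        [("pass", "mail.example.com")], policy="reject"),
    # Strict SPF alignment: a subdomain no longer counts as a match.
    "strict_subdomain": evaluate(
        "example.com", ("pass", "mail.example.com"), [],
        policy="quarantine", aspf="s"),
    # Nothing authenticates, but p=none leaves delivery untouched.
    "monitoring_only": evaluate(
        "example.com", ("fail", "example.com"), [], policy="none"),
}

if __name__ == "__main__":
    for name, outcome in SCENARIOS.items():
        print(f"{name:26} {outcome}")
```

The first scenario is the one that disrupts mailstreams when a policy is advanced too early: the vendor's mail authenticates, but not as the domain in the “From:” header.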
To start generating DMARC data, you must first publish a DMARC record for each domain you wish to monitor. dmarcian’s DMARC Record Wizard makes it easy to create a DMARC record.
A DMARC record is published as part of your domain’s Domain Name System (DNS) records; DNS is the system that routes traffic on the internet. Your domain’s DMARC record is a text entry within those DNS records that tells the world your email domain’s policy based on the configured SPF and DKIM protocols. The DMARC record also indicates an address where DMARC reports should be sent, part of the valuable feedback DMARC provides.
Here are instructions on how to publish a DMARC record with your DNS host.
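One way to sanity-check a record before publishing it, as an added example (not dmarcian's DMARC Record Wizard and not code from the original page). The sample records and addresses are constructed, and the v=, rua= and pct= tag names come from the DMARC specification rather than from this page.

```python
# Added example: parse a DMARC TXT record and flag common mistakes.
VALID_POLICIES = {"none", "quarantine", "reject"}

def parse_dmarc(txt):
    """Split 'tag=value; tag=value' into an ordered list of (tag, value)."""
    tags = []
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        tags.append((name.strip().lower(), value.strip()))
    return tags

def lint_dmarc(txt):
    """Return a list of findings; an empty list means nothing was flagged."""
    try:
        tags = parse_dmarc(txt)
    except ValueError as exc:
        return [str(exc)]
    findings = []
    if not tags or tags[0] != ("v", "DMARC1"):
        findings.append("record must start with v=DMARC1")
    rec = dict(tags)
    policy = rec.get("p", "").lower()
    if policy not in VALID_POLICIES:
        findings.append(f"p= must be one of {sorted(VALID_POLICIES)}, got {policy!r}")
    rua = [u.strip() for u in rec.get("rua", "").split(",") if u.strip()]
    if not rua:
        findings.append("no rua= address: no aggregate reports will be sent")
    for uri in rua:
        if not uri.lower().startswith("mailto:") or "@" not in uri:
            findings.append(f"rua URI is not a mailto: address: {uri!r}")
    if policy in {"quarantine", "reject"} and rec.get("pct", "100") != "100":
        findings.append(f"pct={rec['pct']}: policy covers only part of failing mail")
    return findings

# Constructed sample records.
GOOD = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
WRONG_ORDER = "p=reject; v=DMARC1; rua=mailto:dmarc-reports@example.com"
BAD_POLICY = "v=DMARC1; p=monitor"
PARTIAL = "v=DMARC1; p=reject; pct=25; rua=mailto:dmarc-reports@example.com"

if __name__ == "__main__":
    for record in (GOOD, WRONG_ORDER, BAD_POLICY, PARTIAL):
        print(record, "->", lint_dmarc(record) or "ok")
```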
Once you’ve published DMARC records, DMARC data will typically begin to generate within a day or two in the form of reports that give you insight into the way your domains are handling email.
These reports are XML-based and can be difficult for humans to read and make sense of, especially when they can number in the thousands.
dmarcian’s DMARC Management Platform specializes in processing these reports and identifying areas of improvement so that DMARC can be more easily deployed throughout an organization. You can test dmarcian’s platform with a free, 14-day trial. We categorize sources of email and present you with DMARC compliance status (based on email sources, DKIM and SPF), and we alert you if there are any potential threats to or abuse of your domains.
The p=reject DMARC policy instructs email receivers to refuse email that fails DMARC. By default, email that fails under a reject policy is not accepted. The p=reject policy is the ultimate control to prevent unauthenticated messages from being delivered from your domain. Read more about advancing your DMARC policy.
The value of DMARC is the visibility it provides into the health of your domain catalog. For active sending domains, data should appear within 24-48 hours of publishing a DMARC record, dependent on DNS propagation.
If you are having issues receiving DMARC data, check out this article for common issues and their solutions.
It is estimated that only 30% of organizations that start the process of deploying DMARC ever finish.
The challenge lies not in the specification itself but in the email ecosystem and the interpretation of the feedback DMARC provides. Deploying DMARC is a project that requires whole-organization planning, communication, and execution to achieve the goal of gaining visibility and control of your email domains. The process of an organization adopting DMARC can be daunting; with the proper partner, it can be easily managed.
If you find that you need some assistance with getting DMARC in place, we offer a few options.