What is DMARC and how to configure it?

Starting in February 2024, Gmail and Yahoo are rolling up new authentication requirements which require using a custom DKIM authenticated domain with DMARC reinforced.

GetResponse strongly advises all senders to use emails addresses from own sending domains as a from field, and to configure both DKIM and DMARC.

For additional details on these modifications, refer to our blog post:
Gmail and Yahoo’s Authentication Changes: All You Need to Know

What is DMARC

DMARC stands for Domain-based Message Authentication, Reporting & Conformance. It’s an email authentication, policy, and reporting protocol. It builds on the widely used SPF and DKIM protocols to improve and monitor the protection of a domain from fraudulent email, adding links to the FROM domains, published policies for recipient handling of authentication failures, and reporting from receivers to senders.

It also allows a domain owner to request notifications about emails that look like they’re sent from their domain, but they aren’t correctly authenticated.

Setting up a DMARC record

Before you begin configuring DMARC:

In the DMARC TXT record, the DMARC policy is defined. Configuring a DMARC policy sets the level of stringency for checking messages and what actions are recommended for a server receiving a message if authentication fails.

To set up basic DMARC functions, you need to add the appropriate record in your domain’s DNS server settings. Prepare a TXT record defining the basic text for the DMARC record and then add or update this file in your domain delivery DNS settings from which your email marketing campaigns are sent.

A DMARC policy can be set in one record. Here’s an example of the simplest record that can be used:

v=DMARC1; p=none;

The DMARC record name (host) should be _dmarc.yourdomain.com, where yourdomain.com needs to be replaced by actual domain URL.

Another example would be:

v=DMARC1; p=reject; rua=mailto:postmaster@example.com, mailto:dmarc@example.com; pct=100; adkim=s; aspf=s

Note: email addresses need to be changed to actual working emails you have access to. Tags used in this example might not be suited for everyone, please read their description below.

A DMARC record comprises mandatory and optional tags, defining policies for email authentication. A fundamental example of a DMARC record must include the following essential tags:

  • v tag – informs about DMARC versions, it is always set as DMARC1
  • p tag – contains information on what servers must do with messages that fail authentication, there are three policies to choose from:
    • p=none – monitors emails sent on your domain without altering the recipients’ email servers.
    • p=quarantine – redirects failing emails to junk or spam folders while still tracking sent emails.
    • p=reject – refuses failing emails, causing them to bounce and not reach any recipient folder, while also tracking sent emails.

If you’re new to DMARC, it’s best to configure your policy using the p tag with the value set to none.

Over time, after analyzing incoming reports to learn how your domain is authenticated by receiving servers, you can change the setting of this tag to quarantine or reject.

Optional tags provide further customization:

  • pct – describes the percentage of unauthenticated emails that should be subject to DMARC recording. The range is expressed from 0 to 100, where 0 means 0% of messages and 100 means 100%. The pct parameter is optional, but if you do not set it in the record, its default value will be 100, which will include all messages that are not authenticated.
  • rua=mailto:address@domain.com – specifies an email address for reports from participating mailbox providers, aiding in identifying domain issues.
  • adkim – specifies the DKIM identifier alignment
    • adkim=s – alignment will be strict, which means that the domain name must be exactly the same as the domain name entered in the DKIM mail headers.
    • adkim=r – alignment will be rough,where all valid subdomains used in the header will be accepted
  • aspf – works similarly to adkim, however it relates to the SPF values.
    • aspf=s – from email address must be exactly match the domain name
    • aspf=r – any valid subdomain might be used in the message header

Each domain you use for sending requires setting a separate entry and taking all the actions described above. For subdomains, DMARC policies cascade. If you set them for a domain and not for subdomains, they will automatically take over the settings of the parent domain. You can set separate rules for each subdomain using the sp parameter.

For more information on email authentication not only for beginners, please see our blog post, and for comprehensive information on DMARC functionality, visit dmarc.org.