Email Authentication Series: Episode 4 – DMARC – Zap Knowledgebase
Skip to content

Email Authentication Series: Episode 4 – DMARC

4 min read

This is it: the finale! Thanks for sticking with us.

Of course, this won’t make much sense if you haven’t read the previous articles in the series. Before you get started, make sure you’ve had a peek at:

If you’re confident with that stuff, let’s get cracking with DMARC.

Spoofers trick recipients into thinking a message is from an authentic person/business. They do this by forging an email sender address, which most people take at face value, and respond. In this way, spoofers gain access to personal information they can use. Nasty.

But the good news is you can help to prevent spoofing. You can also make sure everyone knows your emails aren’t spoofs, but the real deal.

That’s where DMARC comes in.

1. What is DMARC?⚡ #

‘Domain-Based Message Authentication, Reporting, and Conformance’ (catchy, huh?) prevents spoof messages from ever reaching your inbox. This means it makes a great companion to SPF and DKIM.

2. How does it work?⚡ #

DMARC helps recipients determine if messages align with their understanding of the sender. It also supports them with guidance on how to handle messages that don’t fit the remit.

3. How do I set it up?⚡ #

  1. Create a mailbox, for DMARC reports to arrive in. You may receive quite a few of these, so it’s good to keep them separate.  You might call this [email protected]
  2. Write your DMARC record. This is the set of instructions for what to do with emails.

    For example: 

v=DMARC1; p=reject; rua-mailto: [email protected] mailto:[email protected] ; pct=100; adkim=s; aspf=s

⚠️The v and p tags must be listed first. Others can be listed in any order. ⚠️

4. KEY⚡ #

  1. v=DMARC1 – this is a DMARC code
  2. p=reject – the system should reject emails with the following information. You can substitute these to ‘quarantine’ (to send emails to spam) or ‘none’ (to let them pass). We recommend setting it to ‘none’ at first, and just generating reports. This way, you can keep an eye on patterns, and update it to quarantine later. 
  3. rua-mailto:[email protected] – this tells it to generate a GENERALISED report and send it to the specified email address.
  4. mailto:[email protected] – this tells it to generate an IN-DEPTH report, and send to the specified email address.
  5. pct=100 – this means ‘100%’, so it knows you mean ALL emails
  6. adkim=s – this refers to how strict the policy should be. ‘S’ is ‘strict’; you can substitute this for ‘r’, meaning ‘relaxed’.
  7. aspf=s – this relates to the SPF framework. ‘S’ means ‘strict’, ‘r’ means ‘relaxed’. Strict mode will only accept exact matches of the senders you’ve listed in your SPF code. Relaxed mode will accept partial matches.

It’s worth knowing this, so that you can double-check results. However, if this is confusing, we recommend using an online DMARC Record Generator. It will create it for you, but can also clarify how to do so, and what each step entails.

8. After that, set up your code. It’s very similar to the other methods we’ve looked at.

To set up a DMARC code, you need to create a specific TXT record, within your domain’s DNS settings.

  1. Log into your Domain Registrar’s DNS settings page
  2. Create new TXT record 
  3. Add or update the TXT record:
  4. HOST – _dmarc.example.com [example is your domain name]
  5. VALUE – the code you’ve just made
  6. Save changes. 
  7. Verify your DMARC is set up using one of the free tools you can find online. 
  8. Over time, use the reports it sends you to analyse passing, failing, or missing sources. These reports show you which sending sources are being used to send messages using your domain. 
  9. After a few months, you should be able to add all the legitimate sending sources to your SPF list on the DNS. This will mean that only these messages pass DMARC.

    When you’ve achieved this, update the domain policy to quarantine. Only legitimate messages will pass through. The rest will go to spam, keeping your sender reputation healthy.

⚡Hashtag nofilter #

The aim of all of this authentication is to make sure your emails are delivered safely. No pesky spam filters can get in the way of your marketing efforts!

However, if you’ve authenticated your domain, and are still seeing deliverability issues, it might be worth heading back to:  How to improve email deliverability – MOLLY.

We know that this aspect of email marketing can be confusing, but rest assured: our highly skilled team is always around to help. 

Make your emails unstoppable: get in touch today.

 

What are your Feelings

  • Happy
  • Normal
  • Sad

Pavilion 2, Finnieston Business Park, Minerva Way
Glasgow, G3 8AU

© Think Zap Limited 2009-2024
Registered in Scotland: SC509259 | VAT Reg Number: 270887176