deliverability
Last Update
Reading Time
7 min.

What Is DMARC And How Can It Help You?

lemlist team

The technical setup is a crucial but kind of confusing step when you’re setting up the perfect domain.

We’ll see what DMARC is, how to set it up, and why it is so important.

What is DMARC

DMARC stands for "Domain-based Message Authentication, Reporting, and Conformance."

It is an email authentication and security protocol designed to help organizations protect their email domains from spoofing, phishing, and other email-based attacks.

DMARC builds upon two other email authentication protocols, SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail), to provide a comprehensive approach to email authentication and validation.

DMARC is a technical specification used in email authentication.

Its purpose is to protect sending domains from unauthorized use. By that we specifically mean it helps prevent phishing, business email compromises (BECs), and other email scams.

Why is DMARC important?

Not all of us use email for the same purposes.

We’ve grouped email users into three different categories so you can understand how DMARC will appear useful no matter what your main job is.

  • Mailbox providers

Sometimes messages fail the authentication process.

DMARC policy offers all the information you need on how to filter these messages.

When in doubt, mailbox providers will typically send an unauthenticated message, as a customer is more likely to prefer deleting spam than missing out on an actual email that could have been useful and meaningful.

Which is why sometimes spam seeps into your inbox.

All major mailbox providers support DMARC. In fact, implementing DMARC is a signal to these providers that you’re a responsible and reputable sender they can trust.

All major mailbox providers support DMARC. For example:

Gmail: In order to successfully configure DMARC, DKIM and SPF should have authenticated messages for at least 48 hours.

→ Yahoo: According to Yahoo DMARC policy, all emails sent from a @yahoo.com account will be rejected if not sent directly from a Yahoo server.

WARNING: Starting February 1st 2024, there will be some changes that could affect your email sending from Gmail, Yahoo and AOL servers. So don’t forget to check them out.

Microsoft Outlook: You will need a Microsoft 365 admin center and access to your DNS provider to set it up.

→ AOL: Has a p=reject tag, so it works just as Yahoo. Be mindful of this if you’re currently using a cold or bulk email sending service.

Some other servers do not validate DMARC records, such as…

→ Mailchimp: Nonetheless, you can add it in addition to SPF or DKIM.

  • Email recipients

This group probably benefits the most from a good DMARC policy, as it will ensure that no malicious emails or spam will land in your inbox. It will also protect you from impersonation in the “from” field, which can typically lead to fraud.

  • Email senders

The best benefit senders receive from DMARC is a safe and protected email domain. Ensuring a high email deliverability will guarantee your domain’s reputation.

Additionally, you will receive reports on the IP addresses that are sending mail on behalf of your domain. This allows you to keep an eye out for email spoofing and find out if legitimate emails are encountering authentication issues that impact deliverability.

How does DMARC work?

DMARC comes last into action in a three-step authentication process.

First of all, you need to set up your SPF and DKIM.

SPF (Sender Policy Framework)

SPF allows the owner of a domain to specify which mail servers are authorized to send emails on behalf of that domain. Email receivers can then check the SPF records of incoming emails to verify their authenticity.

Setting up SPF is a critical step to help prevent email spoofing and phishing attacks.

Here are the steps to set up SPF:

  1. Understand SPF Syntax:SPF records are published as DNS (Domain Name System) TXT records for your domain. You'll need to specify which IP addresses or mail servers are allowed to send email on behalf of your domain using SPF syntax.SPF records are defined in a TXT record in your DNS settings.
  2. Determine Your Authorized Mail Servers:Before creating an SPF record, you need to identify the mail servers that are authorized to send email on behalf of your domain.This might include your own mail servers, email marketing services, and any other legitimate sources.
  3. Create Your SPF Record:Once you have identified the authorized mail servers, you can create your SPF record.SPF records are typically added to your domain's DNS records as a TXT record.The SPF syntax allows you to specify which servers are authorized to send mail from your domain.
  4. Here's an example of an SPF record:
  • v=spf1 indicates that this is an SPF record.
  • include:_spf.google.com allows any mail server listed in the _spf.example.com SPF record to send email on behalf of your domain.
  • ~all is a soft fail mechanism that tells receiving mail servers to mark emails from unauthorized sources as "failed SPF checks" but not necessarily reject them.

You can customize your SPF record based on your specific needs.

4. Add the SPF Record to DNS:Access your domain's DNS management interface, which is often provided by your domain registrar or hosting provider. Create a new TXT record with the name of your domain (e.g., example.com) and paste your SPF record as the record's value. Save the changes.

5. Test Your SPF Record:After adding the SPF record, it's essential to test it to ensure it's correctly configured. There are online SPF record testing tools like "SPF Record Testing Tools" by dmarcian, which can help you verify if your SPF record is set up correctly.

6. Monitor SPF Record Changes:Keep an eye on your SPF record, especially when making changes to your mail infrastructure. Incorrect SPF configurations can result in legitimate emails being marked as spam or rejected.

DKIM (DomainKeys Identified Mail)

DKIM adds a digital signature to outgoing emails, which can be verified by email receivers using the public key published in the domain's DNS records.

This helps ensure that the email's content has not been tampered with during transit.

Here's how to set up DKIM:

1. Generate a DKIM Key Pair:

a. Access your email server or hosting provider's control panel or interface. Many hosting providers offer an option to generate DKIM key pairs directly from their control panel.

b. If your email service doesn't provide this feature, you can use a DKIM key generation tool or an online generator to create a DKIM key pair. One popular tool is OpenSSL:

openssl genpkey -algorithm RSA -out private.pem -aes256 -outform PEM openssl rsa -in private.pem -pubout -out public.pem

These commands will generate a private key (private.pem) and a corresponding public key (public.pem).

2. Configure Your Email Server:

a. Access your email server configuration or control panel, and locate the section for DKIM settings.

b. Upload or copy the private key (private.pem) into your email server's DKIM configuration. The way to do this may vary depending on your email server software.

c. Ensure that the private key is kept secure and isn't exposed to unauthorized individuals.

3. Add a DKIM DNS Record:

a. After you have configured your email server with the private key, you need to create a DKIM DNS record. This DNS record will allow receiving email servers to verify the authenticity of your emails.

b. In your DNS management interface (provided by your domain registrar or hosting provider), create a TXT record with a name that follows the DKIM selector format. The DKIM selector is a unique name you choose, which is used in the DKIM signature. It's typically a short and descriptive name like "2024" or "default."

For example, if your domain is example.com and you chose "default" as your DKIM selector, your DNS record name might look like: 

default._domainkey.example.com


c. The value of this TXT record should be your public key (public.pem) enclosed in double quotes. It should look something like this:

"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAy..."

Be sure to replace the example above with your actual DKIM public key.

4. Publish the DKIM Record:

After creating the DKIM DNS record, save your changes. DNS records may take some time to propagate across the internet, so be patient. You can use online DKIM checkers to verify that your DKIM record is correctly published.

5. Test DKIM Authentication:

To ensure DKIM is working correctly, send an email from your domain and check the email headers. You should see a DKIM-Signature header that indicates DKIM authentication is in place.

6. Monitor and Maintain:

Regularly monitor your DKIM configuration to ensure it continues to work correctly. If you make changes to your email infrastructure or rotate your DKIM keys, update the DNS records accordingly.

Implementing DKIM enhances email security and helps establish trust with email recipients by preventing email spoofing and ensuring the integrity of your outgoing messages.

Last, but not least… DMARC policies

DMARC helps organizations combat email spoofing and phishing attacks by providing a way to enforce authentication policies for their domains. It also allows domain owners to gain insights into email delivery and identify potential security threats through reporting and monitoring.

DMARC allows the administrative owner of a domain to publish a policy in their DNS records to specify which mechanism (DKIM, SPF or both) is employed when sending email from that domain; how to check the "From:" field presented to end-users; how the receiver should deal with failures - and a reporting mechanism for actions performed under those policies.

Based on the results SPF and DKIM receive, there are three possible outcomes for DMARC:

1. "Quarantine" Policy:

The email will be delivered but it will be flagged as spam or directly sent to the spam folder.

  • Behavior: When you specify a DMARC policy of "quarantine," emails that fail DMARC authentication are typically delivered to the recipient's spam or quarantine folder. The exact behavior can vary depending on the recipient's email service provider.
  • Example DMARC Record:
v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com; ruf=mailto:dmarc-forensics@example.com

2. "Reject" Policy:

These emails are blocked, therefore they cannot reach the recipients, nor can any other emails sent by the same sender.

  • Behavior: Under a "reject" DMARC policy, emails that fail DMARC authentication are outright rejected by the receiving email server. These emails are not delivered to the recipient's inbox, spam folder, or quarantine folder. Instead, they are rejected and may result in a bounce message to the sender.
  • Example DMARC Record:
v=DMARC1; p=reject; rua=mailto:dmarc@example.com; ruf=mailto:dmarc-forensics@example.com



3. "None" Policy:

The emails make it into the recipient's inbox and are ready to be opened and read.

  • Behavior: A "none" DMARC policy is essentially a monitoring policy. It instructs receiving email servers not to take any specific action based on DMARC results. Instead, it allows you to collect DMARC reports for analysis without affecting email delivery.
  • Example DMARC Record:
v=DMARC1; p=none; rua=mailto:dmarc@example.com; ruf=mailto:dmarc-forensics@example.com


Under each of thse policies, DMARC also provides mechanisms to specify what actions to take when emails pass DMARC authentication. The primary focus of these policies is on how to handle emails that fail DMARC checks.

It's important to note that the exact behavior of email servers can vary, and not all email service providers fully enforce DMARC policies.

To ensure proper DMARC implementation and monitor its impact, it's essential to regularly review DMARC reports and adjust your policy settings as needed.

Additionally, organizations may start with a "none" or "quarantine" policy and gradually move to a "reject" policy as they gain confidence in their email authentication practices.

There are additional DMARC tags such as:

v= Version of DMARC used (DMARC1)
p= DMARC enforcement policy: none, quarantine, or reject
rua= List of email addresses where DMARC aggregate reports are sent
pct= Percentage of messages that are subject to the enforcement policy. Default is pct=100
aspf= Defines the alignment mode for SPF, which could be strict or relaxed with pass/fail scenarios
adkim= Defines the alignment mode for DKIM, which could be strict or relaxed with pass/fail scenarios
sp= Represents different enforcement policies for subdomains
ruf= Lists email addresses for sending DMARC failure/forensic reports.
fo= Indicated the options for creating a DMARC failure/forensic report
rf= Declares the forensic reporting format for message-specific failure reports
ri= Sets the interval for sending DMARC reports, which is defined in second but is usually 24 hours or more

How to publish a DMARC record

To publish a DMARC record, follow these steps:

  1. Make sure that you have previously set up your SPF and DKIM and that they have been running for at least 48 hours.
  2. Add your DMARC record to your DNS by creating a new record.
  3. Use the TXT record type
  4. Enter _dmarc in the Name or Host field.
  5. Determine the DMARC policy you want to implement and how strict you want your policy to be.
  • noneMonitoring-only mode. You collect DMARC reports without impacting email delivery.
  • quarantineFailing emails are delivered to the recipient's spam or quarantine folder.
  • rejectFailing emails are rejected and not delivered to the recipient's inbox.
  1. Create a DMARC Record

To create a DMARC record, you'll need to specify the DMARC version, policy, and other optional tags.

Here's an example of a basic DMARC record:

NOTE: Replace dmarc@example.com with your own email address.

You can include additional tags as needed to customize your DMARC policy.

  1. Log in to your DNS hosting provider's website or access your domain registrar's control panel where you manage DNS records for your domain.
  2. Locate the option to add or edit a DMARC DNS Record and create a new TXT record with the following format:
  • Record Name: _dmarc.yourdomain.com (replace yourdomain.com with your actual domain)
  • Record Type: TXT
  • Value: Paste the DMARC record you created earlier.

For example, if your domain is example.com, your DMARC DNS record name would be _dmarc.example.com

  1. Save, or create, the DMARC record. The DMARC DNS record will take typically within a few hours or up to 48 hours.
  2. Test Your DMARC Record to ensure that your DMARC record is correctly published and functioning as expected, you can use online DMARC record testing tools or receive and analyze DMARC reports.
  3. Monitor DMARC reports sent to the email address specified in the rua tag
    These reports provide insights into the email authentication status for your domain and help you fine-tune your DMARC policy.
  4. Gradually adjust your policy.
    You can start with a less strict policy (e.g., p=none) and graudally increase the policy's strictness (e.g., p=quarantine or p=reject) as you gain confidence in your email authentication practices.

Publishing a DMARC (Domain-based Message Authentication, Reporting, and Conformance) record involves adding a DNS TXT record to your domain's DNS settings.

This DMARC record defines your domain's DMARC policy and specifies where DMARC reports should be sent. Here's a step-by-step guide on how to publish a DMARC record:

DMARC report

Essentially, as with all other reports, a DMARC report allows you to evaluate the deliverability of a particular domain.

You will receive full insights on how and where your emails are landing and their authenticity. You will also be able to spot emails that are allegedly being sent from your domain.

With these insights, you will clearly see the issues you need to fix (and what you’re doing right as well).

Unfortunately, reports are sent in an XML which can be quite tough to analyze, so a tool that will make those reports more readable, such as EasyDMARC’s DMARC report analyzer can be very useful.

But what information exactly will you see in your report?

  • All domains sending emails using your domain in their “From” field
  • IP addresses of the domains using your domain
  • The number of daily emails
  • SPF and DKIM authentication results
  • DMARC results
  • Emails that were quarantined
  • Emails that were rejected
  • Forensic/failure reports

How to enable DMARC reports

  1. Create a DMARC record.
  2. Enter the email address where you wish to receive aggregate reports in the “Report Email” field.We recommend you don’t use your main email address, so you don’t clutter your inbox with daily reports.
  3. Enter your email address in the “Failure Reporting” field to receive forensic DMARC reports.
  4. Once you have filled in the rest of your information, click “generate”
  5. Publish your record in your DNS when it’s ready.

Now that we’ve discussed the use and process of DMARC reports, let’s analyze the two types of reports:

Aggregate Reports (rua)

Reports with a rua tag are essentially broad descriptive reports.

These reports are sent in an XML format and can appear as such:

Source: DMARCLY

What is the key information included in an aggregate DMARC report?

Reporting Period Timeframe the Report Covers
Sender IP Addresses IP addresses that sent emails on behalf of your domain
SPF Results Including nº of messages that passed SPF, nº of messages that failed SPF, and domains involved in SPF authentication
DKIM Results Including nº of messages that passed DKIM, nº of messages that failed DKIM, and DKIM signatures used
DMARC Results Including nº of messages that aligned with your DMARC policy, nº of messages that did not align and the disposition applied
Authentication Results Summary of authentication methods used
Message Count Total number of messages received from each source
Failure Details Information on failed authentication methods
Message Headers Headers of failed authentication messages
Aggregate Statistics Summary statistics including percentage of authenticated and failed messages, among other metrics
Reporting Identifier An identifier to match reports to specific DMARC configurations

Failure Reports (ruf)

These reports are sent in real-time and concerning specific messages, typically in plain text.

Message Headers Full header of the failed email
Message Body Content of failed email
Authentication Results Authentication check details and why they failed
Envelope Sender Email address used as the return path for the failed message
DKIM Signature Information In case of DKIM authentication failure, report includes details of the DKIM signature used, such as selector and domain
SPF Information In case of SPF authentication failure, the report includes information about the SPF record for the sending domain and the IP address that sent the message
Autenthication-Results Header Summary of authentication results, including failure checks and why they failed
DMARC Policy Policy type (quarantine or reject)
Timestamps When the message was received and when the failure report was generated
Message Size Size of the failed message
Reporting Source Information about the source that generated and sent the DMARC failure report
Additional Metadata Additional information that can be helpful in the failure analysis and authentication failure

Key Takeaways

The technical setup of your domain is critical if you want to protect your email deliverability and ensure that your emails are landing where you want them to.

If you are just starting make sure to keep your DMARC policy light and to check your aggregate and forensic reports regularly to gain a better understanding on what you need to fix and adjust. As you move on you’ll be able to set a more strict policy.

Now that you’re doing everything in your hand to protect your email deliverability, let us help you too.

With lemwarm you can warm up your email account so you won’t be flagged as spam when you start your campaigns! 😉

lemlist team
Your source of actionable outreach tips and strategies that will help you get replies and grow your business.

What you should look at next

Receive weekly outreach tips in your inbox, sent to 210 000+ salespeople, marketers, founders, and entrepreneurs worldwide!

Subscribe to the lemlist newsletter
You've successfully subscribed to the lemlist newsletter!
Oops! Something went wrong while submitting the form.