lemlist and its partners use cookies (or similar technology) to measure and analyse how our platform is used and to show ads based on your interests. By clicking "Accept", you agree to the above. You can change your preferences at any time in the Cookie Settings from the footer. For more info, check our Cookies Policy and Privacy Policy.
Deny
Manage
Accept
Manage cookies
Analytics
We need to measure events on this website. Why? Kinda like counting calories to have a good line.
Advertisement
No boring ads chasing you all over the internet. Interesting and relevant stuff, we promise.
Social
If you’re interested in the content of this website, we would love to stay connected on your social networks.
Done
Deliverability
DMARC - What It Is, Why It Matters, and How to Set It Up
lemlist team
July 25, 2024
|
7 min. read
lemlist team
LAST UPDATED
June 20, 2024
READING TIME
7 min.
A properly configured DMARC record can increase your open rate by 10% or more.
DMARC adds a layer of security to your emails that builds trust with email service providers.
The result is that fewer of your emails will land in the spam folder.
Below, we’ll discuss what DMARC is, why it’s important, and how it works. ⬇️
What is DMARC?
DMARC is an email authentication protocol that stands for Domain-based Message Authentication, Reporting & Conformance.
It's an initiative by some of the biggest senders and receivers of email, like Gmail and Yahoo.
They created DMARC as a response to the increasing amount of fraudulent emails in the early 2010s. (Email is involved in 90% of cybercrimes)
The goal of the DMARC initiative was to combat phishing attacks and other cybercrimes through the implementation of a DMARC record.
A DMARC record is a DNS record you add to your domain’s DNS settings.
Through this record, receiving servers can verify if an email is coming from the domain it’s claiming to come from. It does so through two other DNS records called SPF and DKIM.
Why is DMARC Important? ⚠️
DMARC matters because it makes your emails more secure.
It prevents criminals from using your (sending) domain to launch cyber attacks.
In short: DMARC makes the internet a safer place for everybody.
What’s more, apart from the security aspect of DMARC, Gmail and Yahoo’s new email sender rules now require you to have a DMARC record set up.
Without DMARC, forget about landing in your audience’s inbox, especially if they use Gmail or Yahoo as their email provider.
And it doesn’t just concern Gmail addresses, either.
Companies can use custom email addresses through their Gmail account, and without DMARC, you will not reach many of them!
In a nutshell, if you’re doing email outreach in 2024, you need DMARC!
How Does DMARC Work? 👷
DMARC allows the receiving email server to verify if the email comes from the claimed sending domain.
The server intends to authenticate the email through the domain’s SPF and DKIM records.
If one of these authentication methods fail, it means we’re dealing with an unauthorized email.
It’s here where DMARC comes into place. Its policy settings determine what to do with the unauthorized email.
To make it easier to understand, first let’s take a look at a basic DMARC record:
v=DMARC1; p=none; rua=mailto:email@yourdomain.com
While it may look like an incomprehensible line of code, it’ll become crystal clear once you know what the tags mean:
➡️ The “v” stands for version. Since there’s only one valid version currently, this will always be “DMARC1” for now.
➡️ The “p” stands for policy. This is the setting that lets you decide what to do with unauthorized emails. The most common settings are:
👉 “None,” as in the DMARC record above. In this case, unauthorized emails will get a pass to the recipient’s inbox. Though this setting might seem useless, it’s actually the recommended setting for the first few weeks after implementing DMARC. It allows you to receive DMARC reports to monitor what happens to unauthorized emails and ensure that legitimate emails don't get flagged as unauthorized.
👉 “Quarantine” sends unauthorized emails to the recipient’s spam folder.
👉 “Reject” is the strictest setting. With your p tag set on “reject,” none of the unauthorized emails will get delivered.
➡️ The “rua” tag is where you want your DMARC reports sent. As mentioned above, these reports allow you to keep an eye on any email authentication inaccuracies.
The DMARC record above is a basic but fully functional example, but A DMARC can also include other non-essential tags (see table below).
DMARC Tag
What it does
Ruf
Sends more elaborate reports
Pct
Determines what percentage of incoming emails need to undergo the authentication process
Fo
Adjusts how reports are created and presented to users
Aspf
Determines the level of strictness for SPF authentication
Adkim
Similar to “Aspf” but for DKIM
Sp
DMARC enforcement for subdomains
How to Set Up a DMARC Record 📝
Since DMARC depends on SPF and DKIM, you must set these DNS records up before DMARC.
You can change the policy setting to something stricter once reports start coming in.
Setting up your DMARC record on any domain provider
Now we’re going to add the DMARC record to your domain’s DNS settings.
You can find those settings in your domain provider’s account.
However, if your domain's name servers point elsewhere, for example, to your hosting provider, this is where to find the DNS settings for your domain.
The exact steps may vary for different providers, but the process below should be a good enough guide to be able to add your DMARC record.
➡️ Step 1: Go to your domain’s DNS records
Log in to your domain or hosting provider account
Go to your domain’s DNS settings or records
➡️ Step 2: Add your DMARC Record
Once inside your domain’s DNS settings, you should see a list of DNS records.
Click on “add” or “add new record.” You should see a form like the one below:
For type, choose TXT. Some providers will also have a DMARC option here, but usually you need to set up a TXT record.
In the Host field, enter “_dmarc”. If your hosting/domain provider doesn’t automatically append your domain name here, then the value here should be _dmarc.yourdomain.com.
In the Value or Target field, paste your DMARC record. For starters, you can use the one we shared above. Just make sure to update the email address!
Leave the TTL setting to its default
Hit save!
➡️ Step 3: Validate your DMARC record
To verify your DMARC record, you need to run a DNS check again.
💡Important: it can take up to 48 hours for your DMARC to propagate. Usually it’ll be active much sooner than that, but please give it some time before running a DNS check.
Setting up your DMARC record is not difficult, but you may want to make things even simpler. Use this DMARC generator to help you out.
A Note on DMARC Reports 🗒️
Remember the “rua” tag in your DMARC record?
Well, as mentioned briefly earlier, there’s another reporting tag called “ruf.”
The “ruf” tag sends more detailed and elaborate reports than “rua.”
Both tags hold the email address your DMARC reports will be sent to.
The reports will give you insights into the authentication process.
Among other things, the reports will tell you if emails passed or failed authentication and which servers sent them.
Additionally, they allow you to find out what happened to the emails based on their authentication status.
Unfortunately, reports are sent in XML, which can be quite tough to analyze, so a tool that makes those reports more readable, such as EasyDMARC's DMARC report analyzer, can be very useful.
But what information exactly will you see in your DMARC reports?
All domains sending emails using your domain in their “From” field
IP addresses of the domains using your domain
The number of daily emails
SPF and DKIM authentication results
DMARC results
Emails that were quarantined
Emails that were rejected
Forensic/failure reports
Aggregate Reports (rua)
Reports with a rua tag are essentially broad descriptive reports.
These reports are sent in an XML format. Here’s an example rua report:
Here’s the key information included in a rua report:
Reporting Period
Timeframe the Report Covers
Sender IP Addresses
IP addresses that sent emails on behalf of your domain
SPF Results
Including nº of messages that passed SPF, nº of messages that failed SPF, and domains involved in SPF authentication
DKIM Results
Including nº of messages that passed DKIM, nº of messages that failed DKIM, and DKIM signatures used
DMARC Results
Including nº of messages that aligned with your DMARC policy, nº of messages that did not align and the disposition applied
Authentication Results
Summary of authentication methods used
Message Count
Total number of messages received from each source
Failure Details
Information on failed authentication methods
Message Headers
Headers of failed authentication messages
Aggregate Statistics
Summary statistics including percentage of authenticated and failed messages, among other metrics
Reporting Identifier
An identifier to match reports to specific DMARC configurations
Failure Reports (ruf)
The “ruf” tag offers more elaborate reporting.
Here’s what’s included in DMARC ruf reports:
Message Headers
Full header of the failed email
Message Body
Content of failed email
Authentication Results
Authentication check details and why they failed
Envelope Sender
Email address used as the return path for the failed message
DKIM Signature Information
In case of DKIM authentication failure, report includes details of the DKIM signature used, such as selector and domain
SPF Information
In case of SPF authentication failure, the report includes information about the SPF record for the sending domain and the IP address that sent the message
Autenthication-Results Header
Summary of authentication results, including failure checks and why they failed
DMARC Policy
Policy type (quarantine or reject)
Timestamps
When the message was received and when the failure report was generated
Message Size
Size of the failed message
Reporting Source
Information about the source that generated and sent the DMARC failure report
Additional Metadata
Additional information that can be helpful in the failure analysis and authentication failure
Key Takeaways 🔑
For email outreach, you must ensure that your technical setup is on point, as low open rates will cost you money.
DMARC is a critical component of your technical setup.
Without it, not only are your emails less secure, but they're also more likely to be sent to spam or not delivered at all.
While initially, setting up a DMARC record can seem complicated, once you know how it works, it becomes a breeze.
Use the information in this post to set up DMARC for your domain today!
Thanks! You've successfully subscribed to lemlist newsletter
Oops! Something went wrong while submitting the form.
Looking to verify leads' email addresses but aren't sure which tool suits your goals and budget? Check out the ultimate review of the Bouncer email verifier and ensure youget the most value for money.
Sending emails to unverified addresses = not reaching your target audience. Here are the best verification tools to ensure you open new business opportunities.
If you send emails to invalid addresses, you can’t get replies and grow your business. In this article, get 5 proven methods to validate an email without reaching out first.
Email warm-up helps establish a good sender reputation, allowing you to send more emails without landing in the spam folder. Essentially, a good email warm-up strategy is essential for cold email success.
Guillaume Moubeche
Jul 25, 2024
You've successfully subscribed to the lemlist newsletter!
Oops! Something went wrong while submitting the form.
.png)
.png)
