Back to the Learning Center

By: IMPACT User on April 12th, 2016

What Marketers Need to Know About Healthy DMARC Setup

Domain-based Message Authentication, Reporting & Conformance, or DMARC, is an email authentication standard introduced in 2012 to determine how unauthenticated email should be handled. It adds a third layer upon SPF and DKIM to create a holistic email confidence system. So, what does that mean? First, let’s back up a bit.

Whenever anyone sends an email from a certain domain, SPF/DKIM needs to be set up—it’s a way for email servers to say “it’s OK that this service (whether that’s your office email, Marketo, a web server, etc.) is emailing with an address that has my domain—they’re with me.”

There is an easy way to better understand SPF and DKIM. Think of SPF as the “envelope” (the original piece of data being sent over) and DKIM as the “signature” (the letter inside—is it forged or original?). SPF is a public declaration given by a domain; DKIM requires both a public and private key. The two work in tandem to prove that an email is legitimate.

DMARC builds upon this system by giving mail servers instructions on what to do when it finds emails that don’t have SPF and/or DKIM records: should it let them through, quarantine them, or reject them? Additionally, DMARC is set up so the servers you email to will provide a report on what emails are being sent with your domain—and if there’s anyone sending rogue emails with your domain (say, for phishing purposes).

While this is exciting stuff for IT, why should marketing care? Simply put, more and more email providers are now checking to make sure you have a DMARC policy to determine whether your email is considered spam—even if you have SPF and DKIM records defined! Here at DemandLab we have seen examples of AOL, Yahoo, and private email firewalls now rejecting emails due to the lack of a DMARC record. Defining a record is a win-win: your marketing messages are considered more trustworthy, and your users have the security of knowing anything coming from your email domain is legitimate.

How do I set up DMARC for my email domain?

You can check if your email domain currently has a DMARC policy by visiting http://mxtoolbox.com/dmarc.aspx. If your company doesn’t have a record on file, we recommend a five-step approach to make sure your implementation goes smoothly:

1. Take an inventory of your emailing systems

Your company’s technology stack probably has more things sending out email than you’d think. There’s more to consider than just your office email and marketing automation email! Consider transactional emails, emails sent from internal programs, emails from other SaaS platforms, and more. We recommend working with your IT team to look across your entire technology stack to make sure you have everything covered.

2. Check that all the systems you identified have SPF/DKIM definitions

For many marketers, the process of setting up SPF and DKIM when you first purchase your marketing automation platform is the first (and last!) time they ever think about these records, but it’s important to consider how all other outgoing email is defined with SPF and DKIM records.

Make sure you have all IPs and/or record types defined with your SPF setup. It’s important to remember that the SPF standard can only handle 10 lookups, so if you have more than 10 different places sending emails with your domain, you may want to consider consolidating your email sources or purchasing a separate domain for certain types of emails.

From there, you need to ensure you have DKIM records set up for each of your mailing platforms. Your IT team should be able to help you see which TXT records have different DKIM signatures on them and what you may be lacking. Because some administrators aren’t as familiar with DKIM setup, there’s a very real possibility that not all of your mailing systems are covered. Included below are instructions for setting up DKIM on some of the most common email systems:

Salesforce

Salesforce

https://help.salesforce.com/htviewhelpdoc?id=emailadmin_create_dkim_key.htm

Office 365

Office 365

http://blogs.msdn.com/b/tzink/archive/2015/10/08/manually-hooking-up-dkim-signing-in-office-365.aspx

Exchange

Exchange

https://www.emailarchitect.net/forum/yaf_postst357_Set-up-DKIM-in–Exchange-2007-2010-2013.aspx#post538

Google Apps

Google Apps

https://support.google.com/a/answer/174124?hl=en

Linux servers (Postfix)

Linux servers (Postfix)

https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-dkim-with-postfix-on-debian-wheezy

3. Create an email account for receiving DMARC reports

 

DMARC requires an email address to send its authentication reports to; most commonly this address is either abuse@domain.com or postmaster@domain.com (either of which we strongly recommend for your own DMARC setup). Make sure you have a valid email inbox for these records that go to both IT and marketing. Do note that if you use Google Apps, the process is a little different than most email providers.

4. Define what you want your DMARC policy to be

DMARC gives domains a few different options on how to handle emails that don’t pass authentication (those interested in learning all potential configurations should check out this helpful overview of all DMARC tags and values).

For simplicity’s sake, we’ll define three main options: take no action, quarantine, or reject. We generally recommend a phased approach where domains move from taking no action, then quarantining a percentage of emails, then quarantining all emails, and finally rejecting.

A very basic example of a DMARC record where servers are instructed to take no action would be:

v=DMARC1; p=none; rua=mailto:postmaster@domain.com; ruf=mailto:postmaster@domain.com

 

5. Set your DMARC policy (and monitor your reports!)

 

Once you’ve determined what your DMARC record should be, have your IT team place it as a TXT record in your domain’s DNS manager. After applying this record, you should start to receive daily emails that look similar to the following:

Attached to each of these emails will be an XML report that details what that particular email provider has experienced.

In this particular report from Yahoo, we can see the following:

  • The policy for this domain is to take no action ( tag)
  • 19 emails were sent to Yahoo’s servers on this day ( tag)
  • Emails sent from an IP passed SPF/DKIM ( tag)
  • Emails from domain.com passed SPF/DKIM (first  tag)
  • Emails from mail.domain.com passed SPF/DKIM (second   tag)

This is an example of a healthy DMARC setup. Be sure to watch your reports over the next few weeks and check that you do not see any failmessages, which would point to a specific domain or IP failing.

DMARC is not just an IT responsibility, especially when your email deliverability is hanging in the balance. Marketers should be involved throughout the entire DMARC setup and implementation process. Together with the IT team, marketers must do periodic checkups on the reports to ensure that your email continues to deliver as it should, and you can enjoy knowing that your email is safer, more deliverable, and unspoofable.

 

If your marketing team is looking for support with DMARC and email compliance, contact us.