DMARC stands for “Domain-based Message Authentication, Reporting, and Conformance”. It is an email authentication protocol that can be added to a domain’s DNS zone, developed as an improvement and extension of the existing protocols of SPF and DKIM. Using DMARC improves your email security and deliverability and prevents unauthorized third parties from sending emails from your domain.
Boiled down to the essentials, DMARC verifies whether the sender of an email that claims to be from your domain has your permission to send this email. Implementing DMARC prevents third parties from sending unwanted emails from your domain and helps increase your deliverability rate for the emails you want to send. This results in loyal customers, who trust you and your company.
Microsoft, Gmail, AOL, and Yahoo all employ DMARC as a protection layer. That means that all emails that are not authenticated by DMARC will automatically end up in the spam boxes of people using these email clients. On top of that, Google and Yahoo implemented new policies in February 2024 stating that all bulk email senders (users who send emails to over 5000 email addresses per day) need to have DMARC implemented for their emails to be delivered.
While DMARC was first introduced in 2012, its use has grown strongly over the past years. With the introduction of Google and Yahoo’s new bulk email policies, email security experts expect the use of DMARC to grow even further.
To understand how DMARC works, you first need to understand what SPF and DKIM are. Just like DMARC, SPF, and DKIM are both email authentication protocols that you can add to a domain’s DNS record.
SPF stands for “Sender Policy Framework”. SPF records define which servers and domains have your consent to send emails on your behalf. Meanwhile, DKIM stands for “DomainKeys Identified Mail”. This is an email authentication technique that involves adding a digital signature (called a DKIM signature) to all outgoing emails. DKIM verifies to receiving servers that an email was indeed sent or authorized by the owner of the domain it originates from.
SPF and DKIM work in isolation from each other, and it is quite a lot of work to deploy both protocols correctly at the same time. This means that some authentic, legitimate emails may slip between the cracks and still end up in spam folders.
DMARC joins the mechanisms of SPF and DKIM together and streamlines the general process of email authentication. A large improvement of DMARC, compared to SPF and DKIM, is that this protocol shows automated aggregate and failure reports about all outbound emails to domain owners. This helps you keep track of all outgoing email flows and makes it easier to catch a potential abuse attempt.
Image retrieved from DMARC.org
These are the key benefits of using DMARC for your email.
Improved email deliverability: Using DMARC makes your legitimate emails more likely to reach your recipients' inboxes and not get mistakenly marked as spam.
Prevent cybercriminals from using your domain: If unauthorized third parties try to send emails from your domain, DMARC will prevent these emails from ending up in receivers’ inboxes. This improves your general email security.
More insights into your outgoing email flows: DMARC automatically generates aggregate reports that show a full overview ofon which servers are sending (or trying to send) emails on behalf of your domain. This gives you a better understanding of your email activities and helps you spot unauthorized or suspicious behavior.
A DMARC record is a record that you can add to your DNS zone. This record specifies your DMARC policy for receiving email clients. There are three different policies: monitoring (p=none), quarantine (p=quarantine), and reject (p=reject). We explain these policies further down this article, under “How do I set up DMARC on my domain?”.
To add a DMARC record, you will need to manually set up the DMARC CNAME or TXT record in your domain’s DNS zone. Out of these two options, we strongly recommend adding a CNAME record, which is a simpler process. Adding a TXT record takes more manual work, but you may prefer adding a TXT record in some cases.
You can find detailed instructions on setting up the DMARC CNAME or TXT record on the website of the Global Cyber Alliance.
As soon as you have added the DMARC CNAME or TXT record to your domain’s DNS zone (either automatically or manually), you will start receiving aggregate and failure reports by email. In general, it will take 4-6 weeks before you have gathered enough data for you to start tailoring it to your needs and basing decisions in your email strategy on the results.
To set up DMARC after you add the DMARC record to your domain, you need to choose the right DMARC policy for you. Your DMARC policy allows you to indicate that your outgoing email messages are compliant with SPF and DKIM, and to tell receiving email clients what to do with unauthenticated emails that appear to come from your domain. You can set up DMARC with three different policies: monitoring (p=none), quarantine (p=quarantine), and reject (p=reject).
The monitoring policy (p=none) is the entry-level DMARC policy. If you have this policy enabled, DMARC will simply monitor your sending sources without taking action regarding illegitimate emails. Unauthorized emails from your domain can therefore still end up in your contacts’ inboxes. However, you can analyze the data and find out who or what is sending these emails from your domain.
The quarantine policy (p=quarantine) is the next “step” on the ladder. This policy will automatically redirect unauthorized messages from your domain to the receivers’ spam boxes.
Finally, enabling the reject policy (p=reject) will tell receiving email clients to prevent all messages that come from unauthorized sources from being delivered. In this case, unauthorized messages from your domain will not even end up in spam boxes. They will simply never arrive in your contacts’ mailboxes.
When you are starting to use DMARC, we recommend you start with the monitoring policy. Many beginners jump straight to the reject policy. Of course, no one wants any spam that comes from their domain to end up in their customers’ mailboxes. However, in most cases, this policy will also reject legitimate and important emails from your side, as you have likely not configured your email well when you are just starting out. We therefore recommend starting with the monitoring and quarantine policies and slowly working your way up to reject, while carefully analyzing the data that you receive through DMARC’s aggregate reports.
Example of a DMARC record with the p=none policy set up, via https://mxtoolbox.com/
When you add a DMARC record to your DNS zone, every email service provider that supports DMARC (such as Yahoo and Google) will automatically send out aggregate reports about your emails. These reports contain valuable information about your outgoing emails, such as information about the servers they come from and whether they were authenticated by you or not. You will receive aggregate reports once a day in the form of compressed flat XML text.
Besides these aggregate reports, DMARC may also cause you to receive failure reports. These reports contain edited copies of emails that failed authentication checks by email service providers. You can use failure reports to find out more about why these emails were rejected, and how you can prevent this from happening in the future. However, DMARC failure reports are not supported by major internet providers due to privacy reasons, which means that you may not receive many of these. In general, we recommend focusing on aggregate reports, as they already contain a lot of useful information by themselves.
EasyDMARC is a hosted DMARC solution that makes deploying DMARC records seamless and easy. The tool provides an easy-to-use control panel that makes it easy to set up DMARC by yourself. The intuitive dashboard enables you to edit all settings, without any technical knowledge and without having to add or update the DMARC record in the DNS yourself.
EasyDMARC also automatically provides you with useful data about outgoing email flows from your domain, including the servers that they come from. It takes DMARC’s automatically generated aggregate reports and turns them into an easy-to-understand dataset and graph, which will give you valuable insights further to improve your email security and outgoing email strategies.
EasyDMARC isn’t just a monitoring tool, it gives you much more! These are the biggest benefits of using EasyDMARC compared to using the manual approach.
No technical knowledge needed: Using EasyDMARC, you do not have to edit anything in the DNS yourself. You can add and update your DMARC record in a few simple clicks. This makes EasyDMARC accessible for everyone without needing advanced technical knowledge.
Simplified reports: Aggregate reports are notoriously difficult to read and understand for people with no technical background. EasyDMARC translates the reports into a dynamic, easily understandable dashboard, making it much easier to interpret the data.
Extra integrated features: With EasyDMARC, you get access to a host of useful extra features that help you improve your email security - including a blacklist check tool, phishing check tool, tools for reputation monitoring, and more!
Do you want to learn more about how EasyDMARC can tangibly improve your email security, strategy, and deliverability? Take a look at this case study of a happy EasyDMARC customer!
Aggregate reports as shown in the EasyDMARC control panel.
Manual work in the DNS v/s using the EasyDMARC control panel: If you implement DMARC manually, you need to know how to add and update records to the DNS. Meanwhile, if you use EasyDMARC, you can add a DMARC record to your DNS zone with just a few clicks in the EasyDMARC control panel. This feature makes EasyDMARC a suitable choice for users with less technical experience.
XML files v/s an intuitive dataset and graph: Manual DMARC automatically generates daily aggregate reports that are sent to your email address in the form of XML files. These files are notoriously difficult to read if you do not have a technical background. EasyDMARC translates the reports into a dynamic, easily understandable dataset and graph, making the data from the aggregate reports easy to interpret for anyone.
Extra integrated features: With EasyDMARC, you get access to a host of useful extra features, including a blacklist check tool, phishing check tool, tools for reputation monitoring, and more! Manual DMARC does not include these features.
Domain resellers are individuals and businesses that offer domain registration and management services to their customers, without being a domain registrar.
SSL certificates are digital certificates that provide a secure and encrypted connection between a web server and a user's web browser.
Premium DNS, also called Anycast DNS, is an advanced DNS service that boosts your website’s performance and protects it from Distributed Denial of Service (DDoS) attacks.
Renewing a domain is the act of extending your domain name’s registration period so you can continue using it. Renewing a domain name is crucial for maintaining your online presence and protecting your brand.