The first post in this series on email authentication changes covered the importance of DKIM and SPF records for email sending in light of the new requirements set forth by Google and Yahoo/AOL. This second installment will cover the DMARC record, a third piece to the email authentication puzzle. If you are unsure of what DMARC records are or why they are important, read on.
Anyone sending an email to a Gmail or a Yahoo email address is required to have valid DNS records in place to ensure email authentication. This includes SPF, DKIM, and DMARC records. Without these three records correctly configured in your domain’s DNS records, Google or Yahoo may choose to drop the email and not warn the sender.
What Are DMARC Records?
If you have a website for your business and you send email using the domain name – such as me@mybusiness.com – then you need to ensure that your DNS records include a correctly configured DMARC record. If you use Gmail, Hotmail, or some other free email service that does not include your business domain, then this would not apply.
DMARC is an acronym for Domain-based Messaging Authentication Reporting and Conformance and is pronounced “dee-mark.” It is considered to be an email security protocol. It uses the results of the SPF and/or DKIM checks to determine whether an email is truly coming from the domain on the email. If either SPF or DKIM fail, DMARC steps in and provides instruction on what should happen to that email.
DMARC allows for three options for an email that fails either SPF, DKIM, or both initial tests: it will either reject the email immediately, quarantine it by sending it to a spam folder, or it may do nothing and the email will be treated as if the DMARC record doesn’t exist. The record can be configured to do more than one of these options. For example, it may allow a percentage of failed emails through but drop the remainder of the emails. By configuring a DMARC record you are instructing your email server on what to do with any email that fails authentication.
What does a DMARC record look like?
A DMARC record will be a TXT (“text”) record added to your DNS records through your domain’s registrar. Let’s say you purchased a domain from GoDaddy or some other registrar. You’ve added an A record to point to your website, and you’ve added MX records to set up email service. You’ll next want to add SPF, DKIM, and DMARC records to ensure your email deliverability.
As a starting point, a DMARC TXT record may look something like this:
v=DMARC1; p=none; rua=mailto:me@mybusiness.com; pct=100;
So what does this record do? The “p=none” section specifies the DMARC policy will do nothing to emails that fail DMARC authentication, and the “rua=mailto:” portion indicates a report of the failure will be sent to me@mydomain.com. If you’ve added the record correctly, you’ll start receiving reports within a day – this is a good indication the record was added correctly. You may decide you want to start quarantining the failed emails – you can then change “p=none” to “p=quarantine” in your DMARC record. To reject all emails that fail authentication, “p=reject” & “pct=100” can be used.
There are online “wizards” that can make creating a DMARC record very easy – Dmarcian’s DMARC Record Wizard takes just a few minutes to fill out and it will help you get your DMARC record set up in no time at all.
Why should I worry about SPF, DMARC, and email authenticity?
As a business owner, you want to ensure you are receiving clients’ emails and that clients are receiving your emails without them ending up in a spam folder or worse – having them dropped completely and not delivered. Email today is an important communication tool for businesses, whether it’s an email directly to a client, a notification sent via a website contact form, or a mass mailing of a newsletter or sale flier.
As an email recipient, you want assurance that the email you are reading and replying to is authentic and that it has been sent from the domain used on the email and not from a phishing email or a spoofed email.
Shouldn’t my email service worry about this? Why do I need to deal with DNS records?
A business owner may wear many hats, that is a certainty! Should you be expected to know everything about email authentication, DNS, and what a quarantine DMARC policy does? No, not really. Just as you work with a CPA for bookkeeping and taxes, you’ll want IT support to help you with your email setup and DNS requirements. If you’re unsure if you have the proper email authentication in place, reach out to your IT company and ask. If you aren’t working with an IT company, you can contact us at support@rootsmarketinggr.com, and we can suggest one of our trusted IT partners to assist you with your DMARC setup.
