DMARC, the quick and dirty way


As you well know, Gmail and Yahoo Mail are now requiring that all senders start to publish a DMARC record, if they weren't publishing one already.

Hopefully you watched the webinar with LB Blair and myself (I'll link to the recording here as soon as it is available) where we talk at length about DMARC and what you need to know to start to be able to "speak DMARC" as needed.

But if you didn't watch that, and don't have the time to dive into making yourself a DMARC expert? What's the five-minute version of all of this? How do you get up and running quickly without having to stop and worry about RFCs and options? "Just tell me what I need to know to get it done." Okay, I got you. Here we go.

Before you proceed with this, you need to ensure that you've implemented DKIM authentication for every place you send email. That includes your corporate mail – your 1:1 mailbox where people write in to you, and you respond back to them, AND it also includes any ESP (email service provider), CRM tool, or newsletter tool. ANYTHING that sends mail using your domain NEEDS to have DKIM set up properly. You bought a Microsoft O365 package from GoDaddy? You use Google Workspace for your main email domain? Klaviyo is your marketing platform? Or Mailchimp? Doesn't matter which; Google "Configure DKIM domain for (platform)" or "Configure custom sending domain for (platform)" and find and follow the directions.

Just about all of these involve either copying and pasting a little bit of text into a certain place in the DNS records for your domain, or adding a "CNAME" record or two for your domain name. If you see references to "Domain Keys" here and there, DKIM actually stands for "Domain Keys Identified Mail," so they're usually talking about DKIM.

To safely utilize DMARC, you must implement DKIM for every email service you use with your domain name. If you skip this step, bad things will happen either now or later, and some of the simpler DMARC options I'll offer up below might mean you don't realize that your domain is configured badly and that lots of your mail is going to get rejected or filtered unfairly.

Now that you've got DKIM in place, here are three options for DMARC. Each of these is a "DMARC record" and you're going to copy and paste whichever one you choose into a certain place in your domain's DNS settings.

  • Okay: "v=DMARC1; p=none;"
  • Better: "v=DMARC1; p=none; rua=mailto:you@yourdomain.com"
  • Best: Go partner with a DMARC tools/service provider and follow their guidance on how to implement a DMARC record, with a reporting address pointing to them.

Note that the "p=" option here refers to "DMARC policy," which is how a domain owner tells mailbox providers like Yahoo Mail and Gmail what to do about mail that fails authentication checks. You're starting off with a policy of "none" which means you are interested only in monitoring your domain's traffic – you're not telling mailbox providers to filter or reject mail that fails authentication. A policy of "quarantine" tells providers to examine and filter failed mail, and a policy of "reject" tells mailbox providers to reject failed mail. Reject is the best policy from a security and spoofing perspective – it helps best prevent bad guys from faking mail from your domain. But you're new to DMARC, not an expert. Don't jump straight to a policy of "reject." Stick with "none" until you decide to partner with a DMARC service/platform and then follow their advice on when to make policy setting changes.

Let's review those options in more detail.

The "Okay" version: You'll publish a DMARC policy of none, with no option for reporting. This allows you to comply, at the most bare minimum level, with the new Google and Yahoo sender requirements. This doesn't really get you any benefit from DMARC, and the only real benefit for Google and Yahoo is that they know that you listened enough to "check the box."

Here's what to do to implement this version: Find the place where you bought your domain from. In my case, that's Hover.com. I logged in to my Hover.com dashboard and clicked on my domain name. I clicked on "DNS" and "add new entry." Type? TXT (aka "text"). Name (hostname)? An underscore followed by the word "dmarc" in all lower case. In other words, "_dmarc" is what you're typing in here. Content (the value)? Type in "v=DMARC1; p=none;" without quotes. (Don't include quotes in any of these values.)

And ... that's it! You're done. Easy peasy. 


Better version: Similar to the okay version, but in that "Content" section in your DNS settings for your domain, we're going to add an email address. Specifically, your email address. You're going to add a tag formatted like this: "rua=mailto:you@youremailaddress;" but change you@youremailaddress to your actual email address, so the whole record reads "v=DMARC1; p=none; rua=mailto:you@yourdomain.com" (again, no quotes). Also, this email address has to be in the same domain name you're setting this up for. Meaning, if you're setting up a DMARC record for wombatmail.com, the contact address has to be a valid email address at the domain wombatmail.com. I'm glossing over why, because this is the quick tutorial, but if you try to send reports to another domain, it doesn't work unless you know what you're doing, and that knowledge is out of scope here. See the screenshot for how I would implement this for wombatmail.com.

This means that you're inviting mailbox providers to send aggregated reporting data to you via email. Why? Because Yahoo Mail strongly recommends that you have this (called a "reporting mechanism") in place. You'll get a few emails from this, maybe weekly. As long as nobody is spoofing millions of emails in your domain, the email volume is going to be really, really light. You can put them in a folder and ignore them if you want (following the letter, but not the spirit of what Yahoo wants). Or you could later investigate do-it-yourself DMARC processing tools. Or you could just move on to the best way to do it, see the next option.

Best version: Don't do any of this. Go find a DMARC provider with a free option (like Valimail Monitor) and follow their instructions. They'll give you the specific DMARC record info to paste into that DNS TXT record. They will receive DMARC reports about your domain. They'll pull those reports into some sort of summary update or dashboard. You can mostly ignore it for now, especially if you're a small brand sender or newsletter sender and you're just trying to check the box. But if and when you're ready to dig deeper, look into what these tools can do for you, and what their monitoring and alerting can tell you. It's good stuff, and very important to have when you're a savvy email sender.

Valimail is far from the only DMARC vendor out there; Postmark, OnDMARC by Red Sift, dmarcian and EasyDMARC are also all good options, and there's even a website featuring a chart of known DMARC vendors, just ripe for browsing.

Why go this route? Because these tools will help guide and warn you through initial implementation of DMARC, plus they'll offer alerting to tell you when they notice something amiss. Amiss could mean that a DNS record necessary for DKIM accidentally got deleted, or it could mean that some bad guy in Korea or China is sending millions of emails pretending to be you. It is valuable to have a DMARC provider monitor that can warn you of anything suspicious.

Note that your domain name should have only one "_dmarc" text record. If your domain name already has one, and you want to implement any of this, you'll need to edit the existing DNS record, or delete and replace it. But if you do already have a DMARC record in place... maybe someone has already set this up for you? Be sure to investigate and confirm.

Want to check to see if your domain has a DMARC record, or whether you implemented it correctly? There are lots of DMARC lookup tools online, including my own over at Wombatmail, this one from dmarcian, and this one from Valimail.
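If you'd rather check your record from the command line than with a web tool, here is an added Python example (my own illustration, not code from this post or from any of the vendors named above). It applies the rules the post lays out: exactly one `_dmarc` TXT record, `v=DMARC1` with a valid `p=` policy, a `mailto:` rua address in the same domain as the record, and it catches the `rua:mailto:` typo that is easy to make. It assumes the TXT strings come from `dig` via the hypothetical `lookup_txt` helper, or are pasted in by hand.

```python
import re
import subprocess

def _unquote(txt: str) -> str:
    """dig prints a TXT record as one or more quoted strings; join them."""
    pieces = re.findall(r'"([^"]*)"', txt)
    return "".join(pieces) if pieces else txt

def parse_dmarc(record: str) -> dict:
    """Turn 'v=DMARC1; p=none; rua=mailto:...' into a {tag: value} dict."""
    tags = {}
    for part in filter(None, (p.strip() for p in record.split(";"))):
        if "=" not in part:  # catches typos such as 'rua:mailto:...'
            raise ValueError(f"malformed tag (expected tag=value): {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags

def check_dmarc(domain: str, txt_records: list) -> list:
    """Return problems with the TXT strings found at _dmarc.<domain>; [] means OK."""
    records = [r for r in map(_unquote, txt_records) if r.lower().startswith("v=dmarc1")]
    if not records:
        return [f"no DMARC record found at _dmarc.{domain}"]
    problems = []
    if len(records) > 1:  # only one _dmarc TXT record may exist
        problems.append("more than one DMARC record; receivers treat the domain as having none")
    try:
        tags = parse_dmarc(records[0])
    except ValueError as err:
        return problems + [str(err)]
    if tags.get("p") not in ("none", "quarantine", "reject"):
        problems.append(f"missing or invalid p= tag: {tags.get('p')!r}")
    for uri in filter(None, (u.strip() for u in tags.get("rua", "").split(","))):
        if not uri.startswith("mailto:"):
            problems.append(f"rua destination must be a mailto: URI, got {uri!r}")
        else:
            rua_domain = uri[len("mailto:"):].split("!")[0].rpartition("@")[2].lower()
            if rua_domain != domain.lower():  # the post's rule: same domain as the record
                problems.append(f"rua points at {rua_domain}; another domain must first "
                                "publish an authorization record or reports are not sent")
    return problems

def lookup_txt(name: str) -> list:
    """Fetch TXT strings with the dig CLI (needs network; offline checks pass them in)."""
    out = subprocess.run(["dig", "+short", "TXT", name], capture_output=True, text=True, check=True)
    return [line for line in out.stdout.splitlines() if line.strip()]

if __name__ == "__main__":  # usage: python dmarc_check.py wombatmail.com
    import sys
    print("\n".join(check_dmarc(sys.argv[1], lookup_txt("_dmarc." + sys.argv[1])) or ["looks OK"]))
```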

Disclaimer: As of March 27, 2024, I am an employee of Valimail.


Comments

  1. Hi Al. I watched the Aweber YouTube video with you and Jesse today, and went down a rabbit hole with the resources you recommended (only a little...) to understand DMARC in particular. I found the info you provided, and particularly this post, so helpful. I'm mildly tech-savvy and this answered all of my questions. THANK YOU!

