RQIBAADL: Random questions I've been asked about DMARC lately: a FAQ

Uh, zoom, zip! A quick one today -- allow me to cobble together a blog post made up of some quick answers to recently asked questions about DMARC. Let's jump right into it.

My DNS provider's control panel won't let me configure a DMARC record. I get an error that says that underscores are not allowed in domain names. What should I do?

Technically, underscores are not allowed in domain names. (There is no such thing as spam_resource.com.) However, underscores are allowed in DNS hostnames, like "_dmarc", the hostname or DNS entry you need to create under your domain name to enable DMARC. I'm not going to name names, but there are some domain registrars and DNS control panels that misunderstood the "no underscores in domain names" rule and think it means that you can't have underscores in DNS hostnames. Which is wrong. If you run into this, submit a support ticket to the DNS host or domain registrar and point out that millions of people have created DMARC records for their domains, and each one of those records contains an underscore. In some cases your domain registrar can add the DMARC record for you manually. And if they can't, maybe you'll need to move your domain to a different registrar.

It seems as though platforms affected by this are racing to fix things, if they haven't already. So let us hope that this becomes a thing of the past, very soon. (For those looking to nerd along from home, RFC 2782, the SRV record specification, is an older example of a DNS record whose name starts with an underscore, used to point at a service.)

When checking my DMARC record, I get an error that says I have no policy set. What does that mean?

The "policy" setting is the p= value in your DMARC record. It can be none, quarantine or reject. It has to be exactly one of these. Not more than one, not worded differently. Also make sure you didn't accidentally type "policy=" instead of "p=" into the DMARC record, which I myself am guilty of doing at least once.

When checking my DMARC record, I get an error that says that I have two DMARC records for my domain. But I followed the instructions that my ESP gave me! What gives?

A few domain registrars and email sending platforms blindly told customers to add a new DMARC record for their domain in order to become compliant with the new Yahoo/Google sender requirements. Without checking to see if the domain already had a DMARC record in place. This led to some folks ending up with two DMARC records, when there should only be one for the domain. Ignore the bad guidance; make sure you only have one DMARC record for your domain, and delete the second one.

More on that here.

That's great, but now I've got two DMARC records. Which one do I keep?

That's going to vary, but the short answer is -- if you use a DMARC service, you'll probably want to keep the one that references the DMARC service. In other words, if you have two DMARC records and one of them references sending reports to something-something@vali.email, keep that one, because it probably means that you or your company have engaged Valimail (or whoever) for DMARC monitoring and reporting. Do your research to confirm this, and write down the old DMARC record, in case you get it wrong and need to swap it out later.
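The three record problems above (a typo'd or missing p= tag, two DMARC records where there should be one, and figuring out which record points at your DMARC service) can all be spotted from the raw TXT answers. This is an added example, not code from the original post; the TXT strings are constructed, and the checks follow the DMARC tag syntax from RFC 7489.

```python
# Constructed sample TXT answers for _dmarc.example.com; not real DNS data.
TXT_RECORDS = [
    'v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com',
    'v=DMARC1; policy=reject; rua=mailto:something-something@vali.email',
]

VALID_POLICIES = {"none", "quarantine", "reject"}

def parse_tags(record):
    """Split a DMARC TXT record into an ordered list of (tag, value) pairs."""
    tags = []
    for part in record.split(";"):
        if "=" in part:
            tag, value = part.split("=", 1)
            tags.append((tag.strip().lower(), value.strip()))
    return tags

def check_records(records):
    """Return a list of problems found across all TXT answers at _dmarc.<domain>."""
    problems = []
    dmarc = [r for r in records if r.strip().lower().startswith("v=dmarc1")]
    if not dmarc:
        problems.append("no DMARC record")
    if len(dmarc) > 1:
        problems.append("multiple DMARC records: keep exactly one")
    for rec in dmarc:
        tags = parse_tags(rec)
        names = [t for t, _ in tags]
        if "policy" in names:  # the typo the FAQ mentions: 'policy=' is not a tag
            problems.append(f"'policy=' is not a DMARC tag, use 'p=': {rec}")
        p_values = [v for t, v in tags if t == "p"]
        if len(p_values) != 1:
            problems.append(f"expected exactly one p= tag, found {len(p_values)}: {rec}")
        elif p_values[0].lower() not in VALID_POLICIES:
            problems.append(f"p= must be none, quarantine or reject, got {p_values[0]!r}: {rec}")
    return problems

def report_addresses(record):
    """Return the rua= mailto addresses, which show whether a record points at a DMARC service."""
    addrs = []
    for tag, value in parse_tags(record):
        if tag == "rua":
            for uri in value.split(","):
                uri = uri.strip()
                if uri.lower().startswith("mailto:"):
                    # RFC 7489 allows a "!size" suffix after the address; drop it
                    addrs.append(uri[len("mailto:"):].split("!")[0])
    return addrs
```

Feed it the TXT strings your DNS tool returns for _dmarc.yourdomain; an empty list from check_records means a single, well-formed record.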

Okay, I included a RUA (reporting address) in my DMARC record, and set it to my own email address. Now I'm getting these weird emails with a ZIP attachment. I open it to find an XML file and a bunch of data wrapped in code. What do I do with this?

Not much, really. These are DMARC aggregate reports. They're human readable, but just barely, and not really meant to be manually processed. If you want to take the XML file from one of those emails and parse it to see what it actually tells you, there are online tools that can do that. Here are links to ones from MX Toolbox and EasyDMARC.

If you want to deal with DMARC at scale, you need to either install unix tools to collect and process the data (if you're that kind of unix nerd), or sign up for service from a DMARC provider, to have them do it for you. DMARC providers ingest these reports and use them to generate dashboards to help you monitor sightings of your email domain(s) out in the wilds of the internet. Different DMARC providers have different levels of functionality and may offer add-ons or additional security-focused features or guidance, but at its very core, what a DMARC provider does is ingest DMARC reporting and convert it into something that you can usefully read and understand.
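For the "unix nerd" route, this is the core of what a DMARC provider does with each ZIP attachment: unpack it, read the XML and reduce it to who sent mail as your domain and whether it authenticated. This is an added example, not code from the original post or from any DMARC provider; the sample report is constructed in the RFC 7489 Appendix C layout.

```python
import io
import xml.etree.ElementTree as ET
import zipfile

# Constructed aggregate report in the RFC 7489 Appendix C layout; not a real receiver's data.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>receiver.test</org_name><report_id>42</report_id></report_metadata>
  <policy_published><domain>example.com</domain><p>none</p></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>5</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>other.test</domain><result>softfail</result></spf></auth_results>
  </record>
</feedback>"""

def unzip_report(attachment_bytes):
    """Return the XML text inside the .zip attachment a reporting receiver mails to your rua address."""
    with zipfile.ZipFile(io.BytesIO(attachment_bytes)) as zf:
        return zf.read(zf.namelist()[0]).decode("utf-8")

def summarize(xml_text):
    """Reduce one aggregate report to a per-source-IP view of what the receiver saw."""
    root = ET.fromstring(xml_text)
    rows = []
    for rec in root.findall("record"):
        row = rec.find("row")
        pol = row.find("policy_evaluated")  # DMARC's verdict, alignment included
        rows.append({"ip": row.findtext("source_ip"),
                     "count": int(row.findtext("count")),
                     "disposition": pol.findtext("disposition"),
                     "dkim": pol.findtext("dkim"), "spf": pol.findtext("spf")})
    return {"reporter": root.findtext("report_metadata/org_name"),
            "domain": root.findtext("policy_published/domain"),
            "policy": root.findtext("policy_published/p"), "rows": rows}

def unauthenticated_sources(summary):
    """Source IPs where neither DKIM nor SPF aligned: mail using your domain that you did not authenticate."""
    return [r["ip"] for r in summary["rows"] if r["dkim"] != "pass" and r["spf"] != "pass"]
```

Run summarize(unzip_report(attachment)) over every report you receive and the unauthenticated_sources list is the first thing to investigate before moving p= beyond none.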

Mark Alley publishes a DMARC tools and vendors list here.

Hey, I set up DKIM and DMARC and all of this stuff and now my open rates have gone way down. What gives?

DKIM and DMARC don't really govern your open rates or click through rates. Together, what they do is make it easier for Yahoo and Gmail (and many other mailbox providers) to recognize you as you. It is entirely possible that some senders were getting good open rates with some sort of data source or list hygiene issue, and now that loophole is closed with these new requirements.

Also, when you first implement DKIM authentication, or if you just set up a new domain name, immediately sending big volume (thousands of messages or more all at once) might get Gmail and others to treat you as suspicious, resulting in delayed mail or spam folder placement.

Let me say that all again:

  1. Especially in the long term, DKIM/DMARC just makes it easier for mailbox providers to accurately rank your mail without including anybody else's mail in their calculations. For some folks, this means your engagement rates could be too low, or complaint rates too high, and now Gmail can better see it, and could be more likely to put mail in the spam folder instead of delivering your mail to the inbox.
  2. If it's just newness of the DKIM set up (or domain purchase), slow down sending for your first few sends. If you would normally send 25,000 emails today, try breaking that up across a few days for a few sends. If it's just a case of newness, opens and clicks will rebound. Consult your friendly neighborhood deliverability consultant for assistance as needed.

TL;DR: If you're really sure that you're not a sub-standard sender, that people really do want your mail, open rates and click rates will probably bounce back after a few weeks.

But I thought DMARC was going to help me get to the inbox!

Sorry, friend, that's not what DMARC does. It has an indirect positive impact on deliverability for good senders, yes, but it is not a switch you turn on that somehow guarantees inbox placement.

If I had a dollar for every time I've heard somebody complain that DMARC was supposed to guarantee inbox placement, but that it's not working properly... I'd have at least nine dollars.

How do I test that I've got this thing configured correctly?

Send to Gmail. View message source (three dots menu -> "View Original"). Look at the authentication settings at the top. It'll highlight SPF, DKIM and DMARC success or failure. That's an easy way to get started. Want to do a more comprehensive test? I recommend Steve Atkins' Aboutmy.Email tool. It even has a "Good Practice" section which refers specifically to Yahoo/Google compliance.
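What Gmail's "View Original" summarises comes from the Authentication-Results header on the message. This added example (not code from the original post) pulls the SPF, DKIM and DMARC verdicts out of that header and checks whether the DKIM signing domain aligns with the From: domain, which is the question DMARC actually asks; the header is constructed in the shape Gmail produces, and the parser is a simplified reading of RFC 8601 that ignores quoted-string values.

```python
import re

# Constructed header in the shape Gmail's "View Original" shows; not a captured message.
SAMPLE_HEADER = """Authentication-Results: mx.google.com;
       dkim=pass header.i=@example.com header.s=sel1 header.b=AbCdEf12;
       spf=pass (google.com: domain of bounce@example.com designates 192.0.2.10 as permitted sender) smtp.mailfrom=bounce@example.com;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=example.com"""

def parse_auth_results(header):
    """Return (authserv_id, {method: {"result": ..., property: value, ...}}) from the header."""
    body = header.split(":", 1)[1]            # drop the "Authentication-Results" field name
    body = re.sub(r"\s*\r?\n\s+", " ", body)  # unfold continuation lines
    body = re.sub(r"\([^)]*\)", "", body)     # drop (comments); they can contain ';' or '='
    parts = [p.strip() for p in body.split(";") if p.strip()]
    authserv_id, methods = parts[0], {}
    for stanza in parts[1:]:
        tokens = stanza.split()
        method, result = tokens[0].split("=", 1)
        props = dict(tok.split("=", 1) for tok in tokens[1:] if "=" in tok)
        methods[method.lower()] = {"result": result.lower(), **props}
    return authserv_id, methods

def explain(header):
    """Plain-language check of the three verdicts the FAQ tells you to look at, plus DKIM alignment."""
    _, m = parse_auth_results(header)
    lines = []
    for method in ("spf", "dkim", "dmarc"):
        r = m.get(method)
        lines.append(f"{method}: {r['result'] if r else 'not evaluated'}")
    dmarc, dkim = m.get("dmarc"), m.get("dkim")
    if dmarc and dkim and dmarc.get("header.from"):
        # header.i is user@domain or @domain; fall back to header.d if a receiver reports that instead
        dkim_domain = dkim.get("header.i", "").split("@")[-1] or dkim.get("header.d", "")
        aligned = dkim_domain.lower() == dmarc["header.from"].lower()
        lines.append(f"dkim domain {dkim_domain!r} {'aligns' if aligned else 'does not align'} "
                     f"with From: {dmarc['header.from']}")
    return lines
```

Paste the Authentication-Results header from a test message into SAMPLE_HEADER's place; a "does not align" line with dmarc=fail usually means the DKIM selector belongs to a different domain than the one in From:.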

If you just want to specifically view and troubleshoot your domain's DMARC DNS record, not pull apart full email headers and authentication from a sent email message, there are a fair number of tools out there that can do that, including this one from Valimail.



  1. Great post Al. I particularly like the section on underscores. At Cakemail, we used to get a lot more clients mentioning this problem, it's much less now, but still it does happen. Ugh!


Comments policy: Al is always right. Kidding, mostly. Be polite, please and thank you.