DMARC is an email authentication technology that builds on DKIM and SPF. While DKIM and SPF are used to prevent spoofing (among other things), DMARC takes it a step further by providing instructions to email receivers about what to do with the email if it doesn’t pass authentication.
There are many elements that a mail server or filter will consider when deciding the risk or spam level of an email—including the presence of a passing SPF and DKIM. DMARC is different though, as its absence will not impact deliverability; it's more of a voluntary email authentication. DMARC is mainly used for anti-phishing or anti-fraud and can protect a brand reputation. It will prevent phishing emails spoofed for your brand from being delivered to a customer's inbox.
NOTE: If you currently have DMARC set up or plan to in the future, please ensure that you have already completed the process for Email Sending Domains to have your ClickDimensions account configured with DKIM in order to align with the DMARC you will set up. If your domains do not validate as Waiting for Approval or Approved Status, please open a support ticket and we'll be happy to assist.
How does DMARC work?
A DMARC record is created for an email sending domain. It’s a TXT DNS record which can be configured in many ways to determine how relaxed/strict it should be, how subdomains should behave, where reporting should go, and what type of policy you want to declare.
There are 3 policies or levels that a DMARC policy can have.
- None: Instructs the receiver not to do anything in particular with the email if it fails DMARC but allows them to view reporting for all emails sent with their domain.
- Quarantine: Instructs the receiver to deliver the email to the spam/junk folder if DMARC fails.
- Reject: Instructs the receiver to reject or bounce the email back if it fails DMARC.
An email server/ISP/spam filter will not base their decision solely on DMARC. Emails will still be put through the normal anti-spam checks and algorithms, even if DMARC passes. And email servers/filters are not required to honor the DMARC policy, but most will.
What is required for DMARC to pass?
There are 2 factors to consider when configuring email to work with DMARC. The following information describes a scenario where DMARC is set to the default mode of relaxed.
- SPF and/or DKIM
  - DMARC is built on the existing SPF and DKIM email authentication technologies.
  - DMARC will work with one or both.
  - SPF or DKIM needs to be present for the email AND needs to pass.
- Alignment
  - The From domain (Display From) will need to match on the organizational domain for either the Mail From (SPF) or the DKIM Signature (DKIM).
  - For example, if you send from info@tomatogardens.com, the domain for SPF or DKIM will need to be a subdomain (market.tomatogardens.com) or match exactly (tomatogardens.com).
For DMARC to pass, the email message must . . .
- Pass SPF authentication on the Mail From and have alignment between the Display From domain and the Mail From domain, OR
- Pass DKIM authentication and have alignment between the DKIM domain and the Display From domain.
How does ClickDimensions configure email to work with DMARC?
ClickDimensions will configure an account to work with DMARC by configuring the DKIM signature to align with the DMARC policy. For more information about this process, please see our DKIM Signatures article.
Below is an example of how the domains would look configured for DMARC using DKIM, where DMARC is set to the default mode of relaxed. The organizational domain has been bolded to show how it is aligned.
From Email (Display From)
info@tomatogardens.com
Mail From
email.clickdimensions.com
DKIM Signature
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; s=gears; d=market.tomatogardens.com; h=Date:From:To:Message-ID:Subject:MIME-Version:Content-Type:List-Unsubscribe; bh=FE2Ra3JJOD3+/d5W/4au03QqBPQXjXV1Gt22xYxFoz8=; b=d/hLwvA
DMARC record
_dmarc.tomatogardens.com TXT "v=DMARC1; p=quarantine; pct=100;"
There are exceptions to this if DMARC is set to strict for DKIM, or for both SPF and DKIM, as described in the DMARC tags section below.
What happens if the email is not configured to work with DMARC?
If the sender has DMARC set up but doesn’t have the account configured correctly to work with DMARC, the symptoms vary by how the DMARC policy is set.
- If the policy (p=) is set to quarantine, we will see a large volume of email delivered to the spam or junk folder and opens/clicks will decrease dramatically.
- If the policy (p=) is set to reject, we usually see about a 40 – 50% bounce rate. The bounces returned will reference a DMARC policy or DMARC failure.
- If the policy (p=) is set to none, technically there should be no impact, but in practice we have seen some volume of email being flagged as spam or other undesired behavior.
DMARC tags
Any domain used to send email from your CRM through ClickDimensions must avoid certain tags in the DMARC records you set up in DNS for the organizational domain or the signing domain. If this is not followed, any attempt to send email from your CRM via ClickDimensions will be handled according to the policy for unauthenticated email, as described above.
DMARC on your email sending domains must use the default adkim value of relaxed (not strict), either by asserting the relaxed value in the tag, e.g.
adkim=r;
or ideally by removing the adkim tag altogether. The same default relaxed value for the aspf tag is also needed, and we recommend omitting the aspf tag as well.
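The pass conditions from "What is required for DMARC to pass?" and the effect of the adkim/aspf tags described above can be checked with a short script. This is an added example, not ClickDimensions code; the function names are hypothetical, the organizational domain is approximated as the last two labels, and the pct tag is ignored.

```python
# Added example, not ClickDimensions code. Simplifications (assumptions):
# the organizational domain is the last two labels (fine for .com; real
# receivers use the Public Suffix List) and the pct tag is ignored.

def parse_dmarc(record):
    """Parse a DMARC TXT record value into a dict of tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags

def org_domain(domain):
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """'r' (relaxed): same organizational domain; 's' (strict): exact match."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def evaluate(record, from_domain, mail_from, spf_pass, dkim_domain, dkim_pass):
    """Return (dmarc_pass, policy_applied); policy_applied is None on a pass."""
    tags = parse_dmarc(record)
    spf_ok = spf_pass and aligned(from_domain, mail_from, tags.get("aspf", "r"))
    dkim_ok = dkim_pass and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return True, None
    return False, tags.get("p", "none")

# The article's record, plus two constructed variants for comparison.
RELAXED = "v=DMARC1; p=quarantine; pct=100;"
STRICT_DKIM = "v=DMARC1; p=quarantine; adkim=s;"   # constructed
REJECT = "v=DMARC1; p=reject;"                     # constructed

if __name__ == "__main__":
    msg = ("tomatogardens.com", "email.clickdimensions.com", True,
           "market.tomatogardens.com", True)
    print(evaluate(RELAXED, *msg))      # DKIM subdomain aligns under relaxed
    print(evaluate(STRICT_DKIM, *msg))  # adkim=s needs an exact domain match
```

With adkim=s the subdomain signature no longer aligns, which is why the tag should be relaxed or omitted for the configuration shown earlier.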