DMARC is an email authentication technology that builds on DKIM and SPF. While DKIM and SPF are used to prevent spoofing (among other things), DMARC takes it a step further by providing instructions to email receivers about what to do with the email if it doesn’t pass authentication.
There are many elements that a mail server or filter will consider when deciding the risk or spam level of an email—including the presence of a passing SPF and DKIM. DMARC is different though as its absence will not impact deliverability; it's more of a voluntary email authentication. DMARC is mainly used for anti-phishing or anti-fraud and can protect a brand reputation. It will prevent phishing emails spoofed for your brand from being delivered to a customer's inbox.
NOTE—if you currently have DMARC set up or plan to in the future, please open a Support ticket to have your ClickDimensions account configured with DKIM in order to align with the DMARC you will set up.
How does DMARC work?
A DMARC record is created for an email sending domain. It’s a TXT DNS record which can be configured in many ways to determine how relaxed/strict it should be, how subdomains should behave, where reporting should go, and what type of policy you want to declare.
There are 3 policies or levels that a DMARC policy can have.
Instructs the receiver not to do anything in particular with the email if it fails DMARC but allows them to view reporting for all emails sent with their domain.
Instructs the receiver to deliver the email to the spam/junk folder if DMARC fails.
Instructs the receiver to reject or bounce the email back if it fails DMARC.
An email server/ISP/spam filter will not base their decision solely on DMARC. Emails will still be put through the normal anti-spam checks and algorithms even if DMARC passes. And email servers/filters are not required to honor the DMARC policy, but most will.
What is required for DMARC to pass?
There are 2 factors to consider when configuring email to work with DMARC. The following information describes a scenario where DMARC is set to the default mode of relaxed.
- SPF and/or DKIM
- DMARC is built on the existing SPF and DKIM email authentication technologies.
- DMARC will work with one or both.
- SPF or DKIM needs to be present for the email AND needs to pass.
- The From domain (Display From) will need to match on the organizational domain for either the Mail From (SPF) or the DKIM Signature (DKIM).
- For example, if you send from email@example.com, the domain for SPF or DKIM will need to be a subdomain (market.tomatogardens.com) or match exactly (tomatogardens.com).
For DMARC to pass, the email message must . . .
- Pass SPF authentication on the Mail From and have alignment with the Display From domain and Mail From domain. OR
- Pass DKIM authentication and have alignment with the DKIM domain and the Mail From domain.
How does ClickDimensions configure email to work with DMARC?
ClickDimensions will configure an account to work with DMARC by configuring the DKIM signature to align with the DMARC policy. For more information about this process, please see our DKIM Signatures article.
Below is an example of how the domains would look configured for DMARC using DKIM, where DMARC is set to the default mode of relaxed. The organizational domain has been bolded to show how it is aligned.
From Email (Display From)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; s=gears; d=market.tomatogardens.com; h=Date:From:To:Message-ID:Subject:MIME-Version:Content-Type:List-Unsubscribe; bh=FE2Ra3JJOD3+/d5W/4au03QqBPQXjXV1Gt22xYxFoz8=; b=d/hLwvA
_dmarc.tomatogardens.com TXT “v=DMARC1; p=quarantine; pct=100;”
There are exceptions to this if DMARC is set up as strict for DKIM or both SPF and DKIM. Please work with the Email Deliverability team to ensure your account is set up correctly.
What happens if the email is not configured to work with DMARC?
If the sender has DMARC set up but doesn’t have the account configured correctly to work with DMARC, the symptoms vary by how the DMARC policy is set.
- If the policy (p=) is set to quarantine, we will see a large volume of email delivered to the spam or junk folder and opens/clicks will decrease dramatically.
- If the policy (p=) is set to reject, we usually see about a 40 – 50% bounce rate. The bounces returned will reference a DMARC policy or DMARC failure.
- If the policy (p=) is set to none, technically there should be no impact but in practice we have seen some volume of email being flagged as spam or other undesired behavior.