Email Deliverability

DMARC Implementation: Email Security and Monitoring

DMARC (Domain-based Message Authentication, Reporting, and Conformance) ties together SPF and DKIM to provide complete email authentication and reporting. Learn how to implement DMARC to protect your domain and monitor email delivery.

DMARC Setup Guide

TL;DR

  • DMARC builds on SPF and DKIM to prevent email spoofing
  • Setup requires a TXT record and email addresses for reports
  • Start with a "none" policy to monitor without blocking
  • DMARC reports show authentication failures and potential threats
  • Gmail and Yahoo require DMARC for bulk senders

What is DMARC?

DMARC (Domain-based Message Authentication, Reporting, and Conformance) is the final piece of email authentication. It tells receiving servers what to do when a message fails authentication, meaning neither SPF nor DKIM passes for your From: domain, and provides you with reports about email authentication activity.

Think of it this way:

  • SPF says "these servers can send email for my domain"
  • DKIM proves "this email hasn't been tampered with"
  • DMARC says "if neither SPF nor DKIM passes for my domain, reject/quarantine the email and tell me about it"

Why DMARC is Essential

DMARC is no longer optional for serious email senders:

  • Gmail and Yahoo require it for bulk senders (5,000+ emails/day)
  • Protection from phishing using your domain
  • Visibility into who's sending email claiming to be from your domain
  • Better deliverability with major email providers
  • Brand protection from email spoofing attacks

Prerequisites: SPF and DKIM

Before implementing DMARC, you must have both SPF and DKIM set up and working for your domain.

Warning: Don't implement a strict DMARC policy without first having SPF and DKIM working correctly, or legitimate emails may be rejected.

How to Setup DMARC

Step 1: Create Your DMARC Record

A basic DMARC record looks like this:

v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com

Breaking it down:

  • v=DMARC1 - Version (always required)
  • p=none - Policy (what to do with failed emails)
  • rua=mailto:dmarc@yourdomain.com - Where to send aggregate reports

Step 2: Add the DMARC Record to DNS

  1. Log in to your DNS provider
  2. Navigate to DNS management
  3. Add a new TXT record
  4. Set the name to _dmarc (not @, not blank)
  5. Paste your DMARC record in the value field
  6. Save the changes

Note: The record name must be exactly _dmarc. If your DNS provider asks for a full domain, use _dmarc.yourdomain.com.

Step 3: Monitor Reports

After 24-48 hours, you should start receiving DMARC aggregate reports. These XML files tell you:

  • Which IPs are sending email from your domain
  • How many emails passed/failed SPF and DKIM
  • What receiving servers did with failed emails

DMARC Policy Levels

DMARC has three policy levels:

1. None (Monitoring Mode)

p=none

Recommended for beginners. Emails are not rejected, but you receive reports. Use this to identify any legitimate sources that fail authentication before enforcing a stricter policy.

2. Quarantine (Soft Fail)

p=quarantine

Failed emails go to spam/junk folder. Good middle ground when you're confident in your authentication setup.

3. Reject (Hard Fail)

p=reject

Failed emails are rejected entirely. Only use this when you're 100% sure all legitimate email passes SPF/DKIM.

Advanced DMARC Options

A more complete DMARC record might look like:

v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc@yourdomain.com; ruf=mailto:dmarc-forensic@yourdomain.com; sp=quarantine; adkim=r; aspf=r

Additional tags explained:

  • pct=100 - Apply policy to 100% of failed emails (default)
  • ruf=mailto:... - Forensic reports (detailed failure info)
  • sp=quarantine - Subdomain policy
  • adkim=r - DKIM alignment mode (r=relaxed, s=strict)
  • aspf=r - SPF alignment mode (r=relaxed, s=strict)

DMARC Alignment

For DMARC to pass, either SPF or DKIM must:

  1. Pass authentication
  2. Be aligned with the From: domain

Relaxed alignment (default): Subdomains count (e.g., news.example.com aligns with example.com)

Strict alignment: Exact domain match required

DMARC for Bulk Email

When using ListMailer or other bulk email tools:

  • Start with p=none to monitor
  • Ensure your SMTP provider supports DKIM (most do)
  • Check DMARC reports to verify alignment
  • Gradually move to p=quarantine then p=reject
  • Use ListMailer's deliverability test to verify DMARC passes

Reading DMARC Reports

DMARC reports are XML files sent daily to your reporting email address. They contain:

  • Source IP addresses sending email from your domain
  • Volume of emails sent from each source
  • SPF and DKIM results for each source
  • Disposition (what receiving servers did with the email)

Use DMARC report analyzers like:

  • Postmark DMARC Digests (free)
  • dmarcian (paid)
  • MXToolbox DMARC (paid)

Common DMARC Issues

Alignment Failures

Your From: domain doesn't match the SPF/DKIM domain. Solution: Ensure you're sending from the correct domain or update alignment mode.

No Reports Received

Check that the DNS record is correct, that the reporting email address is valid, and that you're actually sending/receiving email. Reports take 24-48 hours to start arriving.

Legitimate Email Failing

A service sending on your behalf isn't in your SPF record or isn't signing with DKIM. Add them to SPF or configure DKIM for that service.
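
The report fields listed under "Reading DMARC Reports" are enough to tell the failure cases above apart. This added Python example (not from the original guide or from any analyzer it lists) sorts each source in one aggregate report into pass, unaligned, or unauthenticated; the function name triage and the sample report are constructed, and the input is assumed to be already-decompressed XML.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample report: documentation IP ranges, made-up counts.
SAMPLE_REPORT = """<feedback>
<policy_published><domain>yourdomain.com</domain><p>none</p></policy_published>
<record><row><source_ip>192.0.2.10</source_ip><count>120</count>
  <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
  <auth_results><dkim><domain>yourdomain.com</domain><result>pass</result></dkim>
    <spf><domain>yourdomain.com</domain><result>pass</result></spf></auth_results></record>
<record><row><source_ip>198.51.100.7</source_ip><count>40</count>
  <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <auth_results><spf><domain>bounce.esp.example</domain><result>pass</result></spf></auth_results></record>
<record><row><source_ip>203.0.113.99</source_ip><count>15</count>
  <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <auth_results><spf><domain>yourdomain.com</domain><result>fail</result></spf></auth_results></record>
</feedback>"""

def triage(report_xml):
    """Return Counter {(source_ip, verdict): message count} for one aggregate report."""
    # Reports are sent by outside parties: refuse DTD/entity declarations before parsing.
    if "<!DOCTYPE" in report_xml or "<!ENTITY" in report_xml:
        raise ValueError("DTD/entity declarations are not allowed in reports")
    totals = Counter()
    for record in ET.fromstring(report_xml).iter("record"):
        row = record.find("row")
        evaluated = row.find("policy_evaluated")
        # policy_evaluated carries the alignment-aware results DMARC acted on.
        aligned = {evaluated.findtext(m, "fail").strip() for m in ("dkim", "spf")}
        # auth_results carries the raw SPF/DKIM results, whichever domain they were for.
        raw = {r.text.strip() for r in record.iterfind("auth_results/*/result") if r.text}
        if "pass" in aligned:
            verdict = "pass"
        elif "pass" in raw:
            verdict = "unaligned"        # authenticated, but not as the From: domain
        else:
            verdict = "unauthenticated"  # nothing passed: unknown or spoofing source
        totals[(row.findtext("source_ip").strip(), verdict)] += int(row.findtext("count"))
    return totals

if __name__ == "__main__":
    for (ip, verdict), count in sorted(triage(SAMPLE_REPORT).items()):
        print(f"{ip:15} {verdict:16} {count}")
```

An "unaligned" source is usually a legitimate service that still needs DKIM or SPF configured for your domain, while an "unauthenticated" source is one to investigate before moving past p=none.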

Step-by-Step DMARC Rollout

  1. Week 1-2: Implement p=none and collect reports
  2. Week 3-4: Analyze reports and fix any authentication failures
  3. Week 5-6: Move to p=quarantine and monitor
  4. Week 7+: If no issues, consider moving to p=reject

Testing Your DMARC Setup

  • Use MXToolbox DMARC Lookup to verify your record
  • Send test emails and check the Authentication-Results header for dmarc=pass
  • Use ListMailer's deliverability test for automated checking
  • Monitor DMARC reports for unexpected failures

Example DMARC Records

Basic monitoring:

v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com

Quarantine with percentage rollout:

v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@yourdomain.com

Full protection:

v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com; ruf=mailto:dmarc-forensic@yourdomain.com

Summary

DMARC is the final piece of email authentication that ties together SPF and DKIM. Start with monitoring, fix any issues, then gradually enforce stricter policies. The result: better deliverability, protection from spoofing, and visibility into your email ecosystem.

Want to verify your email setup? ListMailer's deliverability testing tool automatically checks SPF, DKIM, and DMARC and gives you a detailed report with actionable recommendations.