What is DMARC and What Do the Recent Changes Mean for Email Marketers?
DMARC (Domain-based Message Authentication, Reporting and Conformance) is a policy that protects users from spam and phishing emails. In more precise terms, it is message authentication, reporting, and conformance checking tied to the sender's domain name.
History:
DMARC was launched in 2010 as an anti-phishing tool. It was supported by the email providers Hotmail, Yahoo! Mail, AOL, Comcast, Gmail and Netease, and by the newsletter senders American Greetings, Bank of America, Facebook, Fidelity, JPMorgan Chase & Co., LinkedIn and PayPal.
How DMARC Works
Imagine you are sending out a bulk email. The receiving email provider needs to know that you have authorised the sending of mail on your behalf: that messages from your domain are sent by you, and not by some scammer. DMARC regulates this process. It tells the receiving server what to do with a message if its DKIM and SPF checks fail. Passing DKIM and SPF checks confirm that the message really was sent by the domain given in its "From:" field, even if it was technically sent from other servers rather than from your own mail server. DMARC is thus responsible for mail authentication, that is, for the procedure of authenticating the sender.
Let's see how exactly DMARC does this.
DMARC is a protocol that records what to do with a message after its DKIM and SPF records have been checked. DKIM and SPF are records in the mail domain's DNS settings. They are what the receiving email provider checks when deciding what to do with the mail it receives.
DKIM works like this: the message carries cryptographically signed data about who sent it and when. The receiving mail provider (for example Gmail) gets this data along with the message and checks it using the public key published in the DNS of the domain the message was sent from. If the data match, the sender is legitimate and the message can go to the Inbox. If not, the sender is treated as a fraudster and the message goes to Spam.
What DMARC does:
- tells the mail provider what to do with the message, depending on the results of the DKIM and SPF checks;
- tells the server to send a report to the domain administrator's mailbox (that is, to you or your system administrator) with information about which messages were sent and how the provider handled them.
To understand this better, let's see how these protocols work when a regular mailing is sent.
How sending and receiving a message works today:
1. The message is sent;
2. The sending server adds a DKIM signature to each message;
3. The message is received by the recipient's provider;
4. The provider checks the reputation of the domain, whether the email address and domain are on blacklists, and the IP addresses of the servers from which the message was sent. As part of this check:
- The provider verifies the DKIM signature. Was the message really sent from this domain, or is it a fake?
- The provider checks the SPF record. Is this IP address allowed to send mail for this domain?
- The provider applies the policy specified in DMARC. The DMARC record says, for example, to send messages whose DKIM does not match to Spam and to send a report about this to the domain administrator.
5. Standard spam filters are applied to the message.
6. After that there are three possible outcomes:
- The message passes and goes to the recipient's Inbox, if DKIM and SPF are OK and the spam filters are passed.
- The message is quarantined (placed in Spam), if DKIM does not match and/or the spam filters are not passed.
- The message is rejected (not delivered), for individual reasons: for example, the recipient's mailbox is full.
7. After the messages have been distributed, an automatic report is generated and sent to the sender, stating what happened to the messages sent.
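The report in step 7 arrives as an aggregate XML file. The following is an added example, not code from the article: it parses a constructed aggregate report (made-up IP addresses and domains) and lists the sending sources whose mail failed both DKIM and SPF, which is exactly what a domain owner reads the report for.

```python
# Added example (not from the article): parse a DMARC aggregate (rua) report
# and list which sending sources failed authentication.
import xml.etree.ElementTree as ET

# Constructed sample report in the standard aggregate-report XML layout
# (IP addresses and domains are made-up documentation values).
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>mail.example</org_name>
    <report_id>constructed-1</report_id></report_metadata>
  <policy_published><domain>example.com</domain><p>quarantine</p><pct>100</pct></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>35</count>
      <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
</feedback>"""

def parse_aggregate_report(xml_text):
    """Return the published policy and one dict per <record> row."""
    root = ET.fromstring(xml_text)
    policy = {child.tag: child.text for child in root.find("policy_published")}
    rows = []
    for rec in root.findall("record"):
        row = rec.find("row")
        ev = row.find("policy_evaluated")
        rows.append({
            "source_ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "disposition": ev.findtext("disposition"),
            "dkim": ev.findtext("dkim"),
            "spf": ev.findtext("spf"),
            "header_from": rec.findtext("identifiers/header_from"),
        })
    return policy, rows

def failing_sources(rows):
    """Sources where neither DKIM nor SPF passed: either someone spoofing the
    domain or a legitimate sender (e.g. a CRM) missing from SPF/DKIM setup."""
    return [(r["source_ip"], r["count"]) for r in rows
            if r["dkim"] != "pass" and r["spf"] != "pass"]

if __name__ == "__main__":
    policy, rows = parse_aggregate_report(SAMPLE_REPORT)
    print("published policy:", policy["p"])
    for ip, n in failing_sources(rows):
        print(f"{ip}: {n} messages failed both DKIM and SPF")
```

A source that shows up here with a large count and a domain you recognise is usually a mailing service you forgot to authorise, not an attacker.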
How to set up DMARC
To set up DMARC, you need to:
- Go to the hosting control panel of your site;
- Find DNS record management in the settings;
- Add a new DMARC TXT record;
- Save your changes.
The most common records are listed in the examples below; you can simply copy the one you need.
You need to find the section of your hosting panel where TXT records are edited. A TXT record is a type of DNS record in text form that tells external services something about the domain. For example, it can confirm ownership of the domain, or, as with DMARC, tell mail providers what to do with emails from this domain.
Examples of DMARC records and what they mean
You can simply copy the record that suits your task. If something does not work out, contact the Customer Care Service; they will certainly help you.
Example 1. What to write in DMARC if you do not send mailings
If you have a small site, do not do bulk mailings and only use corporate mail, a basic DMARC record is enough for you.
Example 2. What to write in DMARC if you do mailings
If you do mailings, you need to set up DMARC so that you receive reports on dispatches, and set the policy to none, since you do not yet know what other mail is sent from your domain. If you set quarantine, you may send good but incorrectly configured emails to Spam.
Example 3. Reject all messages that do not pass the DMARC check
Such a record means that all messages whose DKIM does not match will not be delivered. Use it if you are sure that only you send mail from the domain and everything is configured correctly. You will not receive reports.
Example 4. Reject all messages that do not pass the DMARC check and send all reports
Use such a record when you know for sure that you have been hacked and someone is sending mail on your behalf. But first make sure DKIM is configured.
DKIM/SPF do not work correctly if:
- users have set up forwarding of mail from one of their mailboxes to another; such messages sent on your behalf will not be delivered;
- the service through which you send mail, for example a payment service, does not allow you to register DMARC, DKIM and SPF;
- you forgot to add the mailing service or CRM to the whitelist of senders, or the whitelist does not work correctly; then none of your bulk mailings will be delivered to users;
- there are other kinds of errors or breakage in the DMARC record.
If you set a reject policy, in all of these cases the emails will not be delivered to the recipients.
Optional DMARC Tags
In addition to the required tags, you can specify optional tags. They indicate which reports to send and where, or what percentage of emails the policy applies to. These are the optional tags:
- aspf and adkim set how strictly the SPF and DKIM domains must match the "From:" domain and can take the values r (relaxed, soft check) and s (strict). Choose the soft check first, so as not to block incorrectly configured but necessary mail from your domain, for example automatic invoices sent from 1C;
- pct is the percentage of emails to which the policy is applied. If it is not set, the policy applies to all of them. If pct=20, it applies to 20% of emails;
- sp is the policy for subdomains, and works the same way as the domain policy. When you do bulk mailings, mail is sent from different subdomains of your domain, and you can adjust each of them;
- rua is the email address that will receive an aggregate XML report once a day. This report will help you find out who is sending mail on your behalf and what mail is sent from your domain in general;
- rf - reporting on messages that failed verification;
- fo - failure reporting options, i.e. when a failure report is sent:
- fo=0 (the default): send a report only if every authentication check fails;
- fo=1: if at least one authentication check fails;
- fo=d: if DKIM fails;
- fo=s: if SPF fails.
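To make the tags above concrete, here is an added example (not the article's or any provider's code) that parses a DMARC TXT record and applies it to one message's SPF and DKIM results the way a receiving server does: aspf/adkim decide whether the authenticated domains align with the "From:" domain, sp applies to subdomains, and pct applies the policy to only a share of failing mail. The organisational-domain logic is simplified (last two labels, no public-suffix list) and the records in the usage are constructed, matching the p=none / quarantine / reject scenarios of Examples 1–4.

```python
# Added example (not the article's own code): parse a DMARC TXT record and
# apply it to one message's SPF/DKIM results the way a receiving server would.
import random

def parse_dmarc(txt):
    """Split 'v=DMARC1; p=none; rua=mailto:...' into a dict of tag -> value."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record: v=DMARC1 and p= are required")
    return tags

def org_domain(domain):
    """Simplified organisational domain: last two labels (no public-suffix list)."""
    return ".".join(domain.lower().split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """DMARC alignment: strict (s) needs an exact match, relaxed (r) allows subdomains."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def evaluate(record, header_from, spf_result, spf_domain, dkim_result, dkim_domain,
             sample=None):
    """Return the disposition ('none', 'quarantine' or 'reject') for one message.
    `sample` is a number in [0, 100) used for the pct lottery (random if None)."""
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(header_from, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(header_from, dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "none"  # DMARC pass: one aligned mechanism is enough
    # sp= applies to mail from subdomains, p= to the domain itself
    policy = tags["p"]
    if header_from.lower() != org_domain(header_from) and "sp" in tags:
        policy = tags["sp"]
    # pct= applies the policy to only that share of failing messages; for the
    # rest, RFC 7489 steps the policy down one level (reject -> quarantine -> none)
    pct = int(tags.get("pct", "100"))
    if sample is None:
        sample = random.random() * 100
    if sample >= pct:
        return "quarantine" if policy == "reject" else "none"
    return policy

if __name__ == "__main__":
    # Constructed records for the article's scenarios: monitor only, then enforce
    for rec in ("v=DMARC1; p=none; rua=mailto:dmarc@example.com", "v=DMARC1; p=reject"):
        print(rec, "->", evaluate(rec, "example.com", "fail", "other.net", "fail", "other.net"))
```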