DMARC - What It Is, Why It Matters, and How to Set It Up

A properly configured DMARC record can increase your open rate by 10% or more.

DMARC adds a layer of security to your emails that builds trust with email service providers.

The result is that fewer of your emails will land in the spam folder.

Below, we’ll discuss what DMARC is, why it’s important, and how it works. ⬇️

What is DMARC?

DMARC is an email authentication protocol that stands for Domain-based Message Authentication, Reporting & Conformance.

It's an initiative by some of the biggest senders and receivers of email, like Gmail and Yahoo.

They created DMARC as a response to the increasing amount of fraudulent emails in the early 2010s. (Email is involved in 90% of cybercrimes.)

The goal of the DMARC initiative was to combat phishing attacks and other cybercrimes through the implementation of a DMARC record.

A DMARC record is a DNS record you add to your domain’s DNS settings.

Through this record, receiving servers can verify if an email is coming from the domain it’s claiming to come from. It does so through two other DNS records called SPF and DKIM.

Why is DMARC Important? ⚠️

DMARC matters because it makes your emails more secure.

It prevents criminals from using your (sending) domain to launch cyber attacks.

In short: DMARC makes the internet a safer place for everybody.

What’s more, apart from the security aspect of DMARC, Gmail and Yahoo’s new email sender rules now require you to have a DMARC record set up.

Without DMARC, forget about landing in your audience’s inbox, especially if they use Gmail or Yahoo as their email provider.

And it doesn’t just concern Gmail addresses, either.

Companies can use custom email addresses through their Gmail account, and without DMARC, you will not reach many of them!

In a nutshell, if you’re doing email outreach in 2024, you need DMARC!

How Does DMARC Work? 👷

a flowchart of the DMARC authentication process

DMARC allows the receiving email server to verify if the email comes from the claimed sending domain.

The server attempts to authenticate the email through the domain’s SPF and DKIM records.

If one of these authentication methods fails, it means we’re dealing with an unauthorized email.

This is where DMARC comes into play. Its policy settings determine what to do with the unauthorized email.

To make it easier to understand, first let’s take a look at a basic DMARC record:

v=DMARC1; p=none; rua=mailto:email@yourdomain.com

While it may look like an incomprehensible line of code, it’ll become crystal clear once you know what the tags mean:

  • ➡️ The “v” stands for version. Since there’s only one valid version currently, this will always be “DMARC1” for now.
  • ➡️ The “p” stands for policy. This is the setting that lets you decide what to do with unauthorized emails. The most common settings are:
    • 👉 “None,” as in the DMARC record above. In this case, unauthorized emails will get a pass to the recipient’s inbox. Though this setting might seem useless, it’s actually the recommended setting for the first few weeks after implementing DMARC. It allows you to receive DMARC reports to monitor what happens to unauthorized emails and ensure that legitimate emails don't get flagged as unauthorized.
    • 👉 “Quarantine” sends unauthorized emails to the recipient’s spam folder.
    • 👉 “Reject” is the strictest setting. With your p tag set to “reject,” none of the unauthorized emails will get delivered.
  • ➡️ The “rua” tag is where you want your DMARC reports sent. As mentioned above, these reports allow you to keep an eye on any email authentication inaccuracies.

The DMARC record above is a basic but fully functional example. A DMARC record can also include other non-essential tags (see table below).

| DMARC Tag | What it does |
|-----------|--------------|
| ruf | Sends more elaborate reports |
| pct | Determines what percentage of incoming emails need to undergo the authentication process |
| fo | Adjusts how reports are created and presented to users |
| aspf | Determines the level of strictness for SPF authentication |
| adkim | Similar to “aspf” but for DKIM |
| sp | DMARC enforcement for subdomains |

How to Set Up a DMARC Record 📝

Since DMARC depends on SPF and DKIM, you must set these DNS records up before DMARC.

Here’s how to set up an SPF record, and go here to configure your DKIM record.

Once your SPF and DKIM records are set up, move on to the next step:

Checking for existing DMARC records

Since having multiple DMARC records can complicate the authentication process, it’s important to check if you already have one set up.

A simple way to find out is through a DNS check.

You can use lemwarm’s free email deliverability checker for this.

It’ll give you an overview of your technical setup, including your DNS records.

Preparing your DMARC record

A basic DMARC record will probably do the job for now.

All you need to change is the “rua” tag so that it corresponds to your email address.

v=DMARC1; p=none; rua=mailto:youremail@yourdomain.com

You can change the policy setting to something stricter once reports start coming in.
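
The tag meanings and the duplicate-record check described above can be automated. The following is an added example, not part of the original article: a small linter for the TXT strings found at _dmarc.yourdomain.com. The function names and the sample records are hypothetical, and the DNS lookup itself is left out so the code runs offline.

```python
# Added example: lint the TXT strings published at _dmarc.<domain>.
VALID_POLICIES = {"none", "quarantine", "reject"}

# Constructed sample input (not taken from a real domain).
SAMPLE_TXT = ["v=DMARC1; p=none; rua=mailto:email@yourdomain.com"]

def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a list of (tag, value) pairs."""
    pairs = []
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate a trailing semicolon
        tag, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        pairs.append((tag.strip().lower(), value.strip()))
    return pairs

def lint_dmarc(txt_records):
    """Return a list of findings; an empty list means nothing to report."""
    dmarc = [r.strip() for r in txt_records if r.strip().startswith("v=DMARC1")]
    if not dmarc:
        return ["no DMARC record found"]
    if len(dmarc) > 1:
        return [f"{len(dmarc)} DMARC records found; publish exactly one"]
    try:
        tags = dict(parse_dmarc(dmarc[0]))
    except ValueError as exc:
        return [str(exc)]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        findings.append(f"p must be none, quarantine or reject, got {policy!r}")
    elif policy == "none":
        findings.append("p=none only monitors; move to quarantine or reject "
                        "once reports look clean")
    rua = tags.get("rua", "")
    if not rua:
        findings.append("no rua tag; aggregate reports will not be sent")
    elif not all(u.strip().lower().startswith("mailto:") for u in rua.split(",")):
        findings.append("rua addresses must be written as mailto: URIs")
    return findings
```

Feed it the TXT values returned by your DNS check for the _dmarc host; each finding is a plain sentence you can act on.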

Setting up your DMARC record on any domain provider

Now we’re going to add the DMARC record to your domain’s DNS settings.

You can find those settings in your domain provider’s account.

However, if your domain's name servers point elsewhere (for example, to your hosting provider), that is where you'll find the DNS settings for your domain.

The exact steps may vary for different providers, but the process below should be a good enough guide to be able to add your DMARC record.

➡️ Step 1: Go to your domain’s DNS records

  1. Log in to your domain or hosting provider account
  2. Go to your domain’s DNS settings or records

➡️ Step 2: Add your DMARC Record

Once inside your domain’s DNS settings, you should see a list of DNS records.

Click on “add” or “add new record.” You should see a form like the one below:

a form to add a DNS record
  1. For type, choose TXT. Some providers will also have a DMARC option here, but usually you need to set up a TXT record.
  2. In the Host field, enter “_dmarc”. If your hosting/domain provider doesn’t automatically append your domain name here, then the value here should be _dmarc.yourdomain.com.
  3. In the Value or Target field, paste your DMARC record. For starters, you can use the one we shared above. Just make sure to update the email address!
  4. Leave the TTL setting at its default
  5. Hit save!

➡️ Step 3: Validate your DMARC record

To verify your DMARC record, you need to run a DNS check again.

Go to lemwarm’s free email deliverability tester and check your results.

💡Important: it can take up to 48 hours for your DMARC to propagate. Usually it’ll be active much sooner than that, but please give it some time before running a DNS check.

Setting up your DMARC record is not difficult, but you may want to make things even simpler. Use this DMARC generator to help you out.

A Note on DMARC Reports 🗒️

Remember the “rua” tag in your DMARC record?

Well, as mentioned briefly earlier, there’s another reporting tag called “ruf.”

The “ruf” tag sends more detailed and elaborate reports than “rua.”

Both tags hold the email address your DMARC reports will be sent to.

The reports will give you insights into the authentication process.

Among other things, the reports will tell you if emails passed or failed authentication and which servers sent them.

Additionally, they allow you to find out what happened to the emails based on their authentication status.

Unfortunately, reports are sent in XML, which can be quite tough to analyze, so a tool that makes those reports more readable, such as EasyDMARC's DMARC report analyzer, can be very useful.

But what information exactly will you see in your DMARC reports?

  • All domains sending emails using your domain in their “From” field
  • IP addresses of the domains using your domain
  • The number of daily emails
  • SPF and DKIM authentication results
  • DMARC results
  • Emails that were quarantined
  • Emails that were rejected
  • Forensic/failure reports

Aggregate Reports (rua)

Reports sent to the address in the rua tag are essentially broad descriptive reports.

These reports are sent in an XML format. Here’s an example rua report:

Example of a DMARC rua report
Source: DMARCLY

Here’s the key information included in a rua report:

| Field | What it contains |
|-------|------------------|
| Reporting Period | Timeframe the report covers |
| Sender IP Addresses | IP addresses that sent emails on behalf of your domain |
| SPF Results | Including number of messages that passed SPF, number of messages that failed SPF, and domains involved in SPF authentication |
| DKIM Results | Including number of messages that passed DKIM, number of messages that failed DKIM, and DKIM signatures used |
| DMARC Results | Including number of messages that aligned with your DMARC policy, number of messages that did not align, and the disposition applied |
| Authentication Results | Summary of authentication methods used |
| Message Count | Total number of messages received from each source |
| Failure Details | Information on failed authentication methods |
| Message Headers | Headers of failed authentication messages |
| Aggregate Statistics | Summary statistics including percentage of authenticated and failed messages, among other metrics |
| Reporting Identifier | An identifier to match reports to specific DMARC configurations |

Failure Reports (ruf)

The “ruf” tag offers more elaborate reporting.

Here’s what’s included in DMARC ruf reports:

| Field | What it contains |
|-------|------------------|
| Message Headers | Full header of the failed email |
| Message Body | Content of failed email |
| Authentication Results | Authentication check details and why they failed |
| Envelope Sender | Email address used as the return path for the failed message |
| DKIM Signature Information | In case of DKIM authentication failure, the report includes details of the DKIM signature used, such as selector and domain |
| SPF Information | In case of SPF authentication failure, the report includes information about the SPF record for the sending domain and the IP address that sent the message |
| Authentication-Results Header | Summary of authentication results, including failure checks and why they failed |
| DMARC Policy | Policy type (quarantine or reject) |
| Timestamps | When the message was received and when the failure report was generated |
| Message Size | Size of the failed message |
| Reporting Source | Information about the source that generated and sent the DMARC failure report |
| Additional Metadata | Additional information that can be helpful in the failure analysis and authentication failure |

Key Takeaways 🔑

For email outreach, you must ensure that your technical setup is on point, as low open rates will cost you money.

DMARC is a critical component of your technical setup.

Without it, not only are your emails less secure, but they're also more likely to be sent to spam or not delivered at all.

While setting up a DMARC record can seem complicated at first, once you know how it works, it becomes a breeze.

Use the information in this post to set up DMARC for your domain today!
