What is DMARC authentication?
DMARC is a form of email authentication that stands for Domain-based Message Authentication, Reporting, and Conformance.
DMARC is used together with SPF and DKIM: it gives domain owners a way to publish a mail-handling policy for messages whose From-address domain is authenticated by neither SPF nor DKIM. It also gives the domain owner visibility, through reports, into messages that carry their domain in the From address but are failing SPF and DKIM.
Why would you want to set up DMARC for your domain?
- It lets you explicitly define whether and how an email message should be accepted when SPF and DKIM authentication of the From address is missing.
- It lets you be alerted when your domain is being used in email you did not authorize. Such messages are likely spam or malicious mail spoofing your domain.
Together these protect your domain's sender reputation: you can identify whether your domain is being used without authorization to send potentially malicious messages to users, and then deter that activity through the DMARC policy you define.
DMARC has three policy options to choose from:
- "None": if an email message fails DMARC, take no action.
- "Quarantine": if an email message fails DMARC, the receiving email system should place the message in the spam folder.
- "Reject": if an email message fails DMARC, do not accept the message at all.
When rolling out these three policy options, start with a policy of None, then move to Quarantine, and finally to Reject, in that order, allowing time between each policy change to find out which messages are failing DMARC. If legitimate messages are failing DMARC, update your SPF/DKIM to account for them. Once you are 100% confident that all legitimate and authorized messages pass DMARC, you can proceed to the Reject policy if you prefer.
What constitutes DMARC passing?
There are two requirements for DMARC to pass:
- SPF and DKIM must be set up for the From domain you use in your email messages.
- The From domain of the email message must match (align with) the domain that SPF or DKIM authenticated: for SPF, the envelope/Return-Path domain; for DKIM, the d= domain in the signature.
This is why setting up custom DKIM with AWeber is crucial. Without it, your messages will not be DMARC compliant, and your domain remains exposed to suspect sending activity.
Implementing DMARC
The DMARC record is published as a DNS TXT record at the _dmarc subdomain of your domain (for example, _dmarc.yourdomain.com). (You may want to consult your hosting provider for help setting up this DNS record.)
Here is an example of a very basic DMARC record (note: you can use other options for your DMARC record and policy if you prefer). Replace the email address below with your own; you will begin receiving DMARC reports at this address.
v=DMARC1; p=none; rua=mailto:yourname@yourdomain.com; pct=100;
The 'rua' tag specifies where aggregate reports should be sent; these reports tell you about messages that fail DMARC. They are XML documents and arrive continuously, so route them to an address where you can actually read them (or feed them to a tool that parses DMARC XML). They let you know whether email messages using your From domain are failing DMARC so you can take the appropriate steps to resolve it.
The 'p' tag above sets the policy to apply when an email message fails DMARC ('none', 'quarantine', or 'reject').
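As an added example (not part of AWeber's own documentation or tooling), the following Python parses a record like the one above and applies the alignment rule from the "What constitutes DMARC passing?" section to a message's SPF and DKIM results. The domains example.com and sender.example.net are placeholders, and the SPF/DKIM outcomes are constructed inputs; the organizational-domain check is simplified (real evaluators use the Public Suffix List).

```python
# Added example: a small DMARC record parser plus the identifier-alignment
# check that decides whether a message passes DMARC. All inputs constructed.

def parse_dmarc_record(txt: str) -> dict:
    """Split 'tag=value; tag=value; ...' into a dict and validate the tags this page uses."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue  # a trailing ';' leaves an empty piece
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("record must begin with v=DMARC1")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("p= must be none, quarantine or reject")
    if not 0 <= int(tags.get("pct", "100")) <= 100:
        raise ValueError("pct= must be between 0 and 100")
    return tags


def organizational_domain(name: str) -> str:
    """Simplified: keep the last two labels (production code uses the Public Suffix List)."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain, mode: str = "r") -> bool:
    """Relaxed ('r') alignment: same organizational domain; strict ('s'): exact match."""
    if not auth_domain:
        return False
    f, a = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    return f == a if mode == "s" else organizational_domain(f) == organizational_domain(a)


def dmarc_evaluate(record: str, from_domain: str, spf_domain=None, spf_pass=False,
                   dkim_domain=None, dkim_pass=False):
    """Return ('pass', 'none') or ('fail', <p policy>) for one message.
    spf_domain is the envelope MAIL FROM domain; dkim_domain is the DKIM d= value.
    DMARC passes when at least one of SPF or DKIM passes AND aligns with the From domain."""
    tags = parse_dmarc_record(record)
    spf_ok = spf_pass and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_pass and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", tags["p"]
```

A message DKIM-signed only under a third-party sender's own domain fails even though DKIM itself passed, which is exactly the case custom DKIM on your From domain fixes.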
Additional resources on DMARC setup can be found in Google's support documentation.