Need Help? Start Here

DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an email authentication protocol that works by aligning the results of SPF and DKIM with the domain in the email’s “From” header.
This alignment ensures that only authorized senders can send emails on behalf of your domain. DMARC also provides reporting mechanisms, enabling domain owners to monitor email traffic and detect unauthorized use.
By implementing DMARC, you mitigate email spoofing, phishing attacks, and enhance email deliverability.

A DMARC record is a TXT record published in your domain’s DNS. Its key components include:

1. Policy (p=): Specifies the action (None, Quarantine, or Reject) for unauthenticated emails.
2. Aggregate Reports (rua=): Email address(es) to receive daily reports about authentication results.
3. Forensic Reports (ruf=): Email address(es) to receive detailed reports for failed emails (optional).
4. Alignment Mode (adkim= and aspf=): Defines whether alignment is strict or relaxed for DKIM and SPF.
5. Subdomain Policy (sp=): Policy for subdomains (defaults to the main domain policy if not set).
6. Reporting Interval (ri=): Time interval (in seconds) for aggregate report delivery (default is 86,400 seconds or 1 day).

Example:
v=DMARC1; p=reject; rua=mailto:[email protected]; adkim=s; aspf=r;

DMARC policies define how unauthenticated emails should be handled.

1. None (p=none): Monitors email traffic without affecting delivery. Use this policy when starting with DMARC to gather reports and identify issues.
2. Quarantine (p=quarantine): Marks unauthenticated emails as suspicious (e.g., moves them to spam). Use this policy after reviewing reports and addressing major issues.
3. Reject (p=reject): Blocks unauthenticated emails entirely. Use this policy only when confident your legitimate emails are properly authenticated.

• Aggregate Reports: These daily reports provide a summary of how your emails are being authenticated across various receiving mail servers. They include data on SPF, DKIM, and DMARC pass/fail rates, helping you understand email traffic and potential issues. Aggregate reports are sent to the email addresses specified in the rua= tag of your DMARC record.
• Forensic Reports: These detailed reports are triggered when an email fails DMARC checks. They contain information about the failed message (such as the email headers and IP address of the sending server) and are sent to the email addresses specified in the ruf= tag of your DMARC record. These reports help with deeper analysis and troubleshooting of specific authentication failures.

1. There are several reasons DMARC might fail for your emails:
   a. SPF and DKIM Failures: If your SPF or DKIM records are misconfigured or not aligned with the “From” address, DMARC will fail.
   b. Third-Party Senders: If you use external services (like email marketing platforms), they may not be properly authenticated with your domain’s SPF or DKIM, leading to DMARC failures.
   c. Misalignment: Ensure that the domains used in SPF/DKIM align with the domain in the “From” header. If they don’t, DMARC will fail.
Check your reports to pinpoint the exact cause of failure.

• Implementing DMARC can take anywhere from a few minutes to several weeks, depending on your setup:

1. Start with Monitoring (p=none): The process begins by publishing a DMARC record with a p=none policy. This allows you to monitor email activity without affecting delivery and typically takes only a few minutes.
2. Monitor and Configure Sending Sources: Use the DMARC reports to identify misconfigured systems or unauthorized senders. Align SPF and DKIM for all legitimate email-sending sources. This phase can take a few days to a few weeks, depending on the complexity of your email infrastructure.
3. Move to Quarantine (p=quarantine): After ensuring most sources are configured correctly, update your DMARC policy to quarantine suspicious emails. This step requires continued monitoring and adjustments as needed.
4. Enforce Reject (p=reject): Once all legitimate sources are aligned and no issues remain, transition to a reject policy to fully block unauthorized emails. This final phase ensures maximum protection and may take additional time to validate.

• Overall, the entire process typically takes 1 to 2.5 months, depending on the complexity of your setup and the number of email sources to configure.

• Yes, DMARC applies to subdomains by default, meaning they inherit the policy of the parent domain unless specified otherwise.

• Inheriting the Policy: If no separate DMARC record is set for a subdomain, it will follow the main domain’s policy. For example, if your parent domain has p=reject, the subdomain will also reject emails that fail DMARC checks.
• Using the sp Tag: To set a different policy for subdomains, use the sp (subdomain policy) tag in your main domain’s DMARC record. Example:
  v=DMARC1; p=reject; sp=quarantine; rua=mailto:[email protected] This would apply the “Reject” policy to the parent domain but place emails from subdomains into quarantine.
• Separate DMARC Record: If a subdomain follows completely different email flows (e.g., a third-party service), it should have its own DMARC record to ensure proper protection