
If you’re reading a blog about DMARC, you likely have a good understanding of the importance of both SPF and DKIM. If not, read those blogs first and come back here.
We often see senders implement DMARC without fully understanding what it does, which in turn results in delivery issues. Those issues can be resolved, but it’s much better to be proactive than reactive with email.
This blog describes what DMARC is, what you need to know before you implement it, and how to maintain your record both short- and long-term.
What is DMARC?
Domain-based message authentication, reporting, and conformance (DMARC) is a check on your email authentication (DKIM and SPF) to ensure that legitimate email goes to the inbox and spoofed email doesn’t.
DMARC ensures that legitimate email is properly authenticated against established DKIM and SPF standards, while illegitimate email that appears to come from domains under the sender’s control (active sending or non-sending domains) is blocked.
How does it work?
DMARC checks alignment: it matches the header-from domain name with the envelope-from domain name during SPF checks, and it matches the header-from domain name with the domain name in the DKIM signature.
To pass DMARC, an email must pass either SPF authentication and alignment or DKIM authentication and alignment. If it meets neither, the message fails DMARC. Because you control the DNS records for your sending domain and subdomains, you, not a spoofer looking to steal your brand identity and send emails impersonating you, decide how these protocols are put in place.
Again, it starts with SPF and DKIM, so having that authentication in place before implementing any DMARC record is important.
Then what happens?
The next step depends on the policy in your DMARC record, which tells mailbox providers how to handle any email that fails. DMARC uses the following policies or stages:
- Monitor: The early stage where mailbox providers can ensure that the right mail is getting through and being authenticated properly without anything happening to unauthenticated mail. In nearly all cases, a new sender to DMARC begins here.
- Quarantine: Following monitoring, the messages that fail DMARC move to the spam folder.
- Reject: The final stage, and the one that established DMARC users maintain. Messages that fail DMARC aren’t delivered at all.
You can apply the policy to a percentage of your email and then adjust that percentage over time.
Throughout the process, mailbox providers report back, helping senders understand what’s failing, what’s not, and the reasons behind it, giving them the intel they need to make the proper corrections and to help with the decision on when to move to the next stage.
Does Oracle Cloud Infrastructure (OCI) provide that reporting and insight?
You can choose to receive all the information yourself to review, or use one of several third-party specialty providers, such as Dmarcian and ValiMail, to interpret the data sent back. However, OCI doesn’t offer this level of reporting and interpretation beyond guidance at the onset of establishing DMARC.
What does the record look like and how can we implement it?
In your DNS, create a TXT record named “_dmarc.yourdomain.com”, replacing “yourdomain.com” with your domain or subdomain. We recommend using Dmarcian’s free DMARC record creation tool to create the record because it includes the address of where to send the reports.
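The following Python is an added example, not code from this blog or from OCI. It evaluates one message against a DMARC record the way the sections above describe: alignment, passing on SPF or DKIM, then the policy and percentage, where the record values none, quarantine and reject correspond to the monitor, quarantine and reject stages. The record, domains and authentication results are constructed, and the two-label organizational-domain rule is a simplifying assumption.

```python
# Added example: DMARC evaluation for one message. Domains and results are constructed.
DOWNGRADE = {"reject": "quarantine", "quarantine": "none", "none": "none"}

def parse_dmarc(txt):
    """Split a DMARC TXT value into tags; None when v/p are missing or invalid (simplified)."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in DOWNGRADE:
        return None
    return tags

def org_domain(domain):
    # Assumption: organizational domain = last two labels. Receivers use the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(header_from, auth_domain, mode):
    if mode == "s":  # strict alignment: exact domain match
        return header_from.lower() == auth_domain.lower()
    return org_domain(header_from) == org_domain(auth_domain)  # relaxed (default)

def evaluate(record, header_from, spf, dkim, roll=0):
    """spf: (result, envelope-from domain); dkim: [(result, d= domain)]; roll: 0-99 sample draw."""
    tags = parse_dmarc(record)
    if tags is None:
        return "no-policy"
    spf_ok = spf[0] == "pass" and aligned(header_from, spf[1], tags.get("aspf", "r"))
    dkim_ok = any(res == "pass" and aligned(header_from, dom, tags.get("adkim", "r"))
                  for res, dom in dkim)
    if spf_ok or dkim_ok:
        return "pass"
    policy = tags["p"]
    # pct: only that share of failing mail gets the full policy; the rest gets the next-lower one.
    if roll >= int(tags.get("pct", "100")):
        policy = DOWNGRADE[policy]
    return policy

RECORD = "v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc-reports@example.com"

if __name__ == "__main__":
    # Legitimate mail: SPF passes for bounce.example.com, which aligns with news.example.com.
    print(evaluate(RECORD, "news.example.com", ("pass", "bounce.example.com"), []))
    # Spoofed header-from: SPF and DKIM pass, but for an unrelated domain, so neither aligns.
    print(evaluate(RECORD, "example.com", ("pass", "mail.example.net"),
                   [("pass", "example.net")], roll=10))
```

The second call shows why alignment matters: both SPF and DKIM report a pass, yet the message still fails DMARC because neither authenticated domain matches the header-from domain.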
Do I really need to do this?
Eventually, yes. Mailbox providers are putting more pressure on senders to set up DMARC to help keep out more of the bad email and ensure delivery of more good email. Gmail has slowly started to put a question mark next to those senders that aren’t fully authenticated—a big detriment to those receiving email, who then question the legitimacy. We expect that to only grow in the years ahead.
Is this process expensive?
Not at all. After some technical setup that OCI can assist with (including a custom return path), the cost is for any DMARC-specific monitoring and reporting evaluation. Going back to the question of how much spoofing would cost your brand, DMARC reporting could be a bargain.
If you’re sending through Oracle Cloud Infrastructure Email Delivery service and have further DMARC questions, reach out to support. If you’re not yet sending through Email Delivery, begin your journey today with a free trial.
