What is DMARC?
DMARC (Domain-based Message Authentication, Reporting and Conformance) tells a receiver what to do when authentication is missing or failing for a specific From: header domain, and to strictly obey your SPF and DKIM records. DMARC should primarily be seen as a security measure for senders vulnerable to spoofing and phishing. Some large corporations, e.g. PayPal, Google, Amazon and IBM, use DMARC as an extra layer of protection, but in general it requires a lot of administration and supervision on your side.
Does My Domain Need DMARC?
If you are able to complete sender authentication for your domain, you will have your SPF and DKIM records in place. Since SPF and DKIM are required for DMARC, any forged emails will likely be rejected or go to spam anyway. So it's not necessary to add DMARC to your domains for sending emails through our services.
For an email to pass DMARC, it needs to either pass and align SPF (Sender Policy Framework) or pass and align DKIM (DomainKeys Identified Mail) - it does not need to pass and align both protocols.
So although you may see some SPF alignment failures in DMARC reports, those messages are still DMARC compliant because they pass and align through the DKIM protocol.
There are different types of DMARC record policies: none, quarantine, and reject. The "none" DMARC record policy (p=none) will take no action on messages that fail the DMARC check. It's mainly used as a placeholder policy for reporting. A reject (p=reject) or quarantine (p=quarantine) policy is a much stricter DMARC policy and we do not recommend it.
Also, not all recipient email servers support DMARC, so some will ignore it, meaning a lower delivery rate. DMARC offers you a way to see who is attempting to impersonate your domain, assuming you have the software on your side to process DMARC reports, and assuming an email trying to impersonate your domain is sent to an email server that can handle DMARC and also reports the forged emails. This can be useful if you send a lot of emails to free email addresses (e.g. Gmail, Yahoo, AOL) AND have issues with people trying to forge your From address.
Please note that DMARC implementation can cause issues with delivery to some corporate email servers. Corporate email tends to go through several layers of mail servers, e.g. one to log the mail (for compliance), spam filters, link checkers, etc. These layers change the email headers, which then won't match the DMARC rules you have in place.
So if you are adding DMARC records to your domains simply to remove any domain warnings, it might not be necessary to add DMARC. However, if you plan to add a DMARC record, we highly recommend setting the policy to "none" (p=none); otherwise receiving servers could potentially reject messages sent through our services.
If you want to add a DMARC record to your domain simply for monitoring purposes, you can use the example DMARC Record value below. Please change the mailto value to the appropriate email address.
v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com
This DMARC record is comprised of three parts:
- v: The DMARC version
- p: The DMARC policy. Instructs the receiving mail server what to do with messages that don’t pass authentication.
- rua: Email address to receive reports about DMARC activity for your domain. The email address must include mailto:. For example: mailto:dmarc-reports@example.com
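The three tags above and the pass rule described earlier (pass and align SPF, or pass and align DKIM) can be checked with a short script. This is an added example, not code from this help article or our services; the function names and the sample domains (bounce.mailer.test, unrelated.test) are made up for illustration, and alignment is simplified as noted in the comments.

```python
def parse_dmarc(txt):
    """Split a DMARC TXT value into tags; raise ValueError if it is malformed."""
    pairs = [part.split("=", 1) for part in txt.split(";") if part.strip()]
    if any(len(p) != 2 for p in pairs):
        raise ValueError("every tag must be name=value")
    tags = [(k.strip().lower(), v.strip()) for k, v in pairs]
    if not tags or tags[0] != ("v", "DMARC1"):
        raise ValueError("record must start with v=DMARC1")
    rec = dict(tags)
    if rec.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("p must be none, quarantine or reject")
    rec["rua"] = [u.strip() for u in rec.get("rua", "").split(",") if u.strip()]
    if any(not u.lower().startswith("mailto:") for u in rec["rua"]):
        raise ValueError("rua addresses must include mailto:")
    return rec


def aligned(from_domain, auth_domain):
    # Assumption: alignment is approximated as "same domain, or one is a
    # subdomain of the other". Real receivers compare organizational domains.
    a, b = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def evaluate(rec, from_domain, spf, dkim):
    """spf and dkim are (passed, domain) results from the receiver's checks.
    Returns (dmarc_passed, policy_requested_on_failure)."""
    ok = any(passed and aligned(from_domain, dom) for passed, dom in (spf, dkim))
    return ok, None if ok else rec["p"]


if __name__ == "__main__":
    rec = parse_dmarc("v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com")
    # Constructed results: SPF passed for a third-party bounce domain (not
    # aligned), DKIM passed with d=example.com (aligned).
    print(evaluate(rec, "example.com", (True, "bounce.mailer.test"), (True, "example.com")))
    # Constructed forged message: SPF passed for an unrelated domain, no DKIM.
    print(evaluate(rec, "example.com", (True, "unrelated.test"), (False, "")))
```

The first call shows the case from the reports: SPF does not align, yet the message passes DMARC through DKIM. The second fails DMARC, and the receiver is asked to apply the record's p value.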
Check your DMARC record using this third-party tool: Check DMARC Record
If you are adding a DMARC record and need further assistance, please contact our support team.
Common DNS/Hosting Provider Documentation