DMARC

DMARC, which stands for “Domain-based Message Authentication, Reporting & Conformance”, is an email authentication protocol built on SPF and DKIM. It is an additional mechanism to prevent spammers from using your domain: it gives receivers a direction on how to handle unauthenticated emails. After you implement DMARC, the number of spoofed emails reaching end-users' inboxes decreases. This reduces spam complaints and protects your domain's reputation, and domains with a higher reputation tend to have better deliverability.

How DMARC works

Both the sender domain and the recipient MX server must participate in DMARC for the validation to occur. Two types of conditions must pass for an email to be DMARC compliant:

  1. Matching domains: SPF match and DKIM match
  2. DMARC Authentications: SPF Protocol and DKIM Protocol

Matching domains

In this validation, the receiver first extracts the domain names from your email header fields - DKIM signature ('d=' tag), 'from' address, and return-path (bounce) address.

SPF Match - If the 'from' address domain matches with the return-path address domain, then SPF matching condition passes.

DKIM Match - If 'from' address domain matches with the dkim-signature domain, then DKIM matching condition passes.

DMARC Authentications

This is the second validation in DMARC. It happens only when the Matching domains condition passes. 

SPF Authentication - If SPF matching condition passes, then DMARC checks for SPF Authentication status. Emails that pass this check are tagged as 'Aligned with SPF'.  

DKIM Authentication - If DKIM matching condition passes, then DMARC checks for DKIM Authentication status. Emails that pass this check are tagged as 'Aligned with DKIM'.

To pass DMARC, an email must be Aligned with SPF, Aligned with DKIM, or both. When both alignments fail for a sender domain, the receiver treats the email as unauthenticated and handles it as per the published DMARC policy.

DMARC Alignment modes

DMARC policy can be set under two alignment modes: Strict and Relaxed. By default, the alignment mode is 'Relaxed'. The alignment mode determines the pass condition for the Matching domains validation. The SPF alignment mode and the DKIM alignment mode are set using the 'aspf' tag and the 'adkim' tag respectively in the DMARC syntax.

DMARC Alignment Mode | Passes | Fails
Strict | When the matching domains are an exact match. | When the matching domains are NOT an exact match.
Relaxed | When the matching domains are either an exact match or share a parent-child relationship, i.e., a domain and a sub-domain. | When the matching domains are different.

DMARC Alignment mode for ZeptoMail

ZeptoMail requires you to verify your domains using SPF and DKIM authentication before sending emails. Hence all your emails will pass Validation 2 (DMARC Authentication) for SPF and DKIM. However, to collect your bounces, the bounce address in ZeptoMail is configured using a CNAME record. That means your return-path (bounce) address domain will be a sub-domain. For example,

'from' address domain = zylker.com
return-path (bounce) address domain = bounce.zylker.com

They are not an exact match. When the DMARC SPF alignment mode is set to strict (aspf=s), all your emails will fail the SPF Matching condition (Validation 1) and will be tagged as 'Not Aligned with SPF'. However, these emails will be Aligned with DKIM, so all emails sent via ZeptoMail will still pass DMARC authentication.

If you wish your emails sent via ZeptoMail to be 'Aligned with SPF' as well, set the SPF alignment mode to relaxed. This can be done by changing the tag 'aspf=s' to 'aspf=r' in your DMARC syntax.

How to configure DMARC

To publish DMARC policy, you need to create a TXT record in your DNS in the following format. 

Name of the TXT Record: _dmarc.yourdomain.com (where yourdomain.com has to be replaced with your domain name)

TXT Record Value: "v=DMARC1; p=reject; pct=80; rua=mailto:admin@yourdomain.com" (add other optional tags based on your requirement)

DMARC Syntax

Tag: v
Description: Protocol version
Sample: v=DMARC1
Mandatory/Optional: Mandatory

Tag: p
Description: Instruction provided by the sender to the receiver on what to do with emails that do not pass authentication:
  • none: No action taken against authentication failed emails
  • quarantine: Emails are quarantined or placed in the recipient's spam folder
  • reject: Emails will bounce back to the sender
Sample: p=none, p=quarantine, p=reject
Mandatory/Optional: Mandatory

Tag: pct
Description: Specifies the percentage of messages to be affected by the DMARC policy
Sample: pct=20
Mandatory/Optional: Optional

Tag: rua
Description: Specifies the email address where the DMARC aggregate reports will be sent. To send reports to more than one email address, separate the addresses with a comma
Sample: rua=mailto:admin@yourdomain.com
Mandatory/Optional: Optional

Tag: ruf
Description: Specifies the email address where the DMARC forensic reports will be sent. These reports are much more detailed than aggregate reports. To send reports to more than one email address, separate the addresses with a comma
Sample: ruf=mailto:admin@yourdomain.com
Mandatory/Optional: Optional

Tag: sp
Description: Similar to the 'p' tag. This tag sets the policy for sub-domains if you wish to apply a different policy to your sub-domains
Sample: sp=none, sp=quarantine, sp=reject
Mandatory/Optional: Optional

Tag: adkim
Description: Sets the DKIM alignment policy - strict (s) or relaxed (r).
  • s: Strict alignment. The sender domain must exactly match the domain in the DKIM headers
  • r: Relaxed alignment. Allows partial matches, i.e., if the sender domain is a sub-domain of the domain in the DKIM mail headers, DKIM alignment passes
Sample: adkim=s, adkim=r
Mandatory/Optional: Optional

Tag: aspf
Description: Sets the SPF alignment policy - strict (s) or relaxed (r).
  • s: Strict alignment. The sender domain must exactly match the domain in the return-path (bounce) address
  • r: Relaxed alignment. Allows partial matches, i.e., if the sender domain is a sub-domain of the domain in the return-path (bounce) address, SPF alignment passes
Sample: aspf=s, aspf=r
Mandatory/Optional: Optional

DMARC Roll-out steps 

If you send emails using third-party senders who do not mandate SPF and DKIM authentication, there is a possibility that your emails will be rejected or quarantined as per the DMARC policy. To prevent sudden disruptions in your email deliverability, it is important to roll out DMARC in a phased manner. This also ensures that genuine emails are not tagged as spam by this policy.

  • Phase 1 (Initial phase or Monitor phase) - publish the DMARC record with the tag 'p' as none in the DNS.
  • Phase 2 (Quarantine phase) - change the tag 'p' to Quarantine in your published records.
  • Phase 3 (Final phase or Reject phase) - change the tag 'p' to Reject. All emails that fail DMARC authentication will be rejected. 

Phase 1: Monitor Reports and Traffic 

"v=DMARC1; p=none; rua=mailto:admin@yourdomain.com"

This is the monitor phase, where you will receive reports about who is sending emails under your brand name and determine which of them are legitimate and which of them are spoofed. The tag 'p' will be set to none. The details of all unverified emails will be sent to the mailto address set in the 'rua' tag. To receive reports at multiple email addresses, separate the addresses in the rua tag using a comma. If you find any legitimate emails in your reports, ensure that SPF and DKIM authentication are set up properly: add the IP addresses of the legitimate senders to your SPF record and/or configure the source of these emails with DKIM. Repeat this until your DMARC reports no longer list any legitimate emails as failing authentication. This prevents legitimate emails from being reported as spam. Now move to phase 2 (Quarantine phase).

Phase 2: Quarantine Emails and Analyze

"v=DMARC1; p=quarantine; rua=mailto:admin@yourdomain.com"

In this phase the receiver will quarantine all the emails that look spoofed or are unverified. The tag 'p' will be set to quarantine. An additional tag, 'pct', is set. The tag 'pct' determines the percentage of emails to which the receiver should apply the DMARC quarantine policy. For example, if you set 'pct' to 20, the sender is asking the receiver to quarantine 20% of the emails that appear unauthenticated. To the remaining 80% of the emails, the next lower policy, 'p=none', will be applied. It is highly recommended to quarantine unverified emails in smaller steps: start by quarantining a small percentage of unverified emails and increase it in steps. If you set pct=0, it means that DMARC is still in phase 1 and the quarantine policy will not be applied. The DMARC report will still contain the details of all the unauthenticated emails.

"v=DMARC1; p=quarantine; pct=20; rua=mailto:admin@yourdomain.com"

The next step is to gradually increase the 'pct' in steps such as pct=30, pct=40, etc. Finally, remove the 'pct' tag.

"v=DMARC1; p=quarantine; rua=mailto:admin@yourdomain.com"

Once 'pct' is removed, all the emails (100%) that appear to be spoofed will be quarantined. 

The quarantine policy is applied in any of the ways listed below:

  • Quarantine - The emails will be delivered to the quarantine mailbox of the receiver. The administrator of the mailbox will decide whether to deliver these emails or not.
  • Deliver to Spam - If the receiver is hosting the mailbox, then the receiver can place the quarantined messages in the recipient's spam folder, and the recipient has the option to move them into their inbox.
  • Anti-spam filtering - Receivers will treat quarantined messages as spam. They may then decide to add additional spam scores to these messages leading to such messages getting blocked altogether.

The quarantined emails report is sent to the email address specified in the 'rua' tag. Review the quarantined email report and add the IP addresses of legitimate senders to your SPF record or configure the source of these emails with DKIM. This will prevent quarantining of legitimate emails.

Note:

Quarantine phase is not a testing option. If you enable quarantine without properly setting up your DMARC policy, all your legitimate emails will be treated as spam and blocked by receivers. Additionally, receivers will downgrade the reputation of your domain.  

Phase 3: Reject Spoofed Emails

In this phase unverified emails will be rejected (blocked completely & will not reach the quarantine or spam mailbox). The end-user will never be aware of such rejected emails. After you ensure that valid emails are not quarantined, set the tag p=reject.

"v=DMARC1; p=reject; rua=mailto:admin@yourdomain.com"

The 'pct' tag can be applied in this phase as well. If you set 'pct=0', it means that the DMARC is still in quarantine phase (phase 2) and unauthentic emails will not be rejected.

"v=DMARC1; p=reject; pct=20; rua=mailto:admin@yourdomain.com" 

When 'pct' is 20, it means that 20% of the emails that fail the DMARC alignment validation will be rejected. The remaining 80% fall back to the next lower policy, which is 'p=quarantine'. The next step is to gradually increase the 'pct' in steps such as pct=30, pct=40, etc. Finally, remove the 'pct' tag.
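The alignment rules described above (including the zylker.com / bounce.zylker.com case) and the 'pct' fallback to the next lower policy, as an added Python example that is not part of the original page or of ZeptoMail. It approximates relaxed alignment with a parent/sub-domain suffix check (real receivers compare organizational domains using the public suffix list), ignores the 'sp' tag, and uses a hypothetical `sampled` parameter in place of the receiver's random pct draw.

```python
import random

# Defaults from the DMARC syntax: relaxed alignment and pct=100 unless set.
DEFAULTS = {"adkim": "r", "aspf": "r", "pct": "100"}
# A message outside the 'pct' sample gets the next lower policy.
NEXT_LOWER = {"reject": "quarantine", "quarantine": "none", "none": "none"}


def parse_dmarc(record):
    """Parse a DMARC TXT record such as
    "v=DMARC1; p=reject; pct=80; rua=mailto:admin@yourdomain.com"."""
    tags = dict(DEFAULTS)
    for part in record.strip().strip('"').split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    return tags


def domains_match(from_domain, other_domain, mode):
    """Matching-domains check. 's' needs an exact match; 'r' also accepts a
    parent/sub-domain pair, e.g. zylker.com and bounce.zylker.com."""
    f = from_domain.lower().rstrip(".")
    o = other_domain.lower().rstrip(".")
    if f == o:
        return True
    return mode == "r" and (o.endswith("." + f) or f.endswith("." + o))


def evaluate(record, from_domain, return_path_domain, spf_pass,
             dkim_domain, dkim_pass, sampled=None):
    """Return (aligned_with_spf, aligned_with_dkim, disposition).

    disposition is 'pass', or the policy the receiver applies ('none',
    'quarantine' or 'reject') after the 'pct' fallback. `sampled` is an
    assumed hook that replaces the receiver's random pct draw."""
    tags = parse_dmarc(record)
    spf_aligned = spf_pass and domains_match(from_domain, return_path_domain, tags["aspf"])
    dkim_aligned = dkim_pass and bool(dkim_domain) and \
        domains_match(from_domain, dkim_domain, tags["adkim"])
    if spf_aligned or dkim_aligned:
        return spf_aligned, dkim_aligned, "pass"
    policy = tags["p"]
    if sampled is None:
        sampled = random.randrange(100) < int(tags["pct"])
    if not sampled:
        policy = NEXT_LOWER[policy]
    return spf_aligned, dkim_aligned, policy
```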

Note:

Before you get started it is important to know that ZeptoMail is for sending transactional emails like welcome emailers, password resets emails, OTPs. We do not support sending of bulk emails or promotional emails like newsletters or marketing campaign emails. If you are looking for a bulk email provider, check out Zoho Campaigns.