DMARC Essentials - Boost Email Open Rates and Enhance Security

Email deliverability is crucial for any sender reaching out to leads, customers, and audiences via email.

However, technical aspects must be addressed to ensure your emails reach their intended recipients. One of these crucial technical aspects is setting up DMARC records.

Without DMARC, an email authentication method, you risk landing in the spam folder.

Even worse, criminals could commit cybercrimes through emails that appear to come from your domain!

What is DMARC? 🤷‍♂️

Back in the early 2010s, fraudulent email was so prevalent that it threatened email altogether.

Some of the biggest senders and receivers of email, like Gmail and Yahoo, had to do something about it.

Together, they developed DMARC. Their aim was to protect people against email spoofing and cyber crimes like phishing.

DMARC stands for Domain-based Message Authentication, Reporting & Conformance. It is a protocol that checks emails to make sure they’re legit. It uses SPF and DKIM records to do this.

💡Just like DMARC, SPF, and DKIM are DNS records designed for domain authentication. Email servers can’t authenticate the sender if the records are absent.

By using a DMARC record, the receiving server of an email can check that the email is really from the claimed domain and that it aligns with both the SPF and DKIM records. The main goal of DMARC is to make email more trustworthy and secure.

To learn more about DMARC, check out our guide: What is DMARC? And Why Should You Care?

How Does DMARC Work? 👷

DMARC leverages the authentication results of both SPF and DKIM.

For a DMARC check to pass, it requires not only SPF or DKIM to pass but also a domain alignment.  The domain in the ‘From’ address should match or align with the SPF or DKIM domain.

The DMARC policy (published in a DMARC record within the domain’s DNS) specifies how to handle emails that fail this check.

The policies can be:

• → p=none (do nothing)
• → p=quarantine (potentially put it in spam)
• → or p=reject (discard the message - do not deliver).

To gain a deeper understanding of DMARC’s technical aspects, we created a guide on how DMARC works.

Who Needs to Set up Their DMARC Records? 👨‍💼

In short, any company or professional sending emails to their audience.

It’ll help protect your brand from fraudulent emails.

Organizations without DMARC are almost five times more likely to be the target of email spoofing.

If you’re doing sales email outreach, your technical setup must be on point to avoid the spam folder. DMARC is an essential component of that. It can increase your open rates by 10%, on average.

Other organizations that need to set up their DMARC include:

• 1. E-commerce platforms & banks: It’ll ensure that transactional emails are genuine, and it reduces the risk of phishing attacks.
• 2. Email Service Providers: It’ll improve the delivery of genuine emails by authenticating them.

How to Set up a DMARC Record 📝

A DMARC record looks like this:

v=DMARC1; p=none; rua=mailto:youremail@yourdomain.com

You already know that the “p” stands for policy. This determines what to do with unauthenticated emails.

The other two tags are:

• ➡️ The “v” tag is the DMARC version. There’s only one valid version currently.
• ➡️ The “rua” tag is the email address to which you want the DMARC reports to be sent.

⚠️ Since DMARC works in a team with SPF and DKIM, ensure you have had both SPF and DKIM records in place for at least 48 hours before adding your DMARC record.

Where to set up your DMARC record 🔎

You can only set up a DMARC record in your domain provider’s account.

Usually, this is the organization from which you bought your domain.

However, in some cases, you have pointed your name servers to, for example, your hosting provider. If so, you have to add the DMARC there.

We have tutorials on how to set up your DMARC on specific domain providers:

• ➡️ Set up DMARC on GoDaddy
• ➡️ Set up DMARC on Namecheap
• ➡️ Set up DMARC on Cloudflare
• ➡️ Set up DMARC on OVH

And for email providers:

• ➡️ Set up DMARC for Office 365
• ➡️ Set up DMARC for Google Workspace
• ➡️ Set up DMARC for Zoho Mail

Setting up a DMARC record isn’t hard once you know how it works.

For more detailed info, check out our guide on how to easily set up a DMARC record. ⬅️

Alternatively, use our DMARC Generator below. ⬇️

How to validate your DMARC ✅

A DNS needs to propagate before it’s active.

This process can take up to 48 hours.

You can use a DNS checker to check the status of your DMARC record.

Use lemwarm’s free Deliverability Tester, or try its DNS Checks feature.

It verifies your complete technical setup so you know when you’re ready to start your email outreach.

Common DMARC questions ❓❓

1. How to fix 554 5.7.5 permanent error evaluating DMARC policy? 😖

If you get the error 554 5.7.5 Permanent error evaluating DMARC policy when sending emails, it means the receiving server couldn't check your DMARC policy.

This can stop your emails from being delivered.

Here's what you can do to fix it:

1. Check your DMARC record:‍ Use online tools to check your DMARC record and make sure there are no mistakes. The only valid policies are p=none, p=quarantine, and p=reject.‍
2. Check SPF and DKIM: Use online tools to verify your SPF and DKIM setups. Ensure the sending IP is listed in your SPF record and that the public key in the DNS matches the private key on the sending server.‍
3. Check for Alignment:‍ ‍Make sure the domain used in SPF or DKIM matches the domain in the 'From' header.‍
4. Review DMARC Policy: If your policy is set to p=reject or p=quarantine, consider changing it to p=none while you troubleshoot. Once issues are fixed, you can revert to a stricter policy if desired.‍
5. Monitor DMARC Reports: Check DMARC reports to see which servers are sending emails on your behalf and if they're failing or passing DMARC checks.‍
6. Ensure your Mail Server's Clock is Correct:‍ Check that your mail server's clock is accurate to prevent DKIM signature issues.‍

If none of these steps solve the error, reach out to your email provider for more details.

2. How to read DMARC reports 📈

DMARC reports, specified by the "rua" tag in the DMARC record (for instance, rua=mailto:reports@example.org), provide insights on who is sending mail on behalf of your domain.

These reports are invaluable for tuning and maintaining your DMARC policy.

The interval for reviewing DMARC reports may vary based on the volume of emails your organization sends. However, frequent checks enhance visibility and ensure attackers aren't exploiting your domain.

Understanding your DMARC reports is essential in tracking authentication success and potential issues.

You can use tools like SEMRush to analyze these reports, identifying:

• The IP addresses sending emails on behalf of your domain.
• The alignment success rate.
• Any ongoing or attempted phishing activities.

3. Is DMARC better than SPF? ⏫

SPF allows senders to specify which servers are permitted to send email on behalf of a given domain.

It checks the return-path domain against a list of authorized sending IPs in the DNS.

If an email is received from an unauthorized server, it may be marked as spam or rejected.

DMARC, on the other hand, builds upon both SPF and DKIM.

It introduces a policy that a domain owner can publish to guide receivers on how to handle emails that fail these checks.

This can range from doing nothing (p=none), sending it to quarantine (potentially marking it as spam), or outright rejecting the email.

Additionally, DMARC provides domain alignment features to ensure the authenticity of the sending domain and offers visibility into email flows through DMARC reports.

In essence, DMARC complements SPF by adding an additional layer of security, authentication, and reporting.

So, it's not that DMARC is "better" than SPF; instead, when DMARC is used in conjunction with SPF (and DKIM), it offers a more comprehensive approach to secure email communication for an organization.

4. What is the difference between DKIM and DMARC?

DKIM:

• Authentication: DKIM lets senders sign emails, proving the email's content wasn't altered during transit.
• Verification: Email receivers check the DKIM signature using the sender's public key from their DNS.

DMARC:

• Policy: DMARC dictates how receivers should handle emails failing authentication (monitor, quarantine, or reject).
• Alignment & Reporting: Ensures the 'From' domain matches the SPF or DKIM domain and provides feedback via DMARC reports.

In essence, DKIM ensures email integrity, while DMARC sets the rules for handling and offers insights on email traffic.

Both work together for robust email security.

In conclusion, DMARC records are an indispensable tool in the cybersecurity toolkit for any organization or individual.

By understanding and implementing DMARC, you are taking a significant step towards more secure and trustworthy email communication.

If you have any specific questions or need personalized guidance, don't hesitate to reach out to our team of experts.

What other technical settings do I need to complete? ➕

If you’ve just set up your DMARC records, congrats on the first step! To keep your emails out of spam and ensure they reach your audience’s inboxes, there are 4 other technical settings to complete:

• SPF (Sender Policy Framework): This verifies that your emails have been sent from your domain.
• DKIM (DomainKeys Identified Mail): This guarantees that your emails are not changed after they are sent.
• MX Records: This helps providers know what servers accept emails for your domain. Without it, you won’t be able to receive emails.
• Custom Tracking Domain: This allows you to track open and click rates in your emails safely and without using your ESPs tracking domain that most of their customers use, including spammers.

Once you’ve completed your setup, use our free Deliverability Tester or lemwarm’s DNS Checks to ensure all settings are in place!

And as a faster option (it only checks your email authentication records), here's our email authentication checker.