What is DMARC, Why Should I Care?

Content provided by Cloud Brigade

Beginning in February 2024, Google and Yahoo will begin to enforce an email standard called DMARC. You may have received a notification from other vendors who send email on your behalf (Website or ecommerce host, mailing list company, etc.), requesting that you set up a DMARC “DNS” record.

Unfortunately this is a more complex task than appears on the surface, and this article seeks to simplify the topic and what needs to be done. Failure to take action will result in a higher proportion of your email not reaching the intended recipient. It’s a big deal.

TL;DR: You need to have someone implement these records on your behalf, typically an IT practitioner who understands DNS and email deliverability.

What is DNS? DNS stands for Domain Name System. In short it is like an internet telephone book which translates your domain name (i.e. yourbusiness.com) into “internet addresses”, which are connected to your website, your email provider, and for other purposes as we will describe here.

What is DMARC? DMARC stands for “Domain-based Message Authentication, Reporting & Conformance”. In technical terms it is an email authentication, policy, and reporting protocol which builds on the widely deployed SPF and DKIM protocols.

In plain english, DMARC is a special DNS record attached to your domain to make your email more deliverable, and reduce the chances your email will be routed to a “SPAM” folder. DMARC combines two other types of DNS records called SPF and DKIM. All three types of records are involved in the deliverability of your email.

If you haven’t heard of these records before, you aren’t alone. Many domain name owners have never set up these records. In the early days of the internet when SPAM became prevalent, multiple parties created solutions to prove the sender of an email was legitimately allowed to do so. By creating a system to validate the authenticity of these emails, email providers like Google, Yahoo, and Microsoft could determine if the email was legitimate or SPAM.

For better or worse, two competing approaches became standard, each with their strengths and weaknesses. In order to implement DMARC as required by Google and Yahoo (and soon others), you must first set up SPF and DKIM.

What is SPF? SPF stands for Sender Policy Framework, and it is a DNS record which provides a list of servers which are permitted by you to send email on your behalf. For example if your website has a form on it, you should have an SPF record which says it’s OK for email to be sent from your website on behalf of your domain name.

What is DKIM? DKIM stands for DomainKeys Identified Mail. This provides a “digital signature” which is used to “sign” each email at its source. It’s the email equivalent of certified mail. More than just a DNS record, this signature needs to be created at every vendor your company uses to send email. For most companies, this ranges from 2-5 separate vendors as follows:

  • Your primary email provider (Google, Microsoft, etc)

  • Your E-commerce hosting provider (Shopify)

  • Email relay provider, used by web hosting providers (Sendgrid, Mailgun, etc)

  • Mailing List provider (Mailchimp, Constant Contact, etc)

  • CRM System (Salesforce, Pardot, SugarCRM, Insightly, CapsuleCRM, etc)

  • Software hosting providers (AWS, Azure, Google Cloud, etc)

  • Hardware devices like Office Printers

To complicate matters, you must setup DKIM and SPF for all of the above services. If you simply implement this for a single provider, the result will be undeliverable email for the others.

Where do I start? The first thing you should do is perform an internal inventory of all the systems you use to send email. Each one will need to be assessed to determine if they use your domain to send email, if they use a relay service as mentioned above, or if they are connected to your primary email provider.

Next, gather the login credentials for all of these providers, as well as your DNS provider. Oftentimes the DNS provider is the same company you purchased your domain from, or it may be your website hosting provider, or a third party vendor like CloudFlare or others.

Make sure you are able to login to each of these accounts with the credentials you have collected. If not, use password reset tools to regain access.

You are now ready for someone to conduct a review of your email configuration, and determine which changes need to be implemented at which provider. If you wish to manage these changes internally, you can learn more about each of these DNS records using the links below.

https://dmarc.org/

https://www.dkim.org/

http://www.open-spf.org/

If you would like to hire someone to help with this process, we are happy to help. Reach out to sales@cloudbrigade.com for more information.