DMARC uses a concept called alignment to tie the results of SPF and DKIM to the content of an email. Adding a DMARC record to the DNS of your domain will allow you to troubleshoot your DKIM and SPF configurations if needed.

Getting started with safeguarding your domains with DMARC requires you to create and publish a DMARC record. Start gaining control over the way your domains are handling email. Implementing DMARC helps you with:

  • Receiving feedback about the emails you have sent, including information about DKIM and/or SPF alignment.
  • Telling email receivers like Yahoo and Gmail how to handle emails that fail to align with these email protocols.

DMARC Advisor helps you visualize all this feedback/XML data and can assist your organization in every step towards your goal of becoming DMARC compliant, not just on the deployment side of the project but in making sense of all the data as well. Restore full control over your domains.

We discuss the following items:

  • Assess your organization
  • Adding a DMARC record
  • Getting data into DMARC Advisor
  • DMARC policy
  • The road to p=reject
  • Troubleshooting

Assess

The size and complexity of an organization’s email structure are directly related to the work that is required to deploy DMARC. Email domains are often shared within an organization, with external parties that send emails on behalf of the organization and the organization’s own internet-facing applications. 

So, whenever you are deploying DMARC, it’s always a best practice to roll it out across all of an organization’s domains, especially the inactive domains, which, as the name suggests, are not in use. Unfortunately, these domains are loved by phishers since nobody is looking after them. Deploying DMARC across the entire domain portfolio simplifies deployment because it puts visibility across the entire organization in place.

Publishing a DMARC record

The first step to generating data is to publish a DMARC record. If you wish to create a DMARC record yourself, use our free DMARC Generator.

After creating your DMARC record, publish the DMARC record with your DNS host. You can find instructions for your host in our article How to add a DMARC record.

It takes about a day or two to start generating reports with data after publishing your DMARC records. Unfortunately, it’s difficult to interpret these XML-based reports, especially if you’re running hundreds or even thousands of reports. Our platform specializes in processing these reports and identifying the actions required for you to deploy DMARC throughout the organization. We even categorize the sources of email and present them with DMARC compliance status. Feel free to start a free 14-day trial to experiment with our platform.
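To make the XML feedback concrete, the following added example (not DMARC Advisor code and not part of the original article) summarizes an aggregate report per sending IP, using the standard RFC 7489 element names. The sample report, the function names and the choice to refuse reports containing a DOCTYPE are assumptions of this sketch.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in the RFC 7489 aggregate report layout, trimmed to the fields used below.
SAMPLE_REPORT = """<feedback>
  <policy_published><domain>example.com</domain><p>none</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>40</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated>
  </row><identifiers><header_from>example.com</header_from></identifiers></record>
  <record><row><source_ip>192.0.2.10</source_ip><count>5</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
  </row><identifiers><header_from>example.com</header_from></identifiers></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>12</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
  </row><identifiers><header_from>example.com</header_from></identifiers></record>
  <record><row><source_ip>203.0.113.9</source_ip><count>3</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
  </row><identifiers><header_from>example.com</header_from></identifiers></record>
</feedback>"""

def summarize_report(xml_text):
    """Per source IP: total messages and how many passed DMARC (aligned DKIM or SPF)."""
    # Reports arrive from third parties, so treat them as untrusted input.
    # This sketch refuses anything that declares a DTD before parsing it.
    if "<!DOCTYPE" in xml_text.upper():
        raise ValueError("report declares a DOCTYPE; refusing to parse")
    root = ET.fromstring(xml_text)
    summary = defaultdict(lambda: {"messages": 0, "compliant": 0})
    for record in root.iter("record"):
        row = record.find("row")
        if row is None:
            continue  # skip malformed records instead of failing the whole report
        count = int(row.findtext("count", "0"))
        # policy_evaluated holds the results after alignment was taken into account
        dkim = row.findtext("policy_evaluated/dkim", "fail")
        spf = row.findtext("policy_evaluated/spf", "fail")
        entry = summary[row.findtext("source_ip", "unknown")]
        entry["messages"] += count
        if "pass" in (dkim, spf):  # one aligned pass is enough for DMARC
            entry["compliant"] += count
    return dict(summary)

def sources_needing_work(summary):
    """Source IPs that sent at least one message failing both aligned checks."""
    return sorted(ip for ip, s in summary.items() if s["compliant"] < s["messages"])
```

Sources returned by `sources_needing_work` are either legitimate senders that still need SPF or DKIM set up for the domain, or senders that are not authorized at all.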

Getting data into DMARC Advisor

DMARC Advisor offers three different ways of getting data processed within the platform:

  • Directly

This is the most convenient option. Reports are processed directly. After creating an account, you will receive an email address to which you can send DMARC reports. 

  • Forward your data

Upon registration, you can provide another address to have your reports sent to.

  • Upload your data

You can upload your own DMARC XML data by using our XML Converter. You will see a detailed report of your data, but the data will not be stored unless you’re logged in.

DMARC policy

For an email message to be considered DMARC-compliant, the domain in the “From:” header must match the domain validated by SPF or the source domain found in a valid DKIM signature. Receivers can safely say that the email comes from the specified domain if the domains match one another and at least one of SPF or DKIM passes verification.

[Table: the different forms of alignment with DMARC, SPF and DKIM]

Domain owners can set their DMARC policy to determine what needs to be done with an email that is non-compliant:

  • p=none; only DMARC feedback is collected. No interruption of email flows
  • p=quarantine; messages will be moved to the spam folder
  • p=reject; messages that fail DMARC will not be delivered to the mailbox at all

The road to p=reject

Every project starts with p=none. It’s vital to start by monitoring your email flows to gain full visibility of what is happening. If you move to p=quarantine too fast, legitimate email may be flagged as spam. Once you are certain that every source and email flow is known, p=quarantine can be activated.

Even though p=quarantine does help with flagging illegitimate emails, p=reject should always be the goal when implementing DMARC. It is estimated that only 30% of organizations starting the process of deploying DMARC ever complete the process. Changing the policy is not the issue. The challenge is the interpretation of the feedback that is provided from the DMARC reports. Adopting DMARC can be daunting, but with the proper partner, it can be easily managed.

Troubleshooting

DMARC Record Issues

It happens often that a DMARC record isn’t set up correctly, which blocks the generation of reliable data. Feel free to use our DMARC Check to discover any issues regarding your DMARC record.

Some of the most common questions/issues we encounter are:

  • The addresses inside rua and ruf tags are not in URI format (e.g. mailto:user@example.com)
  • The DMARC record is not located correctly. The proper location is _dmarc.[yourdomain].(*) 
  • The v=DMARC1 tag is not optional and is case-sensitive. Remember: DMARC1 must be in capital letters!
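The three issues above can be checked mechanically before a record is published. The following is an added example (not the DMARC Check tool and not part of the original article); `check_dmarc_record` and `MAILTO_RE` are hypothetical names, the records in the usage are constructed, and the check on the p= value goes beyond the three listed issues.

```python
import re

VALID_POLICIES = {"none", "quarantine", "reject"}
# mailto: URI, optionally followed by an RFC 7489 size limit such as "!10m"
MAILTO_RE = re.compile(r"^mailto:[^@\s,!]+@[^@\s,!]+(![0-9]+[kmgt]?)?$", re.IGNORECASE)

def check_dmarc_record(dns_name, txt_value):
    """Return a list of problems; an empty list means no check failed."""
    problems = []
    # Issue 2: the record must be published at _dmarc.<domain>
    if not dns_name.lower().rstrip(".").startswith("_dmarc."):
        problems.append("record is not published at _dmarc.<domain>")
    tags = []
    for part in (p.strip() for p in txt_value.split(";")):
        if not part:
            continue  # tolerate a trailing semicolon
        name, sep, value = part.partition("=")
        if not sep:
            problems.append(f"malformed tag: {part}")
            continue
        tags.append((name.strip(), value.strip()))
    # Issue 3: v=DMARC1 is mandatory, comes first and is case-sensitive
    if not tags or tags[0] != ("v", "DMARC1"):
        problems.append("first tag must be exactly v=DMARC1")
    tag_map = dict(tags)
    policy = tag_map.get("p")
    if policy is None:
        problems.append("missing p= tag")
    elif policy.lower() not in VALID_POLICIES:
        problems.append(f"unknown policy: {policy}")
    # Issue 1: every rua/ruf destination must be a mailto: URI
    for tag in ("rua", "ruf"):
        for uri in (u.strip() for u in tag_map.get(tag, "").split(",")):
            if uri and not MAILTO_RE.match(uri):
                problems.append(f"{tag} address is not a mailto: URI: {uri}")
    return problems

if __name__ == "__main__":
    # Constructed records: one clean, one with all three issues from the list above
    print(check_dmarc_record("_dmarc.example.com", "v=DMARC1; p=none; rua=mailto:dmarc@example.com"))
    print(check_dmarc_record("example.com", "v=dmarc1; p=none; rua=dmarc@example.com"))
```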

Trouble delivering DMARC Data to DMARC Advisor

Not every domain sends emails every day; these domains will typically begin to see DMARC data within 24 to 48 hours. If you are having trouble generating data in your DMARC Advisor account, you can try some of our resources:

Let us know if you have any questions regarding any information mentioned above.