In this article, we will explain the following:
- What is DMARC?
- Why is DMARC important?
- How does DMARC work, briefly, and in non-technical terms?
- How does DMARC work (detailed)?
- Why some ESPs reject/quarantine emails if DMARC is not set up?
- How to create and verify a DMARC record on VBOUT?
What is DMARC:
DMARC, which stands for “Domain-based Message Authentication, Reporting & Conformance”, is an email authentication, policy, and reporting protocol. It builds on the widely deployed SPF and DKIM protocols, adding linkage to the author (“From:”) domain name, published policies for recipient handling of authentication failures, and reporting from receivers to senders, to improve and monitor protection of the domain from fraudulent email.
Why is DMARC important?
With the rise of the social internet and the ubiquity of e-commerce, spammers and phishers have a tremendous financial incentive to compromise user accounts, enabling theft of passwords, bank accounts, credit cards, and more. Email is easy to spoof and criminals have found spoofing to be a proven way to exploit user trust of well-known brands. Simply inserting the logo of a well known brand into an email gives it instant legitimacy with many users.
Users can’t tell a real message from a fake one, and large mailbox providers have to make very difficult (and frequently incorrect) choices about which messages to deliver and which ones might harm users. Senders remain largely unaware of problems with their authentication practices because there’s no scalable way for them to indicate they want feedback and where it should be sent. Those attempting new SPF and DKIM deployment proceed very slowly and cautiously because the lack of feedback also means they have no good way to monitor progress and debug problems.
DMARC addresses these issues, helping email senders and receivers work together to better secure emails, protecting users and brands from painfully costly abuse.
How does DMARC work, briefly, and in non-technical terms?
A DMARC policy allows a sender to indicate that their messages are protected by SPF and/or DKIM, and tells a receiver what to do if neither of those authentication methods passes – such as junk or reject the message. DMARC removes guesswork from the receiver’s handling of these failed messages, limiting or eliminating the user’s exposure to potentially fraudulent & harmful messages. DMARC also provides a way for the email receiver to report back to the sender about messages that pass and/or fail DMARC evaluation.
How does DMARC work (detailed)?
More detailed explanation can be found here.
Why some ESPs reject/quarantine emails if DMARC is not set up?
Large scale email receivers, such as Yahoo, Comcast, AOL and many more are increasingly requiring that email messages be properly authenticated, and when they say properly authenticated it means in a DMARC-compliant way.
When DMARC is not verified, some ESPs automatically reject or quarantine the email.
Most of the time, the quarantine emails, meaning they send them to SPAM.
How to create and verify a DMARC record on VBOUT?
For your convenience, VBOUT has a built-in DMARC policy check and generator.
To check and create a DMARC policy, go to Settings > Domain Sender Verification, add your Sending Domain and click on Generate:
Once you click on the Generate button, VBOUT will create a default record for your convenience. You can edit this record by clicking the Edit icon.
The changes that you make to “DMARC policy type”, “Email analysis percentage”, “Email aggregate DMARC reports to”, and “Email forensic DMARC failure reports to” will be reflected in the Value:
DMARC policy types:
There are three types of policies: None, Quarantine, and Reject.
- None: The mailbox provider won’t take action for emails that fail DMARC.
- Quarantine: This will make the mailbox providers treat all emails that fail DMARC as suspicious. Quarantining an email delivers it into an area outside of the inbox, such as the spam or junk folder.
- Reject: The mailbox providers will reject all emails that fail DMARC.
Email analysis percentage: The percentage of emails that will be checked.
Email aggregate DMARC reports to: The aggregate DMARC reports contain information about the authentication status of messages sent on behalf of a domain.
Email forensic DMARC failure reports to: A forensic report is essentially a copy of the email that failed DMARC validation and is typically sent immediately after the failure.
Once you finish, click on the value to copy it to your clipboard:
Once you finish, add the entry to your DNS record and click Verify on VBOUT.
Here’s an example:
Depending on the DNS server, changes might take anywhere from a few minutes to 24 hours to reflect.
If the verify does not work after that time, please contact support for further assistance.