As more small business owners use their own domain registrars, many have questions about DMARC and how DMARC reporting works. This is especially important if you’re trying to improve your domain reputation.
If you manage your own domain and use it to send email, then DMARC records can help you secure your domain to prevent spoofing and troubleshoot sending issues.
In this article, I’m covering some DMARC basics, including some known false positive DMARC fails.
What is a DMARC record and how does it work?
DMARC stands for Domain-based Message Authentication, Reporting, and Conformance, and it is a way for email servers to understand how strictly you want them to apply the security rules you have set with your SPF and DKIM records. It also gives email servers the address where you want to receive email reports.
The DMARC record itself is a TXT record in your DNS settings.
Here’s a basic example that will pass all emails and request reports sent to the email specified:
TXT Record Name: _dmarc
TXT Record Value: v=DMARC1; p=none; rua=mailto:example@example.com
TTL: 4 hours
Make sure you set the address to an address of your choosing to receive these reports.
What’s in the DMARC Value?
Just as in the example above, at a minimum, there are 3 tags that must be included. There are more, depending on your email needs.
The required 3 are v, p, and rua.
V is the version of DMARC that you’re using for this DMARC TXT records. is DMARC1.
P is the policy you want email servers to enforce. None means pass through the email even if it failed authentication. The other options for the policy value include quarantine or reject. These options might result in non-deliverability of legitimate emails depending on your email setup.
Rua is the last required tag. It stands for reporting URI(s) for aggregate data. This is the email address where you want to receive these reports.
This value will be a TXT record inside the DNS records for your domain. Lookup the directions from your domain registrar on how to add the record.
Understanding DMARC Reports
These email reports are XML files and aren’t easily readable without converting them into a table. You can see examples of both here (look for “Example DMARC report in raw XML format”).
Luckily, there are some online tools you can use to understand what they are saying. Here is one DMARC report analyzer.
Each report is the email received by a single server. With this configured, you will most likely get these reports from multiple servers (email hosts).
Once you’ve got the data from your report, you’ll see a table with columns for IP Address, Email Volume, DMARC Compliance, SPF, and DKIM.
For each row, it gives the IP address of the sending server and how many emails this email host received from that IP address. It continues with how many emails Passed and Failed DMARC compliance and the percentage of emails that Passed. After DMARC, is SPF, and it gives the number of emails in each of these categories: Passed/Failed Authentication, Passed/Failed Alignment, and if the policy passed. Finally, there are sub-columns under DKIM, giving the number of emails for each: Passed/Failed Authentication, Passed/Failed Alignment, and if the policy passed.
If you see emails that are marked as Fail under DMARC Compliance, then it’s time to audit your DMARC, SPF, and DKIM settings to make sure that your legitimate emails are being delivered.
False Positives and Known DMARC Failures
There are some known false positives that fail DMARC compliance.
If you use Google Calendar and send invites, then using the policy for quarantine or reject (p=quarantine or p=reject), will result in your calendar invites being blocked. This is a limitation in Google Calendar. You must use p=none to pass Google Calendar invites so they are delivered.
When you use a 3rd party service to send emails with your domain, make sure you’ve updated the necessary records in your DNS. If you see some ‘Alignment’ Fails in DMARC reports, this happens when the DKIM and SPF records for the sender’s email domain do not match the source of the email. Depending on the settings in the service, you may or may not be able to correct it. Please check the documentation or contact someone that can help you.
Conclusion
DMARC is meant to help make email more secure and prevent people from spoofing your domain and ruining your domain reputation.
If you’re using a custom domain for your business (which you should!), then it’s important to take the time and make sure your email is sending correctly.
And, while it’s mostly 1-and-done, if you add a new email sending service (like a CRM, Mailing List app, etc.), then you’ll need to audit and update your DMARC, SPF, and DKIM records.
What other questions do you have about sending email with a custom domain? Do you want to learn more about email records like SPF and DKIM? Do you know of any other DMARC false positives? Share them with us in the comments!
References
- Overview. (n.d.). DMARC. Retrieved June 15, 2022, from https://dmarc.org/overview/.
- What is a DMARC Record?. (n.d.). MXToolbox. Retrieved June 15, 2022, from https://mxtoolbox.com/dmarc/details/what-is-a-dmarc-record.
- DMARC Reports. (n.d.). Google Workspace Admin Help. Retrieved June 15, 2022, from https://support.google.com/a/answer/10032472.
- DMARC Report Analyzer. (n.d.). MXToolbox. Retrieved June 15, 2022, from https://mxtoolbox.com/DmarcReportAnalyzer.aspx.
- What is a DMARC Record?. (2020, February 3). Dmarcian. Retrieved June 15, 2022, from https://dmarcian.com/dmarc-record/.
- How to get Google Calendar Invites to Pass DMARC. (2019, February 7). Dmarcian. Retrieved June 15, 2022, from https://dmarcian.com/google-calendar-invites-dmarc/.
- (2022, June 9). Domains and domain alignment. ActiveCampaign. Retrieved June 15, 2022, from https://help.activecampaign.com/hc/en-us/articles/360014290939-Domains-and-domain-alignment.
- DMARC Alignment. (n.d.). Dmarcian. Retrieved June 15, 2022, from https://dmarcian.com/alignment/.
- Harpp, A. (2022, March 16). How to improve domain reputation for improved deliverability. Postmark. Retrieved June 15, 2022, from https://postmarkapp.com/guides/how-to-improve-domain-reputation-for-better-email-deliverability.
