DMARC, also known as a DMARC record, is set up to protect you from email spoofing. It notifies you when unauthorized emails are sent under your identity, enabling you to swiftly mitigate potential spoofing threats.
With a DMARC record in place, the Inbox Service Provider (ISP) receiving the email from a sender attempting to impersonate your domain can act according to the policy you’ve set up in the DMARC record. The policy states whether the ISP should accept the received email, send it to the junk folder, or just reject it.
In addition to the policy, a DMARC record should also include an email address. This allows the ISPs to report back to you about send-outs they’ve received on behalf of your domain. These reports make it easier for you to understand if there are any fraudulent emails sent in your name.
Below is some more information regarding DMARC and a step-by-step guide for setting it up (external links).
- Information: https://mxtoolbox.com/dmarc/details/what-is-a-dmarc-record
- How to set it up: https://mxtoolbox.com/dmarc/details/how-to-setup-dmarc
If you are unsure what to set up, check that you have a DMARC record that at least looks like this:
The DMARC record above is a good start to ensure that you have DMARC in place. We encourage you to change the policy (the “p=” tag) to p=quarantine or p=reject as soon as possible after the initial setup. This is to ensure that unauthorized emails sent from your domain are either put in the spam folder or completely rejected.
Before switching the policy to either quarantine or reject, you need to go through the DMARC reports to understand the current state of send-outs from your domain. There may be some legitimate emails from you (password reminders, transactional emails) that are actually sent with non-authorized setups that you may not know about. The DMARC reports will inform you about this.
Going to quarantine or reject without addressing these setups could potentially cause legitimate emails from your systems to appear as unauthorized—and subsequently, these will end up being rejected by the ISPs.
Once you are sure that all emails sent from your domain(s) have correct authentications in place, you are ready to change the policy to either quarantine or reject.
The reports are sent in a format that may be hard to read and understand. If you are unsure how to read the reports, please consult with your domain administrator for guidance.
- Check DMARC: https://mxtoolbox.com/dmarc.aspx
A correctly set up DMARC record will result in something like this:
You can also verify the DMARC policy by using Google Admin Toolbox as described under “What should you do as a sender?” in this article.
Sending from multiple domains or subdomains
You may be sending emails in different countries and from country-specific domains, from different subdomains for different types of communications—or maybe a mix of both. Look at the examples below for guidance regarding DMARC setup for each case.
You are sending emails from voyado.com, voyado.fi, and voyado.se
In this case, a DMARC record must be set up for each of the .com, .se and .fi domains.
Your root domain is voyado.com and you are sending emails from campaigns.voyado.com. (campaigns.voyado.com is a subdomain of voyado.com)
While you can have different DMARC policies for the root domain and the subdomain, you don’t necessarily need to. By default, the DMARC policy set on a root domain level is inherited by all subdomains and it’s common to have the same policies for both.
The image below shows how it can look if a DMARC record is set up only for the root domain (in this case voyado.com) and you are checking for the subdomain campaigns.voyado.com in MX Toolbox:
Whether you should have the same or different DMARC policies for your root domain and subdomain is up to you as a sender to decide. For the deliverability of your emails, either option is equally fine.
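The inheritance rule described above can be checked before you change a policy. The sketch below is an added example, not code from Voyado or MX Toolbox: it works out which DMARC policy a receiver would apply to a sending domain or subdomain. The TXT records, the report addresses and the subdomain news.voyado.se are constructed for illustration, the `sp=` tag comes from the DMARC specification rather than this article, and the organizational domain is assumed to be the last two labels of the name.

```python
# Added example: which DMARC policy applies to a sending domain or subdomain.
POLICIES = ("none", "quarantine", "reject")

# Constructed sample TXT records (not real DNS data), keyed by DNS name.
SAMPLE_TXT = {
    "_dmarc.voyado.com": "v=DMARC1; p=quarantine; rua=mailto:dmarc@voyado.com",
    "_dmarc.voyado.se": "v=DMARC1; p=none; sp=reject; rua=mailto:dmarc@voyado.se",
}


def parse_dmarc(txt):
    """Parse 'tag=value; ...' into a dict, or return None if not a usable DMARC record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    # The v tag must come first and be exactly DMARC1.
    if next(iter(tags), None) != "v" or tags["v"] != "DMARC1":
        return None
    # Simplification: a record with a missing or unknown p= is ignored.
    if tags.get("p", "").lower() not in POLICIES:
        return None
    return tags


def org_domain(domain):
    # Assumption: the organizational domain is the last two labels.
    # Real receivers determine it with the Public Suffix List.
    return ".".join(domain.split(".")[-2:])


def effective_policy(from_domain, txt_records):
    """Return (policy, record_name) applied to mail from from_domain, or (None, None)."""
    domain = from_domain.lower().rstrip(".")
    own = parse_dmarc(txt_records.get("_dmarc." + domain, ""))
    if own:
        return own["p"].lower(), "_dmarc." + domain
    parent = org_domain(domain)
    inherited = parse_dmarc(txt_records.get("_dmarc." + parent, ""))
    if parent != domain and inherited:
        # A subdomain without its own record inherits the root policy;
        # an sp= tag on the root record overrides p= for subdomains.
        return inherited.get("sp", inherited["p"]).lower(), "_dmarc." + parent
    return None, None


if __name__ == "__main__":
    for name in ("voyado.com", "campaigns.voyado.com", "news.voyado.se", "voyado.fi"):
        print(name, effective_policy(name, SAMPLE_TXT))
```

A result of `(None, None)` for a domain you send from, such as voyado.fi in the constructed data, means that domain has no DMARC record and needs its own.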