Tactical Marketing Automation search icon
DMARC is important email security for Google compliance
Categories
Marketing Basics Marketing Technology

What is DMARC and How Do I set It Up?

DMARC just stopped being a “Best Practice”
Now it’s “Do it or else.”

Download Now: Tactical MA DMARC Setup step-by-step guide.

By February 2024, Google and Yahoo will be implementing strict email security for anyone sending over 5,000 emails a day. DMARC, being a “Best Practice,” will now be mandatory. What does all this mean and how can you be ready for this change?

Let’s begin with WTF is DMARC? DMARC (Domain-based Message Authentication, Reporting, and Conformance) is the rule you set on your domain (e.g., tacticalma.com) that tells a receiving email client (e.g., Gmail or Yahoo) what to do if they receive a suspicious message from your domain.

DMARC comes in three flavors – none, quarantine, and reject. These are called “Policies,” and they are basically instructions to the receiving mail server on what to do if DMARC fails. These policy types are defined as follows:

  • None: If this message fails authentication, you (the email client) should handle it as if no policy existed.
  • Quarantine: If this message fails authentication, you (the email client) should mark it as Spam.
  • Reject: If this message fails authentication, you (the email client) should delete it without delivering it.

 

Why Do I Care About DMARC?

Probably you don’t, but now you have to.

There are two reasons email marketers implement basic email security (SPF/DKIM). For IT-minded marketers, email security is essential to protect the brand, block security vulnerabilities, and combat fraudulent spoofing of your domain.

For the other 98%* of email marketers, it’s something mail applications require you to do so you can send email on their platform.
(*I made that statistic up as a joke. I have no idea what the actual breakdown is. I’m pretty sure that this is close, though.)

With Gmail and Yahoo’s email policy changes for bulk senders (Email sender guidelines), DMARC is suddenly at the top of everyone’s radar. While DMARC isn’t new, it’s also not widely adopted due to the potential headaches with configuration. A strict DMARC policy will prevent anything misconfigured from being sent – for example, your MailChimp account without SPF. With new policies requiring DMARC on bulk sends (send days over 5,000), it is suddenly more urgent than many email marketers planned.

Famously a pain in the ass for email marketers, Gmail is ratcheting up its enforcement to combat Spam by requiring the same compliance methods it already did PLUS one additional detail – if you don’t have a DMARC policy, you can’t send to @gmail.com addresses. Fortunately, DMARC is easy to set up. How far you want to take it is up to you. Here is the down-and-dirty of what you need to know.

How Does it Work?

DMARC is very jargony, so let’s review the basics. There are really only three pieces:

    • Email From: This is the email address that sent the message
    • SPF (Sender Policy Framework): This is configured in the email software as a security measure. It’s a TXT record on your website that allows software to send on your behalf.
    • DKIM (Domain Keys Identified Mail): This is configured in the email software as a security measure. It’s a CNAME (Canonical Name) record on your website that allows software to send on your behalf.

 

Without DMARC, email clients (Outlook, Apple Mail, Gmail, Yahoo, etc) look at Email From, SPF, and DKIM. If the domain values don’t match or check out, they usually flag the message as Spam and move on.

With DMARC, however, there is an additional layer of security. Instead of arbitrarily deciding what to do with the message, the email client (Outlook, Apple Mail, Gmail, etc) will look to your domain for instructions on how you would like to handle it.

    • None = You don’t care
    • Quarantine = Put it in Spam
    • Reject = Delete it

 

Starting in February 2024, Gmail and Yahoo have a new rule – “If you didn’t set up DMARC, you aren’t being careful enough to send email to our users.”

How Do I Set it Up?

  1. Log into your DNS (Domain Name System) configuration
  2. Create TXT Record
  3. Set your HOST to _DMARC
  4. Set your value to the desired policy
    • p=none
    • p=quarantine
    • p=reject
  6. Set your alerts to go to someone using rua=mailto:YOUREMAILADDRESS; ruf=mailto:YOUREMAILADDRESS
    • RUA sends daily summaries
    • RUF sends forensic details
    • You don’t have to do this, but you should at least do RUA
  8. Save and get back to the fun stuff in your job

Download Now: Tactical MA DMARC Setup step-by-step guide.

What about Subdomains?

DMARC applies to all subdomains UNLESS you configured different DMARC rules for your subdomains specifically. So, there are two ways to affect subdomains:

First, you can specify a global policy for subdomains using SP (Subdomain Policy) tags. These will affect ALL subdomains the same way. They are just modified policy (p) tags.

  • sp=none
  • sp=quarantine
  • sp=reject

 

Alternatively, you can specify policies for individual subdomains. To do so, configure a new TXT record on the Subdomain using the standard DMARC steps.
Unless you have a specific reason to do so – I recommend keeping this simple and stick to a global policy.

I Need Help?

If you’re a Tactical MA retainer client, let us know, and we’ll get this sorted out for you. If you’re not a Tactical MA retainer client, I suggest sending this article (or our step-by-step guide) to your IT team, who should be able to make short work of it. I suppose if you wanted to be a Tactical MA retainer client, you could also visit Contact Us to see if we are currently accepting new clients.

Download Our Guide:


Free Marketing Automation Process Guide

Well-designed automation leads to 12% lower marketing costs and a 15% increase in sales productivity. Download our Guide Today
Download Our Process Guide
to top