Overview

DMARC is a DNS record intended to verify both the sender's and their email's legitimacy, and thereby, increase email security. As a type of TXT record, DMARC incorporates the results of SPF and DKIM to verify a message's validity. Mailgun partners with Red Sift to generate DMARC DNS records during Mailgun domain setup. Aggregate DMARC reporting is available under our Optimize product for all paid mailgun customers including Basic, Foundation, and Scale customers.

Interested in the 2024 Google and Yahoo DMARC changes? Read more here!

Seeking to know more about One-Click Unsubscribes and List-Unsubscribes? Check this article!

What Is DMARC?

The goal of DMARC is to authenticate that the person who claims to be sending the email really is the person sending the email. As more email service providers adopt DMARC, emails with misaligned sending/from domains will be quarantined, marked as spam, or rejected completely.

How does DMARC work exactly? A receiving email server checks whether the SPF and DKIM values in the email are aligned, i.e. the consistency among the facets of authentication evaluated by SPF and DKIM. If a misalignment is detected, the receiving email server checks whether the domain listed in the From address has a DMARC record. If a DMARC record exists, an email server then will check whether the domain that sent the email is permitted to do so by the DMARC record as well as the action the receiving email server should take upon the email in light of the misalignment.

In short: DMARC relies on the sending domain's SPF and DKIM records as the basis for the authentication checks; moreover, depending on the outcome of those checks, informs how the recipient email server must handle the email - such as quarantining or rejecting the email.

Let's clarify this concept through example. John Doe (john.doe@johndoe.com) sends an email through Mailgun to Jane Doe (jane.doe@yahoo.com), but John configures a From address (john.doe@superelitebusiness.com) with a domain that differs from the sending domain. 

• John's sending domain (sometimes contained in the Sender header) is johndoe.com
• John's domain in the From address is superelitebusiness.com
• The recipient's domain in the To address is yahoo.com

Yahoo, as the recipient email server, first evaluates whether the Sender and From domains match. If they do not match, Yahoo next performs a lookup of the DMARC record for superelitebusiness.com, which is the domain listed in the From address. If a DMARC record exists for superelitebusiness.com, Yahoo then checks the DMARC policy of superelitebusiness.com to see what action to take upon the email.

Most DMARC policies are set to bounce, reject, or quarantine emails that are not DMARC-compliant; we have on a rare occasion noticed some DMARC policies that request delivery of all emails (regardless of any compliance failures). Nonetheless, if neither a DMARC record nor a DMARC policy exists, the email will be processed normally.

How can my emails be DMARC-compliant?

Emails will be DMARC-compliant when the following three conditions are met: 

1. Your Mailgun (sub)domain's DKIM record is configured within your DNS provider's system and verified by Mailgun's system.
   • A verified domain is indicated by a green check next to a domain on the Domains page of the Mailgun Control Panel.
2. The (sub)domain present in the From address of the emails matches the Mailgun sub(domain) you're using to authenticate with and send your emails through.
   • For example, someone authenticating with and sending emails through the subdomain marketing.johndoe.com will need to ensure the From addresses uses the subdomain of marketing.johndoe.com or root domain of johndoe.com.
   • Special Note: Authenticating and sending with a subdomain? Do not use the root domain in the From address if your DMARC record has the aspf tag set to "strict", i.e. aspf=s. You will need to use "relaxed", i.e. aspf=r
3. Your Mailgun sub(domain) has a DMARC record configured within your DNS provider.
   1. Special Note: Do you send bulk email (commercial, marketing, etc.)? This step is especially important for you: create a DMARC record for your sending domain(s) with your DNS provider with a minimum policy set to none.
   2. Further, ensure your emails have one-click unsubscribes enabled.

What policy should I use?

While we cannot prescribe what specific policy you need for your use case, we can say is that for Google/Yahoo, you must have at least a policy of none (i.e. p=none). The below list reviews the DMARC policy options available for DMARC records:

• Reject: Messages that fail authentication should not be delivered (p=reject).
• Quarantine: Messages that fail authentication should be filtered into the spam folder (p=quarantine).
• None: Provides no guidance. Mailbox providers must decide how to filter authentication failures (p=none). 

Can you explain the DMARC syntax?

Here is an example record for a fictional domain, called testdomain.com, with its DNS host(name) and value:

• Host(name): _dmarc.testdomain.com
• Value: v=DMARC1; p=quarantine; pct=100; rua=mailto:frodo.baggins@hobbiton.co.nz; aspf=s; adkim=s

Required:

• _dmarc - identifies the TXT record as a DMARC policy.
• v=DMARC1 - version of DMARC used (there is only 1 version at this time).
• p=quarantine - is the policy action with three possible options.
  • quarantine - Option to send a failed message to the spam folder.
  • none - Option to do nothing; also known as reporting only.
  • reject - Option to refuse mail that fails DKIM and SPF.

Optional:

rua=mailto: - Identifies the destination for the aggregate reports.

pct=100 - specifies how much traffic should be subject to policy validation(percentage).

aspf=s - is the strictness for alignment of domain used in SPF check.

adkim=s - is the strictness for alignment of domain used in DKIM check.

Please note: "strict" alignment will reject subdomains whereas "relaxed" will allow any subdomains i.e. with a strict policy a mail-from of "mg.domain.com" and a from of "domain.com" will fail but would pass with a relaxed policy.

What tools can help me configure as well as monitor DMARC?

Ultimately, your DNS provider will be the primary source to contact regarding DMARC configuration questions and monitoring. Additionally, tools such as Red Sift Investigate, Red Sift BIMI Checker, MX Toolbox and Dmarcian Record Wizard can be helpful in checking your configuration as well as pointing out certain problems the configuration may have.

How do I receive replies to my email?

If you need to ensure that any reply emails are routed to a specific address, we recommend using the Reply-To header so that while the From address is configured in a DMARC-compliant manner you will still receive any replies to your emails.

What is the best way to check if my DMARC configuration is working as expected before it goes live?

Ideally, your team has a test domain (a personal domain, a subdomain, etc.) that is set up similarly to your live domain. Set Up a DMARC record and test sending your emails through the test domain to test email addresses at various mailbox providers (Gmail, Yahoo, etc.). You can check the headers on the received messages to see whether the SPF, DKIM, DMARC are verified, the List-Unsubscribe is present and One-Click Unsubscribe is possible, and that the emails are delivered as expected (Inbox vs. Spam or not at all).

Ongoing reporting can be achieved through our aggregate DMARC reporting in the Mailgun app.

For additional testing, consider running an inbox placement test and monitoring your DMARC authentication success rates with Google Postmaster Tools.

Need Support?

Our Support Team here at Sinch Mailgun is happy to help! Reach out to us in the Support page of your Mailgun Control Panel, and we'll be with you shortly!