We're experiencing difficulty. Our engineers are on it. Please check status.mailgun.com for real-time updates.

DMARC

Article Preview

     

    Overview

    DMARC is a DNS record intended to verify both the sender's and their email's legitimacy, and thereby, increase email security. While Mailgun neither offers DMARC records nor checks for their presence, your emails sent through Mailgun can still comply with DMARC.

    Interested in the 2024 Google and Yahoo DMARC changes? Read more here!

    Seeking to know more about One-Click Unsubscribes and List-Unsubscribes? Check this article!

     

    What Is DMARC?

    The goal of DMARC is to authenticate that the person who claims to be sending the email really is the person sending the email. As more email service providers adopt DMARC, emails with misaligned sending/from domains will be quarantined, marked as spam, or rejected completely.

    How does DMARC work exactly? A receiving email server checks whether the SPF and DKIM values in the email are aligned, i.e. the consistency among the facets of authentication evaluated by SPF and DKIM. If a misalignment is detected, the receiving email server checks whether the domain listed in the From address has a DMARC record. If a DMARC record exists, an email server then will check whether the domain that sent the email is permitted to do so by the DMARC record as well as the action the receiving email server should take upon the email in light of the misalignment.

    In short: DMARC relies on the sending domain's SPF and DKIM records as the basis for the authentication checks; moreover, depending on the outcome of those checks, informs how the recipient email server must handle the email - such as quarantining or rejecting the email.

    Let's clarify this concept through example. John Doe (john.doe@johndoe.com) sends an email through Mailgun to Jane Doe (jane.doe@yahoo.com), but John configures a From address (john.doe@superelitebusiness.com) with a domain that differs from the sending domain. 

    • John's sending domain (sometimes contained in the Sender header) is johndoe.com
    • John's domain in the From address is superelitebusiness.com
    • The recipient's domain in the To address is yahoo.com

    Yahoo, as the recipient email server, first evaluates whether the Sender and From domains match. If they do not match, Yahoo next performs a lookup of the DMARC record for superelitebusiness.com, which is the domain listed in the From address. If a DMARC record exists for superelitebusiness.com, Yahoo then checks the DMARC policy of superelitebusiness.com to see what action to take upon the email.

    Most DMARC policies are set to bounce, reject, or quarantine emails that are not DMARC-compliant; we have on a rare occasion noticed some DMARC policies that request delivery of all emails (regardless of any compliance failures). Nonetheless, if neither a DMARC record nor a DMARC policy exists, the email will be processed normally.

     

    How can my emails be DMARC-compliant?

    Emails will be DMARC-compliant when the following three conditions are met: 

    1. Your Mailgun (sub)domain's DKIM record is configured within your DNS provider's system and verified by Mailgun's system.
      • A verified domain is indicated by a green check next to a domain on the Domains page of the Mailgun Control Panel.
    2. The (sub)domain present in the From address of the emails matches the Mailgun sub(domain) you're using to authenticate with and send your emails through.
      • For example, someone authenticating with and sending emails through the subdomain marketing.johndoe.com will need to ensure the From addresses uses the subdomain of marketing.johndoe.com or root domain of johndoe.com
      • Special Note: Authenticating and sending with a subdomain? Do not use the root domain in the From address if your DMARC record has the aspf tag set to "strict", i.e. aspf=s
    3. Your Mailgun sub(domain) has a DMARC record configured within your DNS provider.

     

    How do I receive replies to my email?

    If you need to ensure that any reply emails are routed to a specific address, we recommend using the Reply-To header so that while the From address is configured in a DMARC-compliant manner you will still receive any replies to your emails.

     

    Need Support?

    Our Support Team here at Sinch Mailgun is happy to help! Reach out to us in the Support section of your Mailgun Control Panel, and we'll be with you shortly!