Why did we create this tool?
DMARC is an extremely powerful tool for stopping email spoofing. At the same time, it’s highly complicated and risky to implement. If you set a DMARC policy without knowing all of your email sources (mailboxes, email marketing, CRM, transactional email, server alerts, etc.), you could potentially reject legitimate emails. This tool collects reports from ISPs and presents them to you in human-readable emails sent once per week. This will make it much easier to understand and implement DMARC on your domain.
What if I still want to receive the raw aggregate DMARC reports?
You can include multiple email addresses in the rua tag of your DMARC record, allowing you to receive the raw reports while also using the Postmark DMARC reporting tool. For example, if the Postmark DMARC reporting tool generated this DMARC record:
v=DMARC1; p=none; pct=100; rua=mailto:firstname.lastname@example.org; sp=none; aspf=r;
but you still want to receive the raw DMARC reports at email@example.com, you could modify the DMARC record to be:
v=DMARC1; p=none; pct=100; rua=mailto:firstname.lastname@example.org, mailto:email@example.com; sp=none; aspf=r;
Why do Postmark’s emails fail SPF DMARC alignment?
As with most email service providers, Postmark uses a custom domain to collect bounces through the "Return-Path" header in emails. This address resides at the domain pm.mtasv.net. For SPF alignment, DMARC requires the Return-Path domain and the From address domain to match. This means that ESPs will fail SPF DMARC alignment. Don’t worry though: DMARC only requires either SPF or DKIM to be aligned. Some ESPs get around this by using a Sender header, but we never liked that option due to the “on behalf of” message that can show up in email clients. In addition, we like our customers to build a reputation on their own domains by using custom DKIM in their DNS. To fully support DMARC when sending emails from Postmark, you can add a custom Return-Path domain for your own domain. This will allow the Return-Path to match the From address, resulting in a passing SPF DMARC alignment for your emails. To learn more, please read our support article on adding a custom Return-Path domain.
Why does my DMARC DNS record fail verification?
It’s quite common for DNS providers to take up to 24 hours to propagate changes. If this is the case, we will attempt to verify your DMARC DNS record every 30 minutes. Once verification is successful, you will receive an email confirming your weekly subscription.
Are there any limitations imposed by this service?
We provide DMARC reports as a free service. As such, there are certain limitations to the service at the moment to help us keep everything running smoothly:
- We will only fully process DMARC reports with fewer than 100,000 records (DMARC report records are XML nodes that contain aggregated information for a specific IP address). Any report exceeding this limit will be truncated to the first 100,000 items.
- We will store raw reports for up to 9 months. The maximum size of an unarchived DMARC report that we will store is 3MB. For larger reports we will first extract the metadata and make it available to you, and then the reports will be discarded.
- We will store the report metadata in a form retrievable via the API for up to 9 weeks.