What is DMARC?
DMARC is a standard that allows you to set policies on who can send email for your domain based on DKIM and SPF. If you are new to email authentication, we recommend first reading about SPF and DKIM. In combination with SPF and DKIM, a DMARC policy in DNS allows you to set rules to reject or quarantine (junk folder) emails from sources you do not know. Through support from ISPs (Gmail, Yahoo, Microsoft and more) DMARC also allows you to receive reports on sending activity for your domain.
How does it work?
DMARC is based on a DNS TXT record that is added to the _dmarc subdomain of your domain. The format and values of the record defines your DMARC policies as well as where you would like to receive reports. A typical DMARC record looks like this:
v=DMARC1; p=none; pct=100; rua=mailto:email@example.com; sp=none; aspf=r;
Here is a quick description of the tags:
The important tags are p= and pct= when it comes to controlling how ISPs accept your email. The p= record can be set to quarantine, reject or none. ISPs that support DMARC will look up the results of your DKIM and SPF records for messages they receive for your domain. If SPF and DKIM are not aligned, the messages can be quarantined (sent to junk folder) or rejected completely. The pct= allows you to define how many messages you would like to be filtered based on the DMARC results. And finally, the rua= tag is the email address where you would like to receive reports.
How can I implement DMARC for my domain?
DMARC is extremely powerful as a tool to stop email spoofing. At the same time, it's highly complicated and risky to implement. If you set a DMARC policy without knowing all of your email sources (mailboxes, email marketing, CRM, transactional email, server alerts, etc) you could potentially reject legitimate emails. It is recommended that you first set your DMARC policy to p=none. This will allow you to receive reports on the sending sources of your emails and slowly align all outgoing email with DKIM and SPF for your domain.
To make this easier, we created a tool at dmarc.postmarkapp.com. This tool collects reports from ISPs and presents them to you in human-readable emails sent once per week. This will make it much easier to understand and implement DMARC on your domain as you slowly move to implementing a quarantine or reject policy.