
What is DMARC?


If you send emails with your domain, you most likely have a DMARC record in your DNS. This is a piece of verification designed to protect a domain against abuse and phishing attacks. At Lettermint, we also rely on this DNS record to send transactional emails. We'll explain exactly how this works in this article.

What is DMARC

DMARC stands for Domain-based Message Authentication, Reporting and Conformance. That's quite a mouthful of technical terms, but what it boils down to is a protocol designed to prevent phishing.

It was developed in 2012 by PayPal, Google, Microsoft and Yahoo!, among others, because they saw enormous phishing abuse in the financial sector, with senders impersonating companies. With a valid DMARC record, you prevent others from sending emails on your behalf and ensure mail programs recognize legitimate emails instead of marking them as spam.

There's a good chance your spam folder also contains phishing emails: emails that appear at first glance to come from a legitimate email address, but in reality weren't sent by the actual company. This is also known as email spoofing. Bad actors send these emails, and thanks to DMARC they fortunately land directly in spam and are marked as unsafe.

How DMARC works

DMARC acts as a checkpoint for all emails sent from a domain. It checks whether an email truly originates from that domain and instructs the receiving mail server what to do if it doesn't.

DMARC also uses techniques like SPF and DKIM to verify the authenticity of emails. This determines whether suspicious emails should land in the spam folder, be rejected entirely, or just be monitored. You can also receive reports to gain insight into who's trying to send emails on behalf of your domain and how they're being processed.

How to set up DMARC

As we mentioned earlier, DMARC is managed in your domain's DNS. With a so-called DMARC record, you as the domain owner determine what should happen when your domain is abused. If you want to block all such emails and stay informed about abuse, you configure that in this record.

DMARC has 2 required fields and 7 optional fields. Here's an example of what a valid DMARC record looks like with just the required fields:

    v=DMARC1; p=none

With 7 optional fields, you can tighten security even further. External tools may also require certain fields, as we see with Apple Branded Mail. They require, for example, the pct value at 100 and p at reject or quarantine.

All DMARC fields

Here's an overview of all DMARC fields:

| Field | Name | Required | Description | Possible values |
|---|---|---|---|---|
| v | Version | Yes | Which version of DMARC you're using | DMARC1 |
| p | Policy | Yes | What happens to emails that don't meet your rules | none, quarantine, reject |
| rua | Aggregate Report URI | No | Where to receive summaries of all email activity | URI (e.g. mailto:dmarc@example.com) |
| ruf | Forensic Report URI | No | Where to receive detailed reports of suspicious emails | URI (e.g. mailto:forensic@example.com) |
| sp | Subdomain Policy | No | Separate rules for subdomains (e.g. mail.lettermint.co) | none, quarantine, reject |
| pct | Percentage | No | What percentage of emails to apply the rules to | 0-100 (default: 100) |
| adkim | DKIM Alignment | No | How strictly to check DKIM signatures | r (relaxed), s (strict) |
| aspf | SPF Alignment | No | How strictly to check sender IP addresses | r (relaxed), s (strict) |
| fo | Failure Reporting Options | No | When to receive detailed reports | 0, 1, d, s |
| rf | Report Format | No | What format to receive reports in | afrf (default) |
| ri | Report Interval | No | How often to receive aggregate reports (in seconds) | Default: 86400 (24 hours) |

As you can see, it's quite a list of fields. That's why it's difficult to advise which fields are important for you, since we don't know beforehand whether you use other tools besides Lettermint.

At Lettermint, we therefore only require a valid DMARC record. This means that Version and Policy must be included in your DNS.

Setting up DMARC

You publish the DMARC record as a TXT record in the DNS of the (sub)domain you want to use. If you want to send emails from contact@example.com, you place the DMARC record at _dmarc.example.com. If you want to send from contact@mail.example.com, you place the DMARC record on the subdomain: _dmarc.mail.example.com.

You can check whether you have a valid DMARC with our DMARC Checker in the next step.

Note: always place an _ before dmarc. Without an underscore, your DMARC won't work.
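
The record location and the field values from the table above can be checked mechanically before you publish. The following is an added example, not Lettermint's code or its DMARC Checker: the function names are hypothetical, the sample records in the comments are constructed, and the rule that v must be the first tag comes from RFC 7489 rather than from this article.

```python
# Added example: checks a DMARC TXT value against the field table in this article.
POLICIES = {"none", "quarantine", "reject"}
FIXED = {"sp": POLICIES, "adkim": {"r", "s"}, "aspf": {"r", "s"}, "rf": {"afrf"}}


def dmarc_name(sender):
    """DNS name holding the DMARC TXT record for a sender address or domain."""
    domain = sender.rsplit("@", 1)[-1].strip().rstrip(".").lower()
    return "_dmarc." + domain


def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict; the first occurrence of a tag wins."""
    tags = {}
    for part in filter(str.strip, record.split(";")):
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError("malformed tag: " + part.strip())
        tags.setdefault(key.strip().lower(), value.strip())
    return tags


def validate_dmarc(record):
    """Return a list of problems; an empty list means the record is valid."""
    try:
        tags = parse_dmarc(record)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if list(tags)[:1] != ["v"] or tags["v"] != "DMARC1":
        problems.append("v=DMARC1 must be the first tag")  # ordering per RFC 7489
    if tags.get("p", "").lower() not in POLICIES:
        problems.append("p must be none, quarantine or reject")
    for tag, allowed in FIXED.items():
        if tag in tags and tags[tag].lower() not in allowed:
            problems.append(tag + " has an unsupported value: " + tags[tag])
    if not set(tags.get("fo", "0").lower().split(":")) <= {"0", "1", "d", "s"}:
        problems.append("fo must be a colon-separated list of 0, 1, d, s")
    pct = tags.get("pct", "100")
    if not (pct.isdecimal() and int(pct) <= 100):
        problems.append("pct must be an integer from 0 to 100")
    return problems


def is_enforced(record):
    """True for a valid record with p=quarantine or p=reject and pct at 100."""
    if validate_dmarc(record):
        return False
    tags = parse_dmarc(record)
    return tags["p"].lower() != "none" and int(tags.get("pct", "100")) == 100
```

Pass `validate_dmarc` the TXT value found at `dmarc_name("contact@example.com")`; `is_enforced` reports whether the record also meets the stricter pct and p requirement mentioned for Apple Branded Mail.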


DMARC Check

Want to check if you have a valid DMARC record? Use the DMARC Checker below to check a domain's DMARC. The tool indicates whether a domain has a valid DMARC or not.

This way you can also see which fields other companies use. For instance, at Lettermint we use Subdomain Policy and Percentage in addition to the required fields.


Conclusion

At Lettermint, we ensure emails arrive in the recipient's inbox, never in the spam folder. We do this as quickly as possible, as you can see from our Time to Inbox statistics. With the required DMARC record, among other things, you can send emails through Lettermint that are considered safe by the recipient's mail server.

With the DMARC record, you control what happens when your domain is abused. Whether you want to be kept informed or want unsafe emails to be automatically rejected, fill in the fields that are important to you. Always test after setup whether you can still send emails through the tools you use.

With our DMARC Checker, you can verify whether your DMARC is valid and which values mail servers should use when receiving emails from your domain.
