Implement DMARC to control and improve email delivery.
Adam Palicz
Apr 30, 2024
DKIM Troubleshooting Tips
Incorrect Selector: If your DKIM isn't validating, double-check the selector used in your DNS record. The selector must match the one your email sending service uses to sign your emails.
Public Key Mismatch: Verify that the public key in your DNS matches the key your email service provider uses. Any discrepancy will cause DKIM verification to fail.
DNS Record Formatting: Ensure your DKIM TXT record is correctly formatted, including the correct use of semicolons and quotes. Incorrect formatting can prevent DKIM verification.
Test Your DKIM Record: Use online DKIM record testing tools to verify that your DKIM record is valid and accessible. These tools can provide insights into what might be wrong with your DKIM setup.
DMARC: Taking Control of Email Authentication
DMARC (Domain-based Message Authentication, Reporting & Conformance) acts as an extra layer of security by instructing email servers on how to handle emails failing DKIM and SPF (another authentication protocol) checks.
Why is DMARC Important?
DMARC safeguards your users from malicious emails attempting to steal personal information or impersonate your brand. Additionally, it enhances email deliverability by ensuring legitimate emails from your domain land in inboxes, not spam folders.
How Does DMARC Work?
Imagine DMARC as a set of instructions for email servers. It relies on the results of DKIM and SPF checks:
DKIM: Digitally signs your emails, verifying their origin (as explained earlier).
SPF (Sender Policy Framework): Identifies authorized servers allowed to send emails on your behalf.
If both checks fail, DMARC dictates how the email server should handle the email. There are three policy options:
None: Emails are delivered to the inbox, but DMARC reports allow you to monitor unauthorized email activity.
Quarantine: Suspicious emails are placed in spam folders for further review.
Reject: Emails failing authentication are entirely blocked, ensuring maximum security (requires careful configuration to avoid blocking authorized senders).
How to Set Up DMARC
Access your Domain Registrar's Control Panel: Locate the DNS management section.
Understand DNS Records: DNS records act like phonebook entries, directing traffic to your website and email. You'll be adding a new TXT record for DMARC.
Generate a DMARC Record: Use AI DMARCLY's free DMARC Record Generator (link included at the end of this FAQ) or your ESP's settings to create a DMARC record. This record specifies details like hostnames and policy preferences.
Add the Record to your DNS Zone: In your domain registrar's control panel, create a new TXT record. Copy the specific details from your generated DMARC record into the corresponding fields. Save your changes.
DMARC Settings Explained:
DMARC records contain specific tags, some required and some optional:
Required Tags:
v=DMARC1: Specifies the DMARC protocol version (always 1).
p=: Defines the policy for handling emails failing authentication (choose "none," "quarantine," or "reject").
You have to write:**"v=DMARC1; p=none"**
Optional Tags (for finer control):
aspf & adkim: Allow checking SPF and DKIM authentication (values: "r" for relaxed or "s" for strict checking).
pct: Percentage of emails subject to the DMARC policy (e.g., "pct=20" applies the policy to 20% of emails for initial monitoring).
sp: Defines a separate DMARC policy for specific subdomains within your domain.
rua: Specifies an email address to receive daily aggregated DMARC reports for analysis.
rf: Instructs email servers to send reports if an email fails authentication checks.
fo: Defines failure reporting options for situations where the report mechanism fails. Values can be:
fo=0: Default option. Send a report if none of the authentication steps are passed.
fo=1: Send a report if at least one authentication stage is not passed.
fo=d: Send a report if DKIM authentication fails.
fo=s: Send a report if SPF authentication fails.
Choosing the Right DMARC Policy
For beginners, start with the "none" policy to observe its impact without affecting email delivery. Once comfortable, you can gradually transition to a stricter policy like "quarantine" or "reject."
Enhanced Security: Protects users from spam and phishing attempts.
Insights & Control: DMARC reports provide valuable data on email authentication activity for your domain.
Free DMARC Record Generator
Generate your DMARC record easily with DMARCLYs free tool! Simply follow these steps:
Input your email address.
Select the "Generate DMARC Record" option.
The generated record will be displayed at the bottom of the page within a green box.
DMARC Troubleshooting Tips
Policy Too Strict: Starting with a 'reject' policy can lead to legitimate emails being blocked. Begin with a 'none' policy, monitor your reports, and adjust as necessary.
Receiving No Reports: If you're not receiving DMARC reports, check that the rua= tag in your DMARC record is correctly formatted and points to an email address that can receive messages. Ensure your email service doesn't block these reports as spam.
Alignment Issues: DMARC requires that the domain in the From address aligns with the domains in the SPF and DKIM checks. Ensure your email sending practices adhere to this requirement.
Utilize DMARC Analytical Tools: Several online tools can help you analyze your DMARC reports and settings. These tools can highlight issues and offer actionable recommendations.
Conclusion
By implementing DNS, DKIM, and DMARC together, you can significantly enhance your email deliverability and security.
DNS: Ensures emails are routed correctly by translating domain names into IP addresses.
DKIM: Adds a digital signature to your emails, verifying their authenticity.
DMARC: Instructs email servers on how to handle emails failing authentication checks, providing additional security and insights.
AI Piping is here to help you navigate the world of email deliverability. We offer a user-friendly platform and resources to ensure your emails reach their intended recipients. Have any questions? Feel free to contact our AI Piping support team!