DMARC record dmarc-record
What is DMARC? what-is-dmarc
Domain-based Message Authentication, Reporting, and Conformance (DMARC) is an email authentication method that allows domain owners to protect their domain from unauthorized use. By offering a clear policy to email providers and Internet service providers (ISPs), it helps prevent malicious actors from sending emails claiming to be from your domain. Implementing DMARC reduces the risk of legitimate emails being marked as spam or rejected, and improve your email deliverability.
DMARC also offers reporting on messages that fail authentication, along with control over the handling of emails that do not pass DMARC validation. Depending on the implemented DMARC policy, these emails can be monitored, quarantined, or rejected. These capabilities empower you to take actions to mitigate and address potential errors.
To help you prevent deliverability issues while gaining control over mail that fail authentication, Journey Optimizer is now supporting the DMARC technology directly in its administration interface. Learn more
How does DMARC work? how-dmarc-works
SPF and DKIM are both used to associate an email with a domain and work together to authenticate email. DMARC takes this one step further and helps to prevent spoofing by matching the domain checked by DKIM and SPF.
To pass DMARC, a message must pass SPF or DKIM:
- SPF (Sender Policy Framework) helps verify that the email message comes from an authorized source by checking the sending server’s IP address against a list of authorized IP addresses for the domain.
- DKIM (DomainKeys Identified Mail) adds a digital signature to email messages, allowing the recipient to verify the message’s integrity and authenticity.
If both or either of these fail authentication, DMARC will fail, and the email will be delivered according to your selected DMARC policy.
DMARC policies dmarc-policies
If an email fails DMARC authentication, you can decide which action will be applied to that message. DMARC has three policy options:
- Monitor (p=none): Instructs the mailbox provider/ISP to do whatever they would normally do to the message.
- Quarantine (p=quarantine): Instructs the mailbox provider/ISP to deliver mail that does not pass DMARC to the recipient’s spam or junk folder.
- Reject (p=reject): Instructs the mailbox provider/ISP to block mail that does not pass DMARC resulting in a bounce.
DMARC requirement update dmarc-update
As part of their enforcing industry best practices, Google and Yahoo! are both requiring that you have a DMARC record for any domain you use to send email to them. This new requirement applies starting February 1st, 2024.
Consequently, Adobe strongly recommends you take the following actions:
Implement DMARC in Journey Optimizer implement-dmarc
The Journey Optimizer administration interface allows you to set up DMARC record for all the subdomains that you have already delegated or are delegating to Adobe. The detailed steps are described below.
Check your existing subdomains for DMARC check-subdomains-for-dmarc
To make sure that you have DMARC record set up for all the subdomains that you have delegated in Journey Optimizer, follow the steps below.
-
Access the Administration > Channels > Subdomains menu, then click Set up subdomain.
-
For each delegated subdomain, check the DMARC Record column. If no record was found for a given subdomain, an alert is diplayed.
note caution CAUTION To comply with the new requirement from Gmail and Yahoo!, and avoid deliverability issues with top ISPs, it is recommended to set up DMARC record for all delegated subdomains. Learn more -
Select a subdomain with no DMARC record associated and fill in the DMARC record section according to your organization’s needs. The steps to populate the DMARC record fields are detailed in this section.
-
Consider the two options below:
-
If you are editing a subdomain set up with CNAME, you must copy the DNS record for DMARC into your hosting solution to generate the matching DNS records.
Make sure that the DNS record has been generated into your domain hosting solution and check the box “I confirm…”.
-
If you are editing a subdomain fully delegated to Adobe, simply fill in the DMARC record fields detailed in this section. No further action is required.
-
-
Save your changes.
Set up DMARC for new subdomains set-up-dmarc
When delegating new subdomains to Adobe in Journey Optimizer, a DMARC record will be created in DNS for your domain. Follow the steps below to implement DMARC.
-
Set up a new subdomain. Learn how
-
Go to the DMARC record section.
If the subdomain has an existing DMARC record, and if it is fetched by Journey Optimizer, you can use the same values as highlighted in the interface, or change them as needed.
note note NOTE If you do not add any values, the pre-filled default values will be used. -
Define the action that the recipient server will perform if DMARC fails. Depending on the DMARC policy you want to apply, select one of the three options:
- None (default value): Tells the receiver to perform no actions against messages that fail DMARC authentication, but still send email reports to the sender.
- Quarantine: Tells the receiving email server to quarantine email that fails DMARC authentication - this generally means placing those messages in the recipient’s spam or junk folder.
- Reject: Tells the receiver to completely deny (bounce) any email for the domain that fails authentication. With this policy enabled, only email that is verified as 100% authenticated by your domain will even have a chance at inbox placement.
note note NOTE As a best practice, it is recommended to slowly roll out DMARC implementation by escalating your DMARC policy from None, to Quarantine, to Reject as you gain understanding of DMARC’s potential impact. -
Optionally, add one or more email addresses of your choice to indicate where DMARC reports on emails that fail authentication should go within your organization. You can add up to five addresses for each report.
note note NOTE Make sure you have a genuine inbox (not Adobe) in your control where you can receive those reports. There are two different reports generated by ISPs that senders can receive through the RUA/RUF tags in their DMARC policy:
- Aggregate reports (RUA): They do not contain any PII (Personally Identifiable Information) that could be GDPR-sensitive.
- Forensic failure reports (RUF): They contain GDPR-sensitive email addresses. Before utilizing, check internally how to deal with information that needs to be GDPR-compliant.
note note NOTE These highly technical reports provide an overview of emails that are attempted spoofing. They are best digested through a third-party tool. -
Select the applicable percentage of emails for DMARC.
This percentage depends on your confidence in your email infrastructure and the tolerance for false positives (legitimate emails being marked as fraudulent). It is common for organizations to start with DMARC policy set to None, gradually increase the DMARC policy percentage, and closely monitor the impact on legitimate email delivery.
note note NOTE Work with your email administrators and IT team to gradually increase the percentage as you gain confidence in your email authentication practices. As a best practice, aim for a high DMARC compliance rate, ideally close to 100%, to maximize the security benefits while minimizing the risk of false positives.
-
Select a reporting interval between 24 and 168 hours. It allows domain owners to receive regular updates on email authentication results and take necessary actions to improve email security.