DMARC email authentication

Article author
Kelly Sutter

DMARC defines a policy for how to handle email messages that fail DKIM and SPF authentication. This article explains more about DMARC and how to use DMARC with WordFly.

You should get help from your IT team or IT consultant whenever making changes/updates to your DNS. 

 

DMARC changes for 2024

  • As of April 2024, Google and Yahoo require all incoming email to have a DMARC record on your sending domain. Strict enforcement starts June 1st.
    This record needs to be published in your DNS. Without it, Google and Yahoo will deny delivery of your emails sent from WordFly (and any other email applications you might use for transactional emails, etc.).

  • The new sender requirements expect a policy to be set in your record, but they do not require a specific policy. A policy of p=none on your sending domain will satisfy the new requirements. The p=none setting allows you to monitor your email traffic without taking any action on messages that fail DKIM and SPF authentication.

  • Your DMARC record should specify a recipient for aggregate reports so you can monitor DMARC compliance and issues. Valimail Monitor is a free monitoring service that can help with this. Register at Valimail and then add the Valimail Monitor monitoring address to your DMARC record.

 

How to set up DMARC

You have two options for setting up your DMARC record depending on which domain your WordFly messages use for DKIM signing.

 

Option 1 //
If you use your From address domain for DKIM signing...

FOLLOW THESE STEPS NOW

  • Confirm that you have published a DMARC record for your From address domain
  • Specify a recipient for aggregate reports so you can monitor DMARC compliance and issues


LATER: FURTHER OPTIMIZE DELIVERABILITY & PROTECT YOUR DOMAIN

If you haven’t already, work toward DMARC enforcement to protect your sending domain by setting a stricter policy. Do not take this step until you’ve confirmed that all mail streams for your From address domain are passing DMARC.

 

Option 2 //
If you use wordfly.com for DKIM signing...

FOLLOW THESE STEPS NOW

  • Confirm that you have published a DMARC record for your From address domain
  • Specify a recipient for aggregate reports so you can monitor DMARC compliance and issues
  • Set a policy of p=none in your DMARC record
    Any other policy will create delivery issues for your WordFly messages.


LATER: FURTHER OPTIMIZE DELIVERABILITY & PROTECT YOUR DOMAIN

Email us to start DKIM signing your WordFly emails using the domain used in your From address. Use a DMARC policy of p=none until you’ve confirmed that all mail streams for your From address domain are passing DMARC. Then, work toward DMARC enforcement to protect your sending domain by setting a stricter policy.

 

How do I know what domain I am using for DKIM signing?

You can determine which domain you are using for DKIM signing by viewing the email header in a message sent from your WordFly account. Search in the header for the “Signing-Domain” line.

Signing-Domain examples

Signing-Domain: mctommersoncenter.org
Signing-Domain: wordfly.com


Alternatively, you can search for the `d` attribute within the “DKIM-Signature” line. This line identifies which domain signed the message. The Signing-Domain and the `d` attribute will always match.

DKIM-Signature example

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=wordfly.com; s=wordfly02; t=1704841509; bh=2Rg8kkpI7BDhWGhmULttCPujqZbhVUHeB8MFQ=; h=Message-ID:From:To:Date:Subject:Content-Type; b=MiQgVWKYlfUElGDMMmn0gL7QaYomkLRbZAPkFQQWw2gQhQqz+J96Tc2dis36MC
EHk7HIKPn5KQ2dkI/uBN/covFDQOe8Nq5Y83UyrsiP+MRwu8PgQ
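The header check described above can be scripted. This is an added example, not WordFly's code: the function name `signing_report`, the sample message and its placeholder `bh=`/`b=` values are constructed, and the From domain is compared to the `d` value by exact match.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample headers; bh= and b= are placeholders, not real signature data.
SAMPLE = """\
From: Box Office <news@mctommersoncenter.org>
To: patron@example.com
Subject: Season announcement
Signing-Domain: wordfly.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=wordfly.com;
 s=wordfly02; t=1704841509; bh=PLACEHOLDER;
 h=Message-ID:From:To:Date:Subject:Content-Type; b=PLACEHOLDER

Body
"""

# Matches the d= tag only when it starts a tag (after ';' or at the start),
# so it cannot be confused with the end of another tag name such as bh=.
D_TAG = re.compile(r"(?:^|;)\s*d\s*=\s*([^;\s]+)")

def signing_report(raw_message):
    """Report the From domain, the DKIM d= domains and which setup option applies."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    signers = []
    for value in msg.get_all("DKIM-Signature", []):  # a message may carry several
        match = D_TAG.search(value)                  # works across folded lines
        if match:
            signers.append(match.group(1).lower())
    header = (msg.get("Signing-Domain") or "").strip().lower()
    if from_domain and from_domain in signers:
        option = 1      # Option 1: signing with the From address domain
    elif "wordfly.com" in signers:
        option = 2      # Option 2: signing with wordfly.com, so keep p=none
    else:
        option = None   # no matching signature found; inspect the header by hand
    return {"from_domain": from_domain, "signing_domains": signers,
            "signing_domain_header": header, "option": option}

if __name__ == "__main__":
    print(signing_report(SAMPLE))
```

Paste the full header of a message sent from your own account in place of `SAMPLE` to see which option applies to you.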

 

How to view the email header →

 

How to create a DMARC record

If you have not yet published a DMARC record, you can use this tool from dmarcian to help you create one. To create a basic record for getting started with DMARC, you just need to complete the first three steps.

 

DMARC Record Wizard →

 

  1. Enter your sending domain

    Step 1 asks you to enter your sending domain
  2. Specify your policy

    Select the ‘Nothing yet, just collect data’ option. This will set a policy of `none`, which allows you to monitor your mail to determine when you are ready to apply a stricter policy. You should always start with a policy of `none` even if you are working toward a stricter policy. Any other policy will create delivery issues for your WordFly messages.

  3. Specify an address for your aggregate reports

    You should always specify a recipient for aggregate reports so you can monitor DMARC compliance and issues. Valimail Monitor is a free monitoring service that can help with this.

    Step 3 asks you to enter the email address you are using to monitor DMARC compliance

  4. Move through the remaining steps 4-7 using the supplied default settings

  5. The wizard will generate the syntax for the TXT record that you need to publish in your DNS.

 

DMARC record syntax

Version (v)

The v tag is required and represents the protocol version.

  • This should be v=DMARC1

Policy (p)

The policy tells receivers what to do with messages that fail email authentication.

You should always start with this policy:

  • p=none
    Monitor messages that fail DKIM and SPF authentication, but take no further action. Start with p=none, even if you are working toward a stricter policy. You will meet the new requirements with this policy.

If you are signing with your own domain *and* you’ve confirmed that all mail streams for your From address domain are passing DMARC, you can set a stricter policy.

  • p=quarantine
    Send messages to the spam folder if they fail DKIM and SPF authentication.

  • p=reject
    Do not deliver messages that fail DKIM and SPF authentication.

RUA Report Email Address (rua)

The rua tag specifies where monitoring reports should be sent. Valimail Monitor is a free monitoring service that can be used to collect and analyze DMARC reports.
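To tie the three tags together, the following added example (not WordFly's or dmarcian's code) checks a DMARC TXT record, as published at `_dmarc.<your From address domain>`, against the checklist in this article. The function names and sample record are constructed, the report address is a placeholder, and the signing domain is compared to the From domain by exact match.

```python
# Constructed sample record; the rua address is a placeholder.
SAMPLE_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.org"

VALID_POLICIES = {"none", "quarantine", "reject"}

def parse_dmarc(txt):
    """Return the record's tags as an ordered list of (name, value) pairs."""
    pairs = []
    for part in txt.strip().strip('"').split(";"):
        if part.strip():
            name, _, value = part.partition("=")
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def check_dmarc(txt, signing_domain, from_domain):
    """List the problems this article's checklist would flag; [] means OK."""
    pairs = parse_dmarc(txt)
    tags = dict(pairs)
    problems = []
    # The version tag must come first and must read exactly v=DMARC1.
    if not pairs or pairs[0] != ("v", "DMARC1"):
        problems.append("record must start with v=DMARC1")
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        problems.append("p must be none, quarantine or reject")
    # rua holds one or more comma-separated mailto: URIs.
    rua = [u.strip() for u in tags.get("rua", "").split(",") if u.strip()]
    if not any(u.lower().startswith("mailto:") for u in rua):
        problems.append("no rua recipient for aggregate reports")
    # Option 2 in this article: mail signed by another domain needs p=none.
    stricter = policy in {"quarantine", "reject"}
    if stricter and signing_domain.lower() != from_domain.lower():
        problems.append("DKIM signing domain differs from From domain: keep p=none")
    return problems

if __name__ == "__main__":
    print(check_dmarc(SAMPLE_RECORD, "wordfly.com", "example.org"))
```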

 

More resources

Why DMARC?

How to Publish a DKIM Record

The Ins and Outs of DMARC Monitoring