Why Marketers Must Understand Simple DMARC, DKIM, and SPF

What’s all the hype about my email being rejected – the best possible DMARC guide for marketers

It’s been a huge week for me at Get Leads: we set up DMARC records for all customers who have DNS through us in order to deal with the upcoming changes to email verification. Google and Yahoo came out a few weeks ago and said they will be bouncing messages to their accounts if email is not configured correctly with a DMARC record. I’m not an IT guy; well, I try not to call myself an IT guy, as I’d rather be called a marketing guy, so most of my articles concentrate on messaging, brand and marketing. However, sometimes there’s some crossover.

Email has always been an area where IT crosses over with marketing, but if you’re a marketer in Wagga and you choose to ignore the news, you could be setting yourself up for failure. This has huge impacts, especially for marketing campaigns where you pay for messages to be sent and they are not delivered.

Email is also a specialist area that marketers and IT struggle to stay ahead of. Gone are the days when you’d add a mail account for free to your cPanel hosting account. Email is a far more specialised area and because it’s mission critical you need to rely on it to work 100% of the time.

Over 20 years I’ve probably set up over a hundred G Suite or Google Workspace accounts for clients. Sometimes it could be hard convincing them of the value in reducing SPAM and giving them more functionality while paying $8+ per month per mailbox. In the old days we could sign up for a G Suite plan for free, but this changed a few years back when Google, in its commercial glory, forced all users on the legacy plan to switch.

This isn’t an article about the history of Google Workspace or Office 365, though, although I’ve had loads of pain with each over the years and still am not properly set up as a reseller in either.

How DMARC works with DKIM and SPF

This should clarify exactly how it works with some visuals and a great video from Easy DMARC.

Source: Easy DMARC


Understanding the configuration basics

These are the elements worth understanding even for a marketer:

  • Domain – Is just a name that you have the rights to lease. It could be .com.au or .com or even a .au
  • DNS – Your domain has a setting called the nameserver, which points to where your DNS is set up and tells the world what to do with internet-based traffic.
  • DNS Config – You can think of this as your phone book: there’s a bunch of records that point to the right addresses and locations. Some of these might be for email, others for web, and others for further marketing services and Google. It can be complicated. My DNS provider of choice is Cloudflare.
    • A name records – These point your name to what’s called an IP address: the address of the server on the internet that provides a service. Generally your website’s main root domain will be pointed to a web server address. (Cloudflare allows you to proxy, or point another address in front, to fool hackers.) An example A name could look like mydomain.com.au -> 45.56.78.98
    • C name records – This one points to another name that is already set up and is a bit simpler. You may find the www alias that prefixes your address uses a C Name and points to the main domain name. An example CName could look like the following: www -> mydomain.com.au
    • TXT – This is where the action is for what’s called SPF, DKIM and DMARC. It’s also used for a bunch of other authentication for providers. I’ll delve into each of these below.
      • SPF – This is a record that allows mail servers to check whether the email they have just received has come from an IP address or C Name that is authorised to send it. It has very specific syntax, but you can use an SPF generator to get the syntax right. For me this has always been a must on all sites, because in the past websites using the client’s domain name would send their contact form email from the web server, which would need its IP listed. An example could be something like v=spf1 include:_spf.google.com ~all
      • DKIM – Unfortunately I haven’t been as regimented in setting up DKIM over the years, mainly because it requires you to log in to the customer’s admin area and generate the record to copy to your DNS. When you first set up Google Workspace it also won’t let you do this until the account has been established, which could be a day or two. Effectively, DKIM provides a record that is added to your DNS, and on every email you send your mail program stamps the message with something like a fingerprint, which the receiving server checks via a DNS lookup. It’s a bit more complicated than that but it’s the general gist. Having DKIM will help the deliverability of your emails. An example DKIM record could look like the following, noting the subdomain often varies: default._domainkey.mydomain.com.au -> v=DKIM1; k=rsa; p=”random encrypted numbers and letters”
      • DMARC – Here’s our big one for Feb 2024. DMARC can be as simple or as complicated as the person setting it up makes it. In general you should set it up to report to an email address over a period of time so you can figure out where the emails from your domain are being sent from. The idea is that you can investigate whether emails are spoofing your address, which is to say people using your address without your permission. Generally, as you start with DMARC, this is the situation you’re in, but it’s not set-and-forget. Once you have set it up and know that all the services you use are allowed to send your emails via SPF and DKIM, you can set a flag on DMARC to tell other mail servers to reject messages on your domain if the sender is not on your SPF list and/or there’s no DKIM. You do not have to have DKIM set up for DMARC to work; it will still pass messages that meet the criteria, but ideally DMARC is set up to use both.
    • There are other records such as SOA and AAAA, and even more, that don’t really relate to DMARC, so we’re going to skip them. If you do want a rundown on the other DNS records, let me know.

Syntax of DMARC Explained

A starter example

v=DMARC1; p=none; rua=mailto:address@dmarcinput.com; ruf=mailto:address@dmarcinput.com

Like the other TXT records, the value starts by identifying the record type

v=DMARC1;

p comes next and stands for policy. This can be equal to “none”, “quarantine” or “reject” and refers to rules aligned in SPF and DKIM. None is usually used for a period of time while the operations person figures out if they need extra rules for SPF.

p=none

rua is the next part of the record and is the email address the collected data goes to.

rua=mailto:address@dmarcreprotingsytem.com

ruf is all about sending forensic reports. It isn’t quite like the feedback from rua, as it doesn’t contain a list of emails, unlike the rua reports.

fo=1

fo turns the forensic option on or off. You guessed it: 1 is for on, 0 is for off. In addition to these two, you can also use d or s to check for DKIM or SPF specifically.
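A small linter for the record syntax described above, as an added example that is not from the original article or any DMARC vendor. It checks the tags the article covers plus sp, using the three policy values RFC 7489 defines (none, quarantine, reject); BROKEN is a constructed record.

```python
import re

VALID_POLICIES = {"none", "quarantine", "reject"}  # RFC 7489 values for p= and sp=
VALID_FO = {"0", "1", "d", "s"}

def parse_tags(record):
    """Split 'tag=value; tag=value' into an ordered list of (tag, value)."""
    pairs = []
    for part in record.split(";"):
        if part.strip():
            tag, _, value = part.partition("=")
            pairs.append((tag.strip().lower(), value.strip()))
    return pairs

def lint_dmarc(record):
    """Return a list of problems in a DMARC TXT value (empty list = clean)."""
    pairs = parse_tags(record)
    tags = dict(pairs)
    problems = []
    if not pairs or pairs[0] != ("v", "DMARC1"):
        problems.append("record must start with v=DMARC1")
    if "p" not in tags:
        problems.append("missing required p= tag")
    for tag in ("p", "sp"):
        if tag in tags and tags[tag].lower() not in VALID_POLICIES:
            problems.append(f"{tag}={tags[tag]} is not a valid policy")
    for tag in ("rua", "ruf"):
        for uri in filter(None, (u.strip() for u in tags.get(tag, "").split(","))):
            if not re.fullmatch(r"mailto:[^@\s]+@[^@\s]+", uri, re.I):
                problems.append(f"{tag} value {uri!r} is not a mailto: URI")
    for opt in filter(None, (o.strip() for o in tags.get("fo", "").split(":"))):
        if opt.lower() not in VALID_FO:
            problems.append(f"fo option {opt!r} is not one of 0, 1, d, s")
    if tags.get("p", "").lower() == "none" and "rua" not in tags:
        problems.append("p=none without rua= sends you no aggregate reports")
    return problems

# The article's starter record, then a constructed broken variant.
STARTER = ("v=DMARC1; p=none; rua=mailto:address@dmarcinput.com; "
           "ruf=mailto:address@dmarcinput.com")
BROKEN = "v=DMARC; p=accept; rua=address@dmarcinput.com; fo=2"

if __name__ == "__main__":
    for rec in (STARTER, BROKEN, "v=DMARC1; p=none"):
        print(rec, "->", lint_dmarc(rec) or "OK")
```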

What does DMARC reporting look like?

Reporting systems collate the aggregate reports in a dashboard like the following:

It’s starting to get pretty interesting, right? We have a mix of compliant, rejected and quarantined. If your p from above is set to reject and there’s non-compliance, then we’re probably going to see more rejections.

What to do if you do see rejected emails from DMARC

Don’t panic. It might even be an IT guy who’s done some work on this before you, and those emails should be rejected. Someone could be trying to use the domain to spoof email as a SPAM address. The best option, I think, is to change your policy to p=none to better understand those emails that end up as non-compliant and go from there. If an email is non-compliant, it could be that it has SPF but doesn’t have DKIM, or vice versa.

Clarifying the DMARC categories

  • DMARC Compliant – Both SPF and DKIM are all good and checked by the servers receiving your emails
  • DMARC Non-Compliant – Houston, we have a problem, but let’s look at it calmly first and figure it out.
  • Rejected – The worst possible one. If your email’s not being abused, you have most likely forgotten something in your DNS setup.
  • Total Emails Reported – Sometimes you could have a split between DMARC non-compliant and compliant if you’re using multiple systems to send email.
  • Quarantined – It’s gone to SPAM
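To show what sits behind a dashboard like this, here is an added example (not the article’s or any vendor’s code) that tallies a DMARC aggregate (rua) XML report into these categories. The sample report is constructed, and a row is counted as compliant when either the aligned DKIM or the aligned SPF result is pass, which is how RFC 7489 evaluates DMARC.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample report (documentation IP ranges, the article's example domain).
SAMPLE_REPORT = """<feedback>
  <policy_published><domain>mydomain.com.au</domain><p>quarantine</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>40</count>
    <policy_evaluated><disposition>none</disposition>
      <dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>5</count>
    <policy_evaluated><disposition>none</disposition>
      <dkim>fail</dkim><spf>pass</spf></policy_evaluated></row></record>
  <record><row><source_ip>203.0.113.99</source_ip><count>3</count>
    <policy_evaluated><disposition>quarantine</disposition>
      <dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>"""

def summarise(xml_text):
    """Tally an aggregate report; return (totals, failing source IPs)."""
    # Reports arrive from third parties: in production, a hardened parser
    # such as defusedxml is the usual choice for untrusted XML.
    root = ET.fromstring(xml_text)
    totals, failing_sources = Counter(), Counter()
    for row in root.iter("row"):
        count = int(row.findtext("count", "0"))
        evaluated = row.find("policy_evaluated")
        dkim, spf = evaluated.findtext("dkim"), evaluated.findtext("spf")
        totals["total"] += count
        if "pass" in (dkim, spf):          # either mechanism is enough
            totals["compliant"] += count
            if dkim != spf:                # passing on one leg only: worth fixing
                totals["one_mechanism_only"] += count
        else:
            totals["non_compliant"] += count
            failing_sources[row.findtext("source_ip")] += count
        disposition = evaluated.findtext("disposition")
        if disposition in ("quarantine", "reject"):
            totals[disposition] += count
    return dict(totals), dict(failing_sources)

if __name__ == "__main__":
    totals, failing = summarise(SAMPLE_REPORT)
    print(totals)
    print("sources failing DMARC:", failing)
```

The failing source IPs are the list to work through: each is either a legitimate service missing from SPF/DKIM or someone spoofing the domain.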

As a website design agency are there any other considerations

Yes, and listen closely, because this is important to you but not to the IT guy managing an Office 365 account. If you use a transactional email service like Mailgun to relay email, it is usually set up on a subdomain, e.g. mg.yourdomainname.com, giving the service authority to send on your domain. It has SPF, DKIM and alignment settings that also need to be added in order to use the service on the subdomain. It also has its own DMARC setting, which should include an sp flag, which is the same as our p= for the main root. Sometimes you may find an sp=reject on the root; if this happens, your transactional email on the subdomains may not work.
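The sp behaviour described above, as an added example rather than code from the article or from Mailgun: it resolves which policy a receiver applies to a subdomain sender. The dns_txt dictionary stands in for live DNS lookups, the record values are constructed, and the organisational domain is passed in as an assumption rather than derived from the Public Suffix List.

```python
def tags(record):
    """Parse 'tag=value; tag=value' into a dict (lower-cased)."""
    parts = (p.partition("=") for p in record.split(";"))
    return {k.strip().lower(): v.strip().lower() for k, _, v in parts if k.strip()}

def policy_for(sender_domain, org_domain, dns_txt):
    """Return (policy, reason) a receiver applies to mail From: sender_domain.

    dns_txt maps DNS names to TXT values and stands in for live lookups.
    """
    own = dns_txt.get(f"_dmarc.{sender_domain}")
    if own:  # a record on the exact From: domain always wins
        return tags(own).get("p"), f"p= from _dmarc.{sender_domain}"
    root = tags(dns_txt.get(f"_dmarc.{org_domain}", ""))
    if not root:
        return None, "no DMARC record found"
    if sender_domain != org_domain and "sp" in root:
        return root["sp"], f"sp= inherited from _dmarc.{org_domain}"
    return root.get("p"), f"p= inherited from _dmarc.{org_domain}"

# Constructed zone: the root is only monitoring (p=none) but sp=reject is set.
ZONE = {"_dmarc.yourdomainname.com":
        "v=DMARC1; p=none; sp=reject; rua=mailto:reports@yourdomainname.com"}
# The same zone after the subdomain publishes its own record.
ZONE_FIXED = dict(ZONE, **{"_dmarc.mg.yourdomainname.com":
                           "v=DMARC1; p=none; rua=mailto:reports@yourdomainname.com"})

if __name__ == "__main__":
    for zone in (ZONE, ZONE_FIXED):
        print(policy_for("mg.yourdomainname.com", "yourdomainname.com", zone))
```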

The Marketers Perspective

As marketers we want our messages to reach our audience. We as the guide need to provide a solution to our hero, our customer. That’s why this stuff can’t just be handed to the IT crowd in the hope that they implement it correctly.

IT Professionals’ Oversight

Now don’t get me wrong, not every IT professional gets the above wrong or won’t do the DMARC for Feb 2024. I strongly think that IT is underrated and there should be some sort of professional body like the associations that look after plumbers and electricians. It should almost be legislated that you can’t install a router without an IT guy on the ground. If something goes wrong you’re going to need to call one anyway. I will say that in my check amongst my non-managed domains in Wagga, 90% of those managed by IT “professionals” are without a DMARC, and some are without SPF or DKIM. What really annoys me is they often have service contracts to make sure they look after this stuff. This is why I’d prefer to manage the DNS for my clients and provide the IT guy direct access via Cloudflare at an auditable level.

If you’re a marketing team I strongly suggest you contact your client’s IT contacts and ask “Have you set up a DMARC for my client?”

How do I check if I have a DMARC, DKIM or SPF?

Great question. There are many ways, and if you’re technical you’ll probably do it via the command line on a Mac by entering the following commands:

dig domain.com txt

Look for SPF in the returned information; a DMARC record is identified by v=DMARC1 at the beginning.

OR you can use for SPF:

MX Toolbox

dig _dmarc.domain.com txt

OR for DMARC

MX Toolbox again

OR for DKIM, on the Mac command line, look to see if it exists.

dig default._domainkey.domain.com txt

I will say that the default part of this subdomain varies greatly, so I’d suggest the best way is to log into your email admin area and check the DKIM area to see what the subdomain really is.

DMARC Tools

Why would you need a DMARC tool to set up your DNS config? It’s for the reporting, so that when you receive an XML DMARC report it goes into these tools as data metrics we can more easily understand. There are a lot of DMARC tools out there for the IT pro, and they should all use one to manage their clients’ email. There could be 50 of these products on the market at last Googling. To be clear, this is absolutely necessary when first starting with your DMARC record and for ongoing monitoring.

Some I can recommend: Power DMARC is probably the best hands down; the most expensive always are. They do, however, have a limited free account that just doesn’t include as many domains or some of the more advanced email checking mechanisms such as BIMI or TLS.

Easy DMARC – Given I used their video and resources I’d be remiss not to mention these guys. Their pricing is similar to Power DMARC and the feature inclusions are very similar. If you’re an agency, unless you’re charging decent money to your client it’s a bit expensive. Pay for the best, you get the best, naturally. Big names use Easy DMARC and they are clearly a reliable vendor in the area. They do have a free trial for 14 days that supports the rua flag for aggregate reports for a single domain, and it’s worth a try.

I personally use a pretty basic one called DMARC Report, which if you’re lucky you might be able to pick up on AppSumo as a steal of a lifetime deal. It is nowhere near as good as Power DMARC but is good enough for me until Google comes along and demands marketers have even more email boxes ticked.

Email Marketing DMARC in Conclusion

If you want help with DMARC, just ask. If you want us to look after all your DMARC, DKIM and SPF needs because you need to make sure your next email marketing campaign doesn’t end up in the trash again, let me know.

There’s a lot I haven’t covered under the heading of eDM systems, such as MailChimp, Flodesk, Mailerlite (the list goes on and on), and the records they ask for. If you’d like a breakdown for each, again, let me know.

Other DMARC Readings

Dark Reading – Cybersecurity Operations / Google and Yahoo to Push DMARC

Wagga Web Design

Jason Greenlees


Jason is the CEO of Regional Web Developer, one of the original founders of Angry Ant Web and a passionate WordPress educator. If you're interested in learning directly from Jason, you can book him for a one-to-one session.
