Starting in February 2024, Gmail and Yahoo will require all email senders to have an SPF record, a DKIM record, and a DMARC record that aligns with a DKIM record in their domain's DNS.
Setting up your DMARC record is like setting up an SPF or DKIM record. Currently, you can quickly satisfy Gmail's requirements by "aligning" your DMARC record to your DKIM record.
Adding a DMARC record to your domain's DNS tells mailbox providers (Gmail, AOL, Yahoo, Hotmail, etc.) how to handle emails that fail both SPF and DKIM checks.
Alignment refers to the relationship between the domain in the From Header address of an email and the domain associated with the DKIM authentication check. Alignment requires that these domains match.
Setting up DMARC with DKIM alignment
- Gain access to the service that hosts your domain's DNS record (Cloudflare, GoDaddy, etc.).
- Check that both SPF and DKIM records have been created for your domain. You can check in Salsa Engage whether this is configured under the Sender Details of an email blast; note the green checks by SPF and DKIM in the screenshot below:
- Once you have verified your DKIM record exists, add a new TXT record in your DNS host which will hold your DMARC information. This record should be added to your apex domain (your domain without any subdomains, for example, mydomain.com, not subdomain.mydomain.com). A basic sample DMARC record would look like this:
v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.org
NOTE: rua= is an optional parameter. Mailbox providers will regularly email reports of your domain's usage on their platform. This can be helpful but can also generate a lot of email. You can use an email address from your organization, but we suggest using a DMARC monitoring service and inserting their provided email address.
- Once your DMARC record is created, check that it is aligned correctly with your DKIM record.
Checking your DMARC record is aligned correctly with your DKIM record
You can check your DMARC to DKIM alignment by sending an email through Salsa Engage to a Gmail account.
Send the email using an email address with your domain as the From Address (as you normally would). Open the email in Gmail and select “Show Original” from the ellipsis menu in the upper right. A new page will open, and in the table at the top you will see rows for SPF, DKIM, and DMARC with an indication of Pass or Fail.
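The same alignment check can be scripted against the raw headers that “Show Original” displays. The following is an added example, not part of Salsa Engage or the original article: the function names are hypothetical, the sample message is constructed, the organizational domain is approximated as the last two labels, and the receiver is assumed to report each verified DKIM domain as `header.d=`.

```python
import re
from email import message_from_string
from email.utils import parseaddr

def parse_dmarc(txt):
    """Split a DMARC TXT value into tags; v=DMARC1 must come first, p= must be valid."""
    pairs = [p.split("=", 1) for p in txt.split(";") if "=" in p]
    tags = {k.strip().lower(): v.strip() for k, v in pairs}
    if next(iter(tags), None) != "v" or tags["v"] != "DMARC1":
        raise ValueError("record must begin with v=DMARC1")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("p= must be none, quarantine or reject")
    return tags

def org_domain(domain):
    # Assumption: last two labels. Real receivers use the Public Suffix List,
    # so this is wrong for suffixes such as co.uk.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def dkim_aligned(from_domain, dkim_d, adkim="r"):
    """adkim=s: exact match. adkim=r (the default): same organizational domain."""
    if adkim == "s":
        return from_domain.lower() == dkim_d.lower()
    return org_domain(from_domain) == org_domain(dkim_d)

def check_message(raw_headers, dmarc_txt):
    tags = parse_dmarc(dmarc_txt)
    msg = message_from_string(raw_headers)
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2]
    results = " ".join(msg.get_all("Authentication-Results", []))
    # d= domains of the signatures the receiver verified (reported as header.d=)
    passed = re.findall(r"dkim=pass\b[^;]*?header\.d=([\w.-]+)", results)
    aligned = [d for d in passed if dkim_aligned(from_domain, d, tags.get("adkim", "r"))]
    return {"from": from_domain, "policy": tags["p"], "passed": passed, "aligned": aligned}

# Constructed sample: one signature from the sending platform's own domain,
# one from a subdomain of the From domain.
SAMPLE = """\
From: News <news@example.org>
Authentication-Results: mx.receiver.example;
 dkim=pass header.d=esp.example header.s=s1;
 dkim=pass header.d=mail.example.org header.s=s2;
 spf=pass smtp.mailfrom=bounce.esp.example
Subject: constructed test message

"""
if __name__ == "__main__":
    print(check_message(SAMPLE, "v=DMARC1; p=none; rua=mailto:dmarc@example.org"))
    print(check_message(SAMPLE, "v=DMARC1; p=none; adkim=s"))
```

A DKIM pass from the sending platform's own domain does not count toward DMARC; only a signature whose `d=` domain lines up with the From domain appears in `aligned`.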
Additional information about DMARC
DMARC stands for Domain-based Message Authentication, Reporting & Conformance. It's used to prevent malicious email senders from sending email that appears to be from your domain, also known as spoofing.
Adding a DMARC record to your domain's DNS tells mailbox providers (Gmail, AOL, Yahoo, Hotmail) how to handle email that fails both SPF and DKIM checks. Your DMARC record will tell mailbox providers to either quarantine (spam), reject (bounce), or do nothing with these emails (none). Gmail only requires a DMARC record set to ‘none’.
If set up properly, DMARC can help prevent malicious senders from spoofing your domain. If set up improperly, DMARC can cause your email to be sent to the spam folder or bounced. Gmail and Yahoo have stated that DMARC records can have a policy of 'none'. If you are setting up DMARC for the first time, we suggest setting your DMARC record to 'none' for now.
You can add the optional parameters rua=, ruf= and pct= to your DMARC record, which will instruct mailbox providers to regularly email you reports about the email they received from your domain. This is helpful but can be difficult to keep up with if you are not using a DMARC monitoring tool that consolidates this information for you. We recommend using a DMARC monitoring service and providing the email address that your DMARC tool provides. You can also choose to send these reports to yourself if you do not want to use a DMARC monitoring service.
The “rua” tag is used to specify an email address where aggregate reports of DMARC failures are sent, while the “ruf” tag (optional) is for forensic reports that provide more detailed information about individual failures. These reports are crucial for understanding and improving your email authentication setup.
A sample DMARC record with the rua and ruf parameters could look like this (but with an actual email address):
v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com; ruf=mailto:dmarc@yourdomain.com;
There are other optional parameters you can add to your DMARC record (pct=, adkim=, etc.). Depending on your DNS host, you may have to add them. For more information, see DMARC Overview.