Created to protect the inbox from spam, DMARC is an easy method that gives recipients of an email the ability to verify its validity and prevent domain abuse. The existing email authentication protocols, SPF and DKIM, have been subject to scrutiny for years, but DMARC is a major step forward in the fight against cybercrime, building on those protocols to strengthen the authentication system further.

Cybercriminals are well known for their devious tactics. Through email spoofing, they use the reputation of trusted brands to trick victims into opening malicious files or emails that contain malware, which gives them access to the victim’s computer and its confidential data. A common way to abuse company domains is spoofing, in which attackers impersonate the domains of small, medium, and large enterprises that do not practice email authentication.

How to Add a DMARC Record?

DMARC is an email authentication standard that enables the identification and prevention of email phishing and the misuse of company domains. It allows organizations to publish email policies, revealing details about the use of their domains for sending emails. Configuring the protocol requires the domain owner to add a DMARC record to their Domain Name System (DNS).

A DMARC record is a text record with a specific syntax that specifies the DMARC policy you want to select for your outbound emails, your SPF and DKIM alignment modes, and the email addresses at which you wish to receive your DMARC aggregate and forensic reports.

With DMARC you can direct your email receiving servers to either:

  • Deliver emails failing authentication (with p=none policy)
  • Quarantine emails failing authentication (with p=quarantine policy)
  • Reject emails failing authentication (with p=reject policy)

It’s easy to get your record syntax wrong, which can render it invalid. We recommend using a DMARC record generator tool that instantly creates it for you. Moreover, it individually explains all mechanisms in the toolbox so you have a better understanding of the protocol and its functionalities.

How Does DMARC Protect Your Domain’s Emails?

For a company that sends out newsletters and makes use of email marketing campaigns, DMARC ensures that your recipients only receive authentic and verified emails, from sources that are authorized to send emails on your behalf. Spam and other fraudulent emails with fake information are immediately stopped. Working together with SPF and DKIM, DMARC aligns email headers to identify whether the email originates from a legitimate source or has been manipulated using social engineering tactics to forge a legitimate domain.

Along with its various advantages against domain abuse and spoofing, DMARC also:

  • Improves server reputation
  • Improves email deliverability
  • Reduces the chance of your emails being marked as spam

PowerDMARC Makes DMARC Adoption Easy for Businesses

Configure our DMARC report analyzer today to not only implement the protocol in 3 easy steps but shift to an enforced policy with maximum protection, in no time. Receive your first DMARC reports within 72 hours of configuration and view them on an organized dashboard customized for your domain!

PowerDMARC brings to you the additional benefit of implementing other authentication protocols such as MTA-STS and BIMI to make your brand visually identifiable and boost your email marketing campaigns. Get the best out of your DMARC software solution today!

Having multiple DMARC records on your domain is a complete no-no, and here’s why! We know that implementing email authentication protocols like DMARC is essential to an organization’s reputation and data security, and to do that domain owners need to publish a TXT record in their DNS. But a question that resurfaces again and again in the community is: “Can I have multiple DMARC records on my domain?” The answer is no. Multiple DMARC records on the same domain can invalidate your record, and hence the DMARC authentication policy set for your domain fails to function.

How is a DMARC Record Processed by MTAs?

A DMARC record published in your domain’s DNS looks something like this:

TXT  mydomain.com  v=DMARC1; p=reject; rua=mailto:[email protected]

When a domain that has DMARC configured for it sends an email, the receiving MTA queries the DNS of the sending domain and fetches all TXT records that begin with v=DMARC1. The MTA may come across the following scenarios:

  1. It finds a single valid DMARC record in the DNS of the source domain and processes the email according to the DMARC policy specifications
  2. It finds no DMARC record for the sending domain, so DMARC processing automatically ceases and the email is delivered without verifying the source
  3. It finds multiple DMARC records on the same domain; in this case DMARC processing is also discontinued and the applied policy fails to be executed

Multiple DMARC Records: How to Fix It?

When you configure DMARC for your domain and set a policy, you want MTAs to respond to your emails in a way that aligns with your intentions. This is how DMARC can protect your domain against impersonation and spoofing. In order to help the configured protocol function effectively, we recommend the following steps:

  • Make sure you have not published multiple DMARC records for your domain
  • Make sure that your DMARC record does not contain syntax errors
  • Instead of manually generating your DMARC record, use reliable tools like our free DMARC record generator to do the job for you
  • Enable DMARC reports for your domain to monitor your email flow and authentication results from time to time, so that you can track delivery issues and take action against malicious sending sources
  • Make sure you stay under the SPF 10 lookup limit to avoid a permerror result
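
The three lookup outcomes listed under “How is a DMARC Record Processed by MTAs?” and the first two checks in the list above (a single record, no syntax errors) can be reproduced offline before you publish. The following Python is an added example, not PowerDMARC’s code; the function names, status labels and the example.com addresses used with it are constructed for illustration, and it takes as input the TXT strings already fetched from _dmarc.<domain>.

```python
VALID_POLICIES = {"none", "quarantine", "reject"}


def is_dmarc_record(txt):
    """True when the TXT string starts with the version tag v=DMARC1."""
    first_tag = txt.split(";", 1)[0]
    return "".join(first_tag.split()) == "v=DMARC1"


def parse_tags(record):
    """Split 'v=DMARC1; p=reject; ...' into a {tag: value} dict."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate a trailing ';'
        tag, sep, value = part.partition("=")
        if not sep or not value.strip():
            raise ValueError(f"malformed tag: {part!r}")
        tags[tag.strip().lower()] = value.strip()
    return tags


def evaluate_dmarc_txt(txt_records):
    """Return (status, detail) for the TXT strings found at _dmarc.<domain>."""
    # Scenario 2: nothing that starts with v=DMARC1 was returned.
    candidates = [t for t in txt_records if is_dmarc_record(t)]
    if not candidates:
        return ("no_record", "DMARC processing stops, mail is not checked")
    # Scenario 3: more than one DMARC record, so none of them is applied.
    if len(candidates) > 1:
        return ("multiple_records", f"{len(candidates)} records, policy not applied")
    # Scenario 1: exactly one record; make sure it is usable.
    try:
        tags = parse_tags(candidates[0])
    except ValueError as exc:
        return ("syntax_error", str(exc))
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        return ("syntax_error", f"missing or invalid p= value: {policy!r}")
    if policy == "none":
        return ("monitor_only", "p=none: failing mail is still delivered")
    return ("enforced", f"p={policy}")
```
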

An alternative to the several steps you can take to implement DMARC correctly for your domain and avoid multiple DMARC records would be to simply sign up with our DMARC analyzer.

PowerDMARC handles most of the complexities in the background to automate your email authentication journey and help you mitigate any configuration errors that may cause issues in email deliverability.

What is a DMARC Report?

Before we get to how to read DMARC reports, let’s first look at what a DMARC report is. Domain-based Message Authentication, Reporting and Conformance (DMARC) not only protects your domain against BEC, domain impersonation, and email fraud attacks, it also gives you visibility into your email channels, so that you are always aware of what is going on in the background.

DMARC provides a reporting mechanism, in the form of DMARC reports, that allows domain owners to read authentication results for every email that is sent on behalf of their domain. This essentially helps you track deliverability issues, take action against malicious sending sources and resolve protocol implementation errors promptly.

Why Do You Need DMARC Reports?

Before we get to how to read DMARC reports, let’s understand why you need them in the first place. Despite SPF and DKIM mechanisms, there is a certain probability that the original messages will be correctly processed, and the identity of the sender will go unnoticed. Also, frequently, the recipient’s reports about failures do not reach the sender. In general, the services are continuously evolving and improving.

DMARC steps in as an email authentication program that ensures your email communication is authenticated by SPF or DKIM. It ensures that your emails can be trusted and helps remove chances of spoofing by allowing the receiver to check for valid headers before even opening the mail. In order to ensure the security of your data, you need highly reliable and robust email security. DMARC is one such standard that checks the integrity of your addresses and helps prevent phishing attacks all while improving your email deliverability rates.

When you publish a DMARC record in your DNS, it allows you to specify how your domain should react when an email is received that fails DKIM and SPF authentication. With a properly configured DMARC record, mailbox providers will send you reports directly to your email address, HTTP or HTTPS, letting you monitor the delivery of emails sent from your domain. By setting up DMARC reports you’ll be able to get a lot of valuable information about your outgoing mail traffic. This information can be used for the purpose of authenticating your genuine sources and blocking your illegitimate ones.

Now we will cover how to read DMARC raw reports, and how you can make them human-readable for your ease of understanding.

How to Read DMARC Reports: Reading DMARC Raw Reports

Your DMARC reports, also called raw reports, provide essential data about email activity on your domain that are necessary to help protect you against future phishing attacks. They’re available in XML format and they’re usually sent by email with the subject “DMARC Report.” There are essentially two types of reports:

  • DMARC Aggregate (RUA) Report
  • DMARC Forensic (RUF) Report

You can visit PowerDMARC’s knowledge base to learn more about each of them and how to configure them for your domain easily.

Reading DMARC RUA reports can be a bit of a hassle for a non-technical person. Here is an example of a raw report:

<?xml version="1.0" encoding="UTF-8" ?>
<feedback>
  <report_metadata>
    <org_name>google.com</org_name>
    <email>[email protected]</email>
    <extra_contact_info>http://google.com/dmarc/support</extra_contact_info>
    <report_id>8293631894893125362</report_id>
    <date_range>
      <begin>1234573120</begin>
      <end>1234453590</end>
    </date_range>
  </report_metadata>
  <policy_published>
    <domain>yourdomain.com</domain>
    <adkim>r</adkim>
    <aspf>r</aspf>
    <p>none</p>
    <sp>none</sp>
    <pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>302.0.214.308</source_ip>
      <count>2</count>
      <policy_evaluated>
        <disposition>none</disposition>
        <dkim>fail</dkim>
        <spf>pass</spf>
      </policy_evaluated>
    </row>
    <identifiers>
      <header_from>yourdomain.com</header_from>
    </identifiers>
    <auth_results>
      <dkim>
        <domain>yourdomain.com</domain>
        <result>fail</result>
        <human_result></human_result>
      </dkim>
      <spf>
        <domain>yourdomain.com</domain>
        <result>pass</result>
      </spf>
    </auth_results>
  </record>
</feedback>

Breaking Down a DMARC Raw Report

Let’s take you through the various sections of the report to help you understand what they stand for and how to read them. In the raw file for your reports, you can find information about:

  • Your ISP, the name of your email service provider

<?xml version="1.0" encoding="UTF-8" ?>
<feedback>
  <report_metadata>
    <org_name>google.com</org_name>
    <email>[email protected]</email>
    <extra_contact_info>http://google.com/dmarc/support</extra_contact_info>

  • The report ID number

    <report_id>8293631894893125362</report_id>

  • The beginning and ending date range (in seconds)

    <date_range>
      <begin>1234573120</begin>
      <end>1234453590</end>
    </date_range>

  • Your DMARC record specifications as published in your domain’s DNS

  <policy_published>
    <domain>yourdomain.com</domain>
    <adkim>r</adkim>
    <aspf>r</aspf>
    <p>none</p>
    <sp>none</sp>
    <pct>100</pct>
  </policy_published>

  • IP address of the sending source

      <source_ip>302.0.214.308</source_ip>

  • An overview of your authentication results (SPF and DKIM pass/fail result summary)

      <policy_evaluated>
        <disposition>none</disposition>
        <dkim>fail</dkim>
        <spf>pass</spf>
      </policy_evaluated>

  • From: domain

      <header_from>yourdomain.com</header_from>

  • DKIM authentication results

      <dkim>
        <domain>yourdomain.com</domain>
        <result>fail</result>
        <human_result></human_result>
      </dkim>

  • SPF authentication results

      <spf>
        <domain>yourdomain.com</domain>
        <result>pass</result>
      </spf>
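
The fields walked through above can be pulled out of a raw aggregate report with a few lines of Python. This is an added example, not PowerDMARC’s code: the sample report, its reporter name, report ID and IP addresses are constructed, and the function name and output layout are illustrative. It totals messages per sending source by whether DMARC passed, and refuses reports that carry DTD or entity declarations, since the XML arrives from third parties.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample in the same layout as the raw report above
# (192.0.2.x and 198.51.100.x are documentation addresses).
SAMPLE_REPORT = """<?xml version="1.0" encoding="UTF-8" ?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>constructed-0001</report_id>
  </report_metadata>
  <policy_published><domain>yourdomain.com</domain><p>none</p></policy_published>
  <record>
    <row>
      <source_ip>192.0.2.10</source_ip><count>2</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.7</source_ip><count>5</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
  </record>
</feedback>"""


def summarize_report(xml_text):
    """Return the published policy and per-source totals of DMARC pass/fail."""
    # Reports come from outside parties: refuse DTDs instead of expanding them.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD/entity declarations are not expected in a report")
    root = ET.fromstring(xml_text)
    passed, failed = Counter(), Counter()
    for record in root.iter("record"):
        ip = record.findtext("row/source_ip", default="unknown")
        count = int(record.findtext("row/count", default="0"))
        dkim = record.findtext("row/policy_evaluated/dkim")
        spf = record.findtext("row/policy_evaluated/spf")
        # DMARC passes when either evaluated result is "pass".
        bucket = passed if "pass" in (dkim, spf) else failed
        bucket[ip] += count
    return {
        "reporter": root.findtext("report_metadata/org_name"),
        "policy": root.findtext("policy_published/p"),
        "passed": dict(passed),
        "failed": dict(failed),
    }
```

Sources that appear only under "failed" are the ones to investigate before moving the policy away from p=none: they are either legitimate senders you have not yet authorized or senders abusing the domain.
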

PowerDMARC’s Human-Readable DMARC Reports

As you have probably already understood, while DMARC reports are extremely important to monitor your organization’s email flow and view authentication results, they are not very pleasing to the eyes. With DMARC reports flooding your inboxes every day, you wouldn’t want the pain of going through them and analyzing them line by line, fishing for useful information. Here we will talk about how to read DMARC reports more easily with PowerDMARC.

This is why PowerDMARC helps you view your DMARC Aggregate RUA reports easily in an organized tabular format, parsing data and segregating information into categories with the option to filter data according to IP addresses, organizations, sending sources and specific stats.

Perks of configuring PowerDMARC’s DMARC Reports:

  • On the dashboard, you can view DMARC RUA reports in 7 distinct viewing formats, to view results: per organization, per result, per sending source, per host, per country, according to geo-locations, and segregate detailed stats.
  • Enter domain(s) of your choice to filter results for that particular domain only in the search bar
  • Select a specific date range to filter results for that timeline
  • Bright colour scheme and interactive dashboard that helps you understand your authentication results at a glance when in a hurry, as well as in great detail.

Sign up today to get your free DMARC analyzer! 

If you keep coming across the prompt “DMARC policy not enabled” for your domain, that means that your domain is not protected against spoofing and impersonation with DMARC email authentication. You may often encounter this prompt while conducting reverse DNS lookups for your domain. However, it often has an easy fix. Through this article, we are going to take you through the various steps you need to implement to configure DMARC and set up the right policy for your domain so that you never have to come across the “DMARC policy is not enabled” prompt again!

Configuring DMARC to Protect Against Spoofing 

DMARC, which is the abbreviation for Domain-based Message Authentication, Reporting and Conformance, is a standard for authenticating outbound email messages, to ensure that your domain is adequately protected against BEC and direct-domain spoofing attempts. DMARC works by aligning the Return-path domain (bounce address), DKIM signature domain, and From: domain, to look for a match. This helps to verify the authenticity of the sending source and stops unauthorized sources from sending emails that appear to be coming from you.
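
The alignment check described above, written out in Python as an added example (not PowerDMARC’s code). The function names are illustrative, the domains in the usage note are constructed, and MULTI_LABEL_SUFFIXES is a deliberately tiny stand-in for the Public Suffix List that real receivers use to find the organizational domain.

```python
# Assumption: a tiny constructed stand-in for the Public Suffix List.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}


def org_domain(domain):
    """Reduce a hostname to its organizational domain (simplified)."""
    labels = domain.lower().rstrip(".").split(".")
    keep = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])


def aligned(from_domain, auth_domain, mode="r"):
    """mode 'r' = relaxed (same organizational domain), 's' = strict (exact)."""
    a = from_domain.lower().rstrip(".")
    b = auth_domain.lower().rstrip(".")
    if mode == "s":
        return a == b
    return org_domain(a) == org_domain(b)


def dmarc_result(from_domain, spf, dkim, aspf="r", adkim="r"):
    """spf and dkim are (result, domain) pairs.

    spf[1] is the Return-path (bounce) domain that SPF checked,
    dkim[1] is the signing domain from the DKIM signature.
    """
    spf_ok = spf[0] == "pass" and aligned(from_domain, spf[1], aspf)
    dkim_ok = dkim[0] == "pass" and aligned(from_domain, dkim[1], adkim)
    # One passing, aligned mechanism is enough for DMARC to pass.
    return "pass" if spf_ok or dkim_ok else "fail"
```

A message whose SPF and DKIM both pass for some other domain still returns "fail" here, for example dmarc_result("yourdomain.com", ("pass", "attacker.example"), ("pass", "attacker.example")), which is why a From: address on your domain cannot be borrowed by a sender authenticating as a different domain.
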

Your company domain is your digital storefront that is responsible for your digital identity. Organizations of all sizes make use of email marketing to gain reach and engage their clients. However, if your domain gets spoofed and attackers send out phishing emails to your customers, that drastically impacts not only your email marketing campaigns, it also takes a toll on the reputation and credibility of your organization. This is why adopting DMARC becomes imperative to safeguarding your identity.

In order to start implementing DMARC for your domain:

  • Open your DNS management console
  • Navigate to the records section
  • Publish your DMARC record which you can generate easily using our free DMARC record generator tool and specify a DMARC policy to enable it for your domain (this policy will specify how the receiving MTA responds to messages failing authentication checks)
  • It can take 24-48 hours for your DNS to process these changes, and you’re done!
  • You can verify the correctness of your record using our free DMARC record lookup tool after configuring it for your domain

How to Fix “DMARC Quarantine/Reject Policy Not Enabled”

When you get a warning of “DMARC Quarantine/Reject policy not enabled”, or sometimes just “DMARC policy not enabled” or “No DMARC protection”, that simply indicates that your domain is configured with a DMARC policy of none, which allows monitoring only.

If you are just starting out on your email authentication journey, and you want to monitor your domains and email flow to ensure smooth email delivery, then we recommend you start off with a DMARC policy of none. However, a none policy offers zero protection against spoofing, and hence you will come across the frequent prompt: “DMARC policy not enabled”, where you are reminded that your domain isn’t adequately protected against abuse and impersonation.

In order to fix this, all you need to do is modify the policy mechanism (p) in your DMARC record from p=none to p=reject/quarantine, and thereby shift to DMARC enforcement. If your DMARC record was previously:

v=DMARC1; p=none; rua=mailto:[email protected]; ruf=mailto:[email protected];

Your optimized DMARC record will be:

v=DMARC1; p=reject; rua=mailto:[email protected]; ruf=mailto:[email protected];

Or, v=DMARC1; p=quarantine; rua=mailto:[email protected]; ruf=mailto:[email protected];

I Fixed “DMARC Policy Not Enabled”, What Next?

After resolving the “DMARC policy not enabled” prompt, monitoring domains should be a continuous process to ensure DMARC deployment doesn’t affect your email deliverability, but rather improves it. DMARC reports can help you gain visibility on all your email channels so that you never miss out on what’s going on. After opting for a DMARC enforcement policy, PowerDMARC helps you view your email authentication results in DMARC aggregate reports with easy-to-read formats that anyone can understand. With this, you might be able to see a 10% increase in your email deliverability rate over time.

Moreover, you need to ensure that your SPF doesn’t break due to too many DNS lookups. This can lead to SPF failure and impact email delivery. Dynamic SPF is an easy fix to stay under the SPF hard limit as well as updated on any changes made by your ESPs at all times.

Make your DMARC deployment process as seamless as it can get, by signing up with our free DMARC analyzer today!