What in the World Is “DMARC” and What Exactly Is Changing With Gmail and Yahoo?

If you send emails from an email service provider, or through an application like Shopify, you may have received emails recently about setting up something called “DMARC.” Unfortunately, we’ve found most of these emails to be confusing, to say the least.

Hopefully, this post will shed some light on the confusion.

What is DMARC?

Essentially, DMARC (Domain-based Message Authentication, Reporting, and Conformance) is a tool to stop fraudulent emails and prevent spam. It combines two other authentication standards, SPF and DKIM, to tell email servers what to do if an email doesn’t originate from an approved source.

DMARC works by combining SPF and DKIM to verify that incoming emails are legitimate and genuinely from the domain they claim to originate from. DMARC also allows domain owners to instruct email providers on how to handle emails that don’t pass these checks. For example, you can tell the email servers to reject them, quarantine/spam them, or even to do nothing and just generate a report. These reports provide information that can help with improving delivery, aiding in the monitoring and protection of email security.

What is SPF?

SPF (Sender Policy Framework) verifies that the server that sent the message was authorized to do so. It allows you to identify who is authorized to send email from your domain. For example, if you use Google Workspace or Microsoft 365, you can identify them as approved senders.

What is DKIM?

Similar to SPF, DKIM (DomainKeys Identified Mail) is a security method used to prevent email fraud. However, it is more complex than SPF and works in a different way. Imagine it like a digital signature for your emails that adds a tamper-proof seal to them, ensuring they are genuinely from you and haven’t been altered, thus helping to secure your email communications.

Why am I hearing about DMARC now?

Both Google and Yahoo are rolling out new requirements in early 2024 that bulk email senders implement DMARC. However, requirements are different for each platform.

Google is only enforcing DMARC if you send more than 5,000 emails a day to Google accounts.

Yahoo, on the other hand, is enforcing this for all “bulk senders” who send email to Yahoo accounts. They have not specified a threshold. In addition, Yahoo is enforcing a few other requirements on bulk senders:

1. Use DMARC
2. Enable a quick and easy unsubscribe process
3. Only send emails that users want

What happens if I don’t set up DMARC and follow the recommended guidelines?

If you don’t set up DMARC and adhere to the recommended guidelines, the impact may vary based on your email usage. For businesses that don’t send large volumes of emails daily, the immediate effect might be minimal. However, for those relying heavily on email marketing, not implementing DMARC could significantly hinder their communication efforts.

Regardless of the volume of emails sent, all businesses are advised to enable DMARC and follow Yahoo’s bulk sender recommendations. These are all considered best practices.

The prevalence of email fraud, phishing, and spam makes it crucial to follow these guidelines. Doing so not only safeguards your business but also offers protection to your customers, ensuring trust and security.

What happens if I make a mistake in setting up DMARC?

Setting up DMARC incorrectly can lead to several very serious issues, often causing inconvenience and potential harm to your email communications and business:

1. Legitimate Emails Blocked
   If the DMARC policy is too strict or not configured properly, it might cause your legitimate emails to be rejected or sent to spam folders, leading to communication issues with clients, customers, or partners.
2. Email Delivery Unpredictability
   An incorrect DMARC setup can make the email delivery process unpredictable. You won’t know if your emails are reaching their intended recipients or getting blocked along the way.
3. False Alarms
   An improperly configured DMARC record can lead to frequent false alarms, where legitimate emails are mistakenly identified as fraudulent, consuming time and resources in addressing these unnecessary alerts.
4. Damage to Reputation
   Consistent issues with email delivery can harm the reputation of your domain, making it more likely for email services to block or filter your emails in the future.
5. Missed Fraudulent Activity
   If DMARC isn’t set up to properly authenticate emails, it might fail to detect and prevent phishing or spoofing attacks, leaving recipients vulnerable to fraudulent emails that appear to be from your domain.

How do I setup DMARC for my domain?

Setting up DMARC for your domain involves a few key steps. Here’s a simplified overview, but of course the technical implementation is more complex:

1. Check SPF Records
   Make sure that you’ve set up an SPF record in your DNS for every sender you use. Check the documentation for Google Workspace, Microsoft 365, Shopify, or other vendors you use for more details. Some vendors handle SPF automatically for you if you’ve already set up their service to send email on your behalf.
2. Check and Set Up DKIM
   Similar to SPF, you will need to set up a DKIM record for every vendor you use to send email. Again, check their documentation for the required DNS records.
3. Create a DMARC Record
   Once those steps are complete, you can set up a DMARC record. There are three options you can set for how to handle messages that fail:
   • None
     No action, just collect information and send reports.
   • Quarantine
     Treat suspicious emails with caution (like sending them to the spam folder.)
   • Reject
     Block suspicious emails outright.
4. Set Up Email Addresses for Reports
   Include email addresses in your DMARC record to receive reports. These reports provide insights on who is sending emails on behalf of your domain and whether those emails pass SPF, DKIM, and DMARC checks. Many vendors offer this service, some for free.
5. Publish the DMARC Record
   Add the DMARC record to your domain’s DNS records. This lets email servers know your DMARC policy and where to send reports.
6. Monitor and Adjust
   Initially, set your DMARC policy to None to monitor the reports without affecting email flow. Based on the reports, you can adjust your SPF, DKIM, and DMARC settings. When comfortable, move to a stricter policy like Quarantine or Reject.
7. Regularly Review Reports
   Regularly check the reports to identify and resolve any issues with legitimate email senders, and to keep track of potential unauthorized use of your domain.

Remember, DMARC setup can be technical, and a small mistake can disrupt your email delivery. If unsure, it’s advisable to seek help from IT professionals. Please contact us if you have any questions!