All about DMARC

Deep dive on DMARC for those that desire more detail.

Updated over a week ago

What's DMARC?

DMARC stands for Domain-based Message Authentication, Reporting & Conformance. It is an email protocol designed to protect email recipients from third parties spoofing (hijacking a domain for unintended uses) and sending spam emails. You may choose to think about it like a watermark for a paper check to verify its authenticity.

DMARC, in conjunction with Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM), are tools that ensure email senders are who they say they are, so email clients are more confident the emails they're delivering are authentic.

Why is it important now?

Though DMARC protocol has been around since roughly 2012 and has been best practice for bulk email senders for some time, an updated email sender requirement from Google and Yahoo has turned it from a recommendation to a requirement for anyone sending greater than 5,000 emails per day to Gmail addresses. (Yahoo and others have not specified a number.)

In short, if your email list is greater than 5,000 people, or will be soon, this new protocol will affect you.

Internet security is always changing, as the sophistication of many bad actors increases. As a result, email clients, bulk email senders, and recipients must adapt. DMARC protocol is the latest in a series of requirements enacted to protect all parties involved.

What actions do I need to perform?

NationBuilder customers will need to acquire and install a DMARC record with their domain provider. This requirement is performed by NationBuilder if we manage all your domains, or will need to be performed by you if you self-manage any of your domains.

Additionally, all nations will need to keep their reported spam threshold (the amount your recipients mark your emails as spam) below 0.3%. This has been a best practice and requirement within NationBuilder already, so it should not come as a surprise that large email clients will now be enforcing a similar ruling.

You can read more about the required actions in our blog post that covers this topic.

Where in the control panel do I set this up?

Navigate to Settings > Domains in your control panel to see if the domain is indicated as โ€œNB managed."

What should I choose for "DMARC email failure policy" in the control panel?

There are three available DMARC policy choices. Below is an explanation for each:

p = none

The "none" policy, also known as the "monitor" policy, instructs the recipient's email provider not to take any action if an email fails DMARC verification.

p = quarantine

The "quarantine" policy relocates suspicious emails to a designated folder, such as the recipient's spam folder, rather than placing them in the inbox.

p = reject

The "reject" policy directs the provider to block any email that fails DMARC, preventing it from reaching the recipient's inbox.

Though "p = reject" might seem like the safest choice, it is often better to start with "p = none" to monitor and receive reports on emails sent from your domain. This helps identify authentic sources without impacting email deliverability.

Afterward, you can progress to a "quarantine" policy, where unauthenticated emails are directed to recipients' spam folders. While suspicious emails land in spam, this approach ensures that authentic emails, even if labeled as such, still reach one of the recipients' email folders.

You only need to move to a "reject" policy if you're having issues with your DMARC verification or email deliverability and you need to triage a problem, at which point [email protected] can be a valuable resource.

What is a DMARC report and how do I read one?

A DMARC report is a report that is generated about the emails being sent from your domain. These reports are good for finding people who are impersonating your organization and trying to send emails impersonating you or your organization.
Here's a little metaphor to explain this:

If Jane wants to send a letter to John. She puts the letter in an envelope and writes John's address and her address as the sender. She takes that letter to the post office, the person at the post office adds a stamp (SPF) on the envelope after verifying the sender and recipient and another stamp (DKIM) on the letter to mark that it is the original.

When John gets the letter he can be sure it is from Jane and the original letter she wrote because of the two stamps. Now, our Post Offices don't do this sort of verification in the real world but DMARC does in the digital world.

You can think of DMARC as an office that is constantly checking the ID of the person sending a letter to make sure they are who they claim to be. In this way, no one except authorized staff/volunteers can send an email on behalf of your organization.
DMARC generates reports on all of this ID checking which are technical in nature and require knowledge of how to read. They are in a data file format called XML (Extensible Markup Language) and include details of suspicious emails that were flagged by the system. It is up to your organization to decide whether it needs to look at these reports and how they will do that.

If your organization doesn't regularly send emails to a lot of recipients (greater than ~5000 per day) and your emails receive healthy engagement (at least 20% verified open rates is a good heuristic), you likely don't need to configure your DMARC to receive reports. These reports can be fairly technical and difficult to parse, and the information you receive from them won't be anything you can act on as long as your sending domain is set up appropriately.

When is the deadline?

Google and Yahoo began enforcing their DMARC policy on February 1st, 2024.

What are some important terms?

DMARC - Domain-based Message Authentication, Reporting, and Conformance is an email authentication protocol. It is designed to give email domain owners the ability to protect their domain from unauthorized use, commonly known as email spoofing

Domain - An Internet domain is a digital framework for organizing, delivering and accessing services on the internet. "Domain" and "domain name" can be used interchangeably in most contexts. Your domain is purchased from a domain provider such as GoDaddy, Namecheap, or Squarespace domains.

DNS - The Domain Name System is like the internet phonebook, translating domains into unique IP addresses to connect parties through the internet.

SPF - An Sender Policy Framework record is a type of DNS record that identifies which mail servers are permitted to send email on behalf of your domain.

DKIM - DomainKeys Identified Mail is a digital signature added to every email sent from a given email address. It is a string of characters hidden in the source code designed to verify the sender's authenticity to email servers for incoming mail.

Where can I learn more?

Check out our blog post or New Gmail and Yahoo Sender requirements for more information.

If you have questions please use the messenger inside your control panel (blue chat bubble overlay at the bottom right) to send our support team a message or send an email to [email protected].

Did this answer your question?