DMARC Updates | What You Need to Know


You might have been hit with several emails in your inbox over the last few days regarding authenticating and adding a DMARC to your domain to send emails from your branded email (through either Google or Yahoo.) 

Jump to:

    What is a DMARC record?

    DMARC stands for Domain-based Message Authentication, Reporting, and Conformance (DMARC). It is a way to check the legitimacy of a URL to prevent spam - essentially a background check!

    Why the push to add DMARC records?

    Google and Yahoo recently announced that if you are sending more than 5000 emails a day through your branded email hosted with Google or Yahoo, you need to have DMARC set up. This includes any emails you send through email marketing platforms like MailChimp, Klaviyo, ActiveCampaign, etc.

    This is all in an effort to...

    • Block malicious emails
    • Stop spam messages
    • Increase email security

    Although they have specified this is for people sending 5000 emails daily, Shopify has announced that if you don't have DMARC set up, they will revert to sending emails from a Shopify-branded email rather than your branded email address.

    Spam rates are also becoming crucial

    The announcement also comes with a strict guide for spam rates - marketers must have spam rates below 0.3% and provide the ability to unsubscribe with a single click (this means you need to make sure people don't have to click unsubscribe on another page once they have clicked unsubscribe in an email)

    Here are some other ways to keep spam rates low:

    • Avoid spammy subject lines
    • Monitor key engagement metrics like open rates, click through rates etc.
    • Double opt-in (as annoying as these are, they will help keep spam rates low)
    • Keep images to a minumum (no full image emails!)

    So, how do you set this up?

    Before you can set up DMARC, you must ensure SPF and DKIM records are set up first. Most hosting providers should have these set up automatically already. But ensure you check this first before enabling DMARC. SPF and DKIM records need to be active for at least 48 hours before you can turn DMARC on.

    Jess walks you through the process in the video below for SiteGround. Note this will be different for every host (some will fill in the details for you, and others will require you to put in the information yourself. Please Google your hostname and [DMARC set up] to get the instructions relevant to you.)

    NB: Once you set this up, you will receive at least daily emails with reports. We recommend using a free service like Postmark DMARC, where they will send you a recap each week, which is much easier to understand. Postmark will give you their own txt record to put in.

    Play Video
    1. Log into your domain host (i.e. GoDaddy, VentraIP, Crazy Domains, etc.)
    2. Navigate to your domain DNS settings
    3. Add a new record*. Some hosts will have a record for 'DMARC', which will fill in the required details automatically. If your host does not have this, add a txt record and fill in the details yourself as per the set-up guide provided by your host.

    *Some companies will require you to create the DMARC record yourself. You can do this through a website such as Email Auth. Once you have this record, you add this to the txt value.

    We suggest selecting none for the how strict question initially (see below for when to change it) Leave the policy % blank. Add your email to both the Agreggate data and Forensic data boxes.

    You can check that your DMARC setup is complete using a DMARC lookup tool.

    You need to ensure this is completed by February 2024. Shopify has said this is when they will switch you to a Shopify-branded email if DMARC authentication is not in place.

    What to do with those pesky DMARC report emails

    Now you have DMARC set up, you will notice an increase in DMARC reports (how many you get depends on how many emails you send.) What do they mean and what should you do with them?

    These reports essentially help you understand

    • Who is sending emails for your domain (i.e. you, your online store etc.)
    • Which emails have passed DMARC
    • Which are failing
    • What happens when they reach the recipient

    They are vital as they can alert you to potential spammers or security risks (which is the whole point of having DMARC set up)

    For example, in the report below, we can see that on this particular day, emails have been sent from our lorrainevirtual.com domain as well as our sub-domain courses.lorrainevirtual.com. We actually don't use that domain anymore so that is something worth investigating.

    Once you see the majority of emails are passing checks, you could consider moving the strictness from none to reject or quarantine.

    DMARC Report Example Lorraine Virtual

    So what should you do with them?

    As mentioned above, we recommend using a free service like Postmark DMARC, which will send you a recap each week, which is much easier to understand. Postmark will give you their own txt record to put in.

    Google and other authority figures in the industry recommend having either a separate email for these to be sent to OR having folders set up that they can automatically go into. You can then check these messages periodically to see if anything is amiss.

    We'll link to instructions below from major providers on how to set up emails to automatically go into a folder.

    Lorraine Virtual Newsletter

    You’ll receive a monthly freebie, the latest industry news, tech tips, access to an exclusive newsletter subscriber only podcast episode and all the latest happenings at Lorraine Virtual!

    Please enter your name.
    Please enter a valid email address.
    Something went wrong. Please check your entries and try again.

    Recent Posts