This article is part of a series dedicated to helping you set up DKIM, SPF, and DMARC records to authenticate the custom domain email addresses you use to send emails with Kartra.

What is DMARC?

DMARC (Domain-based Message Authentication Reporting and Conformance) records tell mail servers what to do with emails that could not be verified as legitimate, based on a sorting policy that you define. They are published in the DNS settings for the domain.

Using this guide, create a DMARC policy to monitor DKIM and SPF alignment for your domain(s) and set up reporting so you stay informed.

DMARC alignment refers to how closely a message From: header matches the sending domain specified by either DKIM or SPF.

  1. Identify Your Sender Domain(s)
  2. Create Your DMARC Record
  3. Login to Your Domain Host
  4. Publish Your DMARC Record
  5. Test Your DMARC Record
  6. Monitor and Analyze Reports

Step 1: Identify Your Sender Domain(s)

Start by identifying the domain(s) you want to protect. Your domain is the part of your email address that comes after the '@' symbol, such as yourcompany.com.

To protect all the email domains you use with Kartra, think about the send-from and reply-to email addresses you use when composing a new email message in your account. The addresses you use there are the ones you must authenticate.

Example of the email sender settings in a Kartra broadcast

Example of the email sender settings in Kartra

Remember: If you use more than one domain as the sender for your emails, an SPF record must be added to the DNS settings for each one.


Step 2: Create Your DMARC Record

Now, you'll need to define the DMARC policy. A basic DMARC record includes the following components:

  • v=DMARC1: The DMARC version.
  • p=none: Policy value is “none.” This instructs mail servers to monitor emails but take no action if the sender cannot be authenticated.
  • rua=mailto:[email protected]:Specifies the email address where aggregate reports of mailing activity for the domain should be sent.
    • In your record, replace "[email protected]" with the email address where you want to receive DMARC reports. The address must be located on the same domain as the DMARC record OR be issued by a DMARC monitoring service.

A finished DMARC record value with these components looks like this:

Important:

If you want to use a DMARC monitoring service (we recommend it!) to help you read your authentication reports, the service will generate this DMARC record for you.

Create your account (we recommend a service like Valimail) and add your sending domain. Copy the DMARC record provided from their interface and add it to your DNS in the next steps of this guide.

Understanding DMARC Policies

The DMARC policy is specified by p=value in your record. The value dictates what should happen with a message that could not be verified with DKIM or SPF. 

The policy is set to one of three values:

  • p=none: Deliver all mail, regardless of verification.
  • p=quarantine: Treat the message as suspicious and potentially spam.
  • p=reject: Do not deliver at all.

If you are new to sender verification, it’s best to take a cautious approach to your initial DMARC policy and set it to “none,” with a plan to increase the strictness.

As long as a valid RUA value is defined in your record, you will receive DMARC activity reports with information about the messages that pass or fail the verification process. With the help of a DMARC monitoring service to distill the reports, they can help you find legitimate services that need to be added to your SPF record and see if spoofers are currently using your domain.

As you learn more about how accurately your mail is being verified and delivered, you can increase the strictness of your DMARC policy to make it more secure.


Step 3: Login to Your Domain Host

Your DNS (Domain Name System) provider is where your domain's settings are managed. Popular providers include GoDaddy, Namecheap, or Cloudflare, but there are many similar services available.

Once logged in, find the DNS settings or management section of your account. Look for an option like "DNS Management" or "DNS Settings."Example of Advanced DNS settings in Namecheap domain management

Example of Advanced DNS settings in Namecheap domain management

Source: How do I add TXT/SPF/DKIM/DMARC records for my domain?


Step 4: Publish Your DMARC Record

Create a TXT record for your domain and add the policy defined in the previous step.

  1. Go to the DNS Settings or DNS Management area.
  2. Locate the domain(s) you use to send email.
  3. Add a new TXT record to the domain and enter the DMARC details:
  • Host or Name: Enter _dmarc
  • Value" or Content: Enter the DMARC record details you defined at the previous step, like v=DMARC1; p=none; rua=mailto:[email protected];
    • Remember to update the email address in the rua reference to get reports.
  • TTL: Default/Automatic.

Example of a DMARC TXT record in GoDaddy domain management

Example of a DMARC TXT record in GoDaddy domain management

Note that the terminology you see in your account can vary depending on your hosting service. If you’re not sure how to follow these steps in your DNS console, your domain host support will be able to help.

Example of a saved DMARC TXT record in GoDaddy domain management

Example of a saved DMARC TXT record in GoDaddy domain management

After publishing the DMARC record, wait about an hour for the changes to propagate through the internet.


Step 5: Test Your DMARC Record

Before testing the DMARC, make sure you also have valid DKIM or SPF records set up for your domain. Remember, DMARC works to validate and report on DKIM and SPF authentication, so all the pieces must be in place before you test.

If you have not configured and tested DKIM or SPF records yet, stop here and do that now:

When all your sender authentication records are complete, use a DMARC Record Check tool to confirm that the DMARC record is correct. Your domain host may provide one, or you can use an online service like DMARC Check Tool from MxToolBox.

There are lots of free tools available online to help you test!


Step 6: Monitor and Analyze Reports

Sign up for a DMARC monitoring service and regularly check the mail server reports sent to the email address specified in your record’s rua tag. 

The monitoring service will distill the information contained in each report into usable insights – without it, the XML reports can be difficult to understand. The information you get from the reports will help you review any email authentication failures and fine-tune your DMARC policy over time.

There are many services online that you can use to monitor DMARC reports. One example to get you started with a free monitoring tier is Valimail.