Your Email Deliverability Score

Audit a domain and get recommendation on how to improve your email deliverabiity & security.

Domain

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
What is a DMARC record?

A DMARC (Domain-based Message Authentication, Reporting, and Conformance) record is a DNS record that helps protect email domains from unauthorized use, such as spoofing. It does this by specifying how emails that fail SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) checks should be handled (e.g., rejected or quarantined). Additionally, DMARC provides feedback to domain owners about the emails being sent from their domain, helping them identify and address security issues.

How can I interpret the results of DMARC failure reports to improve email security?

DMARC failure reports provide insights into emails that failed DMARC checks, indicating potential authentication issues or unauthorized use of your domain. To improve email security, analyze the source IPs and sending domains of failed emails to identify unauthorized senders. Adjust your SPF and DKIM configurations to tighten authentication and consider revising your DMARC policy to better protect against unauthorized email sending.

What is the impact of a 'p=reject' DMARC policy on email marketing campaigns?

A 'p=reject' DMARC policy ensures that only emails that pass SPF and DKIM checks are delivered, enhancing the legitimacy of your email campaigns. However, if your email sending practices are not fully aligned with SPF and DKIM standards, this policy might lead to legitimate emails being rejected. It's crucial to ensure all your email sources are properly authenticated to minimize disruptions to your campaigns.

How does DMARC interact with mailing lists and email forwarding services?

DMARC can affect how emails are handled by mailing lists and forwarding services, as these services might alter emails in a way that causes them to fail SPF or DKIM checks. To mitigate issues, use alignment options in your DMARC policy and work with services that are DMARC-aware, ensuring they preserve authentication results or use ARC (Authenticated Received Chain) for forwarding.

How does DMARC work?

DMARC works by aligning SPF and DKIM authentication results with the sender's domain, and it specifies how receivers should handle emails that fail these checks. When an email is sent, DMARC verifies that it passes SPF and/or DKIM authentication and matches the sender's domain. Based on the DMARC policy set by the domain owner (none, quarantine, reject), the receiving server then decides how to treat emails that fail these checks, enhancing email security and integrity.

How does DMARC influence the deliverability of emails?

DMARC influences email deliverability by providing a clear policy on how email receivers should handle messages failing SPF and DKIM checks. Proper DMARC implementation can improve a domain's trustworthiness and reduce the likelihood of legitimate emails being marked as spam, thus enhancing overall email deliverability. Conversely, a strict DMARC policy without proper alignment of SPF and DKIM can lead to legitimate emails being rejected or quarantined.

Can DMARC be bypassed, and what measures can be taken to prevent this?

While DMARC significantly enhances email security, sophisticated attackers might find ways to exploit any gaps in email authentication practices. To minimize bypass risks, maintain strict SPF and DKIM configurations, regularly review and update your DMARC policy, and employ additional security measures like multi-factor authentication and email encryption.

How do I adjust my DMARC policy based on aggregate report feedback?

Aggregate DMARC reports provide a comprehensive view of your email traffic, allowing you to see which emails pass or fail DMARC checks. Use this feedback to identify and authorize legitimate sending sources while blocking or fixing sources of failure. Gradually tighten your DMARC policy from 'none' to 'quarantine' to 'reject' as you gain confidence in your email sending practices.

What are the common challenges when implementing DMARC for a large organization?

Large organizations often face challenges like managing multiple email sending sources, ensuring all legitimate emails are properly authenticated, and interpreting DMARC reports across diverse systems. Overcoming these challenges involves centralized management of email sources, consistent policy enforcement, and using specialized tools for DMARC reporting and analysis.

How does DMARC contribute to reducing Business Email Compromise (BEC) attacks?

DMARC helps reduce BEC attacks by verifying that the sender's email comes from the claimed domain and meets SPF and DKIM authentication standards. This prevents attackers from spoofing the domain, significantly reducing the risk of successful BEC attacks where attackers impersonate company officials in email communications.

What role does DMARC play in brand protection strategies?

DMARC is crucial for brand protection as it prevents unauthorized use of a brand's domain in email attacks, safeguarding the brand's reputation and customer trust. By ensuring that only authenticated emails are delivered, DMARC helps maintain the integrity of brand communications.

How can DMARC policy settings be optimized for international email communications?

For international email communications, consider the diversity of email systems and practices across different regions. Ensure your SPF and DKIM records accommodate legitimate international sending IPs and domain names. Also, monitor DMARC reports closely to adjust your policy and authentication practices as needed to support global email delivery without compromising security.

What are the latest advancements in DMARC technology and reporting?

Recent advancements in DMARC technology focus on improving reporting capabilities, enhancing user interfaces for easier analysis of DMARC reports, and integrating AI and machine learning to automatically identify and address authentication issues. Developments in standards like ARC for handling forwarded emails also represent significant progress in maintaining email authenticity across complex delivery paths.

DMARC Glossary
v
The Version tag is essential in a DMARC record and must strictly be set to 'DMARC1'. If this value is not correctly specified or if the tag is absent, the DMARC record will not be considered valid and will be disregarded.
p
The DMARC policy setting is crucial and accepts three possible values: 'none', 'quarantine', or 'reject'. By default, it is set to 'none', which means it doesn't actively intervene with emails that fail authentication. This setting primarily serves to gather DMARC reports, aiding in understanding the existing email traffic and its authentication status. On the other hand, the 'quarantine' option flags unauthenticated emails as dubious, and 'reject' outright prevents their delivery.
rua
The destination for sending aggregate reports is specified using a 'mailto:' URI, which Email Service Providers (ESPs) utilize to dispatch failure reports. While this tag is not mandatory, omitting it means you will not receive any reports."
ruf
The destination for Forensic (Failure) report transmission is designated by a 'mailto:' URI, which is employed by Email Service Providers (ESPs) for the delivery of failure reports. Although this tag is not obligatory, failing to include it will result in not receiving any reports.
sp
The policy for subdomains defaults to inheriting the main domain's policy tag (p=), as previously described, unless explicitly stated otherwise. Similar to the domain policy, the permissible values for subdomains are 'none', 'quarantine', or 'reject'. However, this option is not commonly employed in current practices.
adkim
The alignment of the DKIM signature, indicated by this tag, refers to the congruence between the DKIM domain and the originating domain in the 'Header From'. The acceptable values for this tag are 'r' for relaxed and 's' for strict. The default setting, 'r', permits a partial match between these domains, whereas the 's' setting demands an exact match of the domains.
aspf
This tag pertains to the SPF alignment, which concerns the compatibility between the SPF domain (the sender) and the domain in the 'Header From'. It allows two settings: 'r' for relaxed and 's' for strict. By default, it is set to 'r', which tolerates a partial match between the domains. In contrast, the 's' setting necessitates an exact correspondence of the domains.
fo
The options for forensic reporting include '0', '1', 'd', and 's'. The default setting is '0', which triggers a forensic report only when both SPF and DKIM alignments do not pass. Use '1' if the outcome of either SPF or DKIM is anything other than a pass. The option 'd' is selected to generate a report specifically for DKIM validation failures, and 's' is used for SPF-related issues. To actually receive these forensic reports, it's necessary to specify the 'ruf' tag.
rf
The format for failure report generation can be set to either 'afrf' or 'iodef', as these are the two permissible options.
pct
The Percentage tag is relevant exclusively for domains operating under a 'quarantine' or 'reject' policy. It specifies the proportion of email failures to which the chosen policy should apply. The remainder is managed under a less stringent policy. For instance, with 'pct=70' set on a domain with a 'quarantine' policy, this policy is enforced on only 70% of failed emails, while the other 30% are treated as if under a 'none' policy. Similarly, for a domain with 'p=reject' and 'pct=70', the 'reject' policy is applied to 70% of failures, with the remaining 30% defaulting to 'quarantine'.
ri
The Reporting interval specifies how often XML reports are received, measured in seconds. The standard setting is 86400 seconds, which equates to daily reporting. However, it's important to note that despite the specified interval, Internet Service Providers (ISPs) typically send these reports on their own schedules, which in most cases, is also once a day.

Basic

Popular
$96/year
Basic features for up to 10 users with everything you need.
Get started

Business

$192/year
Advanced features and reporting, better workflows and automation.
Get started

Enterprise

$384/year
Personalised service and enterprise security for large teams.
Get started
Overview
Basic features
Users
10
20
Unlimited
Individual data
20GB
40GB
Unlimited
Support
Automated workflows
200+ integrations
Reporting and analytics
Analytics
Basic
Advanced
Advanced
Export reports
Scheduled reports
API access
Advanced reports
Saved reports
Customer properties
Custom fields
User access
SSO/SAML authentication
Advanced permissions
Audit log
Data history