How to Align the New DMARC Policy for Email Security

Discover how to navigate the new DMARC policy. Learn the steps to check your SPF and DKIM records and implement DMARC for email security.


DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an email authentication protocol designed to give email domain owners the ability to protect their domain from unauthorized use, commonly known as email spoofing.

The DMARC policy does this by enabling domain owners to specify how an email from their domain should be authenticated using SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail), and how failing emails should be handled (e.g., rejected, quarantined, or reported to the sender).

Major providers like Google and Yahoo have updated their DMARC policies to improve security and handle cyber threats. These updates emphasize the importance of implementing DMARC to ensure email deliverability and security.

So, how do you align with the new DMARC policy? Let’s take a look step by step.

Aligning with the New DMARC Policy

How to Check the Current Records

Here is a step-by-step guide to checking the current DMARC policy records:

Check Your Existing SPF and DKIM Records

To check for existing SPF and DKIM records:

Use a DNS Lookup Tool: Many online tools allow you to check the DNS records of your domain. Examples include mxtoolbox.com or dnschecker.org.

  • For SPF, select SPF Lookup or TXT Lookup and enter your domain name.
  • For DKIM, it’s slightly more complex, as DKIM records are attached to a specific selector. The selector (for example, google in google._domainkey.yourdomain.com) is a prefix in the record name that receiving servers use to locate the DKIM DNS record.

You might need to know the selector used by your email service provider to find the DKIM record. If you’re unsure, check your email service provider’s documentation or contact their support.
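The lookup procedure above can be scripted. The following is an added example (not code from the original post): it builds the DNS names that should carry a domain's SPF, DKIM and DMARC records, classifies the TXT strings found at each name by their version tag, and reports what is missing or duplicated. The resolver is a constructed in-memory zone for the hypothetical domain example.com (the DKIM key is a truncated placeholder), so it runs offline; to run it live, pass any function that takes a DNS name and returns the TXT strings published there.

```python
"""Added example (not from the original post): enumerate the DNS names that
should hold a domain's SPF, DKIM and DMARC records, classify the TXT
strings found there, and report what is missing or duplicated.

The resolver below is a constructed in-memory zone so the check runs
offline; to run it live, pass any function that takes a DNS name and
returns the list of TXT strings published at that name."""

from typing import Callable, Dict, List

# Constructed sample zone for the hypothetical domain example.com.
# The DKIM p= value is a truncated placeholder, not a real key.
FAKE_ZONE: Dict[str, List[str]] = {
    "example.com": [
        "v=spf1 ip4:203.0.113.10 include:_spf.google.com ~all",
        "google-site-verification=abc123",  # unrelated TXT record, must be ignored
    ],
    "google._domainkey.example.com": [
        "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQ...",
    ],
    "_dmarc.example.com": [
        "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com",
    ],
}

Resolver = Callable[[str], List[str]]

def fake_resolver(name: str) -> List[str]:
    """Stand-in for a TXT lookup; returns [] for names that do not exist."""
    return FAKE_ZONE.get(name.lower().rstrip("."), [])

def names_to_check(domain: str, selectors: List[str]) -> Dict[str, str]:
    """Map each record kind to the DNS name that must carry it.
    DKIM keys live at <selector>._domainkey.<domain>, one per selector."""
    names = {"SPF": domain, "DMARC": f"_dmarc.{domain}"}
    for selector in selectors:
        names[f"DKIM:{selector}"] = f"{selector}._domainkey.{domain}"
    return names

def classify_txt(txt: str) -> str:
    """Identify a TXT string by its leading version tag."""
    head = txt.strip().lower()
    if head.startswith("v=spf1"):
        return "SPF"
    if head.startswith("v=dkim1"):
        return "DKIM"
    if head.startswith("v=dmarc1"):
        return "DMARC"
    return "OTHER"

def check_domain(resolver: Resolver, domain: str, selectors: List[str]) -> Dict[str, List[str]]:
    """Return, per record kind, the TXT strings of the expected type found at its name."""
    found: Dict[str, List[str]] = {}
    for kind, name in names_to_check(domain, selectors).items():
        expected = kind.split(":")[0]            # "DKIM:google" -> "DKIM"
        found[kind] = [t for t in resolver(name) if classify_txt(t) == expected]
    return found

def find_problems(found: Dict[str, List[str]]) -> List[str]:
    """Flag missing records, and duplicate SPF/DMARC records: a domain may
    publish exactly one of each (two SPF records are a permanent error, and
    receivers ignore DMARC entirely when more than one record is published)."""
    problems = []
    for kind, records in found.items():
        if not records:
            problems.append(f"{kind}: no record found")
        elif kind in ("SPF", "DMARC") and len(records) > 1:
            problems.append(f"{kind}: {len(records)} records found, exactly one expected")
    return problems

if __name__ == "__main__":
    result = check_domain(fake_resolver, "example.com", ["google", "mailchimp"])
    for kind, records in result.items():
        print(kind, "->", records or "MISSING")
    print("problems:", find_problems(result) or "none")
```

Run as-is, the sample zone reports that the mailchimp selector has no DKIM record; the unrelated site-verification string at the apex is ignored because only a string beginning with v=spf1 counts as SPF.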

Setting Up SPF Record

Identify Your Sending IP Addresses: List all the IP addresses that send emails on behalf of your domain. This includes your own mail servers and any third-party services like Mailchimp or SendGrid.

Create the SPF Record: An SPF record is a TXT record in your DNS settings. The basic format looks like this: v=spf1 ip4:<IP address> include:<sending domain> ~all

  • Replace <IP address> with your sending IP address(es). If you have multiple, list each one as its own ip4: (or ip6:) term, separated by spaces.
  • Replace <sending domain> with the domain of your email sending service. For example, for Google Workspace, you’d use include:_spf.google.com.
  • ~all indicates a soft fail for IPs not listed in the record. For a stricter approach, use -all.

Add the SPF Record to Your DNS: Log into your DNS control panel. Look for an option to add a new record. Select TXT as the type, enter @ or your domain as the host, and paste your SPF string as the value.
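Before pasting an SPF string into DNS it is worth building and linting it programmatically. The following is an added example (not code from the original post) that assembles a record from a list of sending addresses and include domains, parses it back into qualifier/term pairs, and warns about the mistakes that most often break SPF: a missing or permissive all term, more than the ten DNS lookups RFC 7208 permits, and a string too long for a single TXT string. All addresses and domains in it are constructed.

```python
"""Added example (not from the original post): build an SPF record from a
list of sending addresses and third-party include domains, then parse and
lint a record before it is published. Addresses and domains below are
constructed examples."""

import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Mechanisms that trigger a DNS lookup when a receiver evaluates the record.
# RFC 7208 allows at most 10 per evaluation; more yields a permanent error.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def build_spf(ips: List[str], includes: List[str], strict: bool = False) -> str:
    """Assemble 'v=spf1 ip4:... include:... ~all'. strict=True emits -all (hard fail)."""
    parts = ["v=spf1"]
    for ip in ips:
        net = ipaddress.ip_network(ip, strict=False)   # validates address or CIDR range
        tag = "ip4" if net.version == 4 else "ip6"
        if net.prefixlen == net.max_prefixlen:
            parts.append(f"{tag}:{net.network_address}")   # single host
        else:
            parts.append(f"{tag}:{net.with_prefixlen}")    # CIDR block
    parts.extend(f"include:{domain}" for domain in includes)
    parts.append("-all" if strict else "~all")
    return " ".join(parts)

def parse_spf(record: str) -> Dict:
    """Split a record into (qualifier, term) pairs, count lookup-costing
    mechanisms, and capture the qualifier on the final 'all'."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: must start with v=spf1")
    mechanisms: List[Tuple[str, str]] = []
    lookups = 0
    all_qualifier: Optional[str] = None
    for term in terms[1:]:
        qualifier = "+"                      # default qualifier is pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name = re.split(r"[:/=]", term, maxsplit=1)[0].lower()
        if name in LOOKUP_MECHANISMS:
            lookups += 1
        if name == "all":
            all_qualifier = qualifier
        mechanisms.append((qualifier, term))
    return {"mechanisms": mechanisms, "lookups": lookups, "all": all_qualifier}

def lint_spf(record: str) -> List[str]:
    """Warnings a domain owner should resolve before publishing."""
    info = parse_spf(record)
    warnings = []
    if info["all"] is None:
        warnings.append("no 'all' term: hosts not listed get a neutral result")
    elif info["all"] == "+":
        warnings.append("'+all' lets any host send as this domain")
    elif info["all"] == "?":
        warnings.append("'?all' is neutral; use ~all or -all to fail unlisted hosts")
    if info["lookups"] > 10:
        warnings.append(f"{info['lookups']} DNS lookups exceed the limit of 10 (permerror)")
    if len(record) > 255:
        warnings.append("record longer than 255 characters must be split into multiple TXT strings")
    return warnings

if __name__ == "__main__":
    record = build_spf(["203.0.113.10", "198.51.100.0/24"], ["_spf.google.com"])
    print(record)
    print(parse_spf(record))
    print(lint_spf(record) or "no warnings")
```

The lookup counter is the check people most often skip: every include: pulls in the included domain's own lookups as well, so a record that chains several third-party services can exceed the limit even when the top-level string looks short.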

Setting Up DKIM Record

Generate a DKIM Key Pair: Your email service provider usually generates this for you. If you’re managing your own mail server, tools like OpenDKIM can generate these keys.

Publish the Public Key: Once you have the public DKIM key, you’ll add it to your DNS settings as a TXT record. The host name for this TXT record typically looks like selector._domainkey.yourdomain.com, where selector is a unique identifier for your DKIM key.

  • The value of this TXT record will be your public key, provided by your email service or generated by your DKIM tool.

Enable DKIM Signing: Ensure your email service or server is configured to sign outgoing emails with the private DKIM key. This process varies depending on your setup, so refer to your service’s documentation or server configuration.

Create a DMARC Policy

Generate Your DMARC Record: A basic DMARC policy for monitoring might look like v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com, where rua specifies where aggregate reports should be sent. It’s recommended to start with a DMARC policy of p=none to monitor and understand how your emails are being authenticated.

  • This allows for a period of observation without affecting the delivery of emails that might fail DKIM/SPF authentication.

Publish Your DMARC Record: Like SPF and DKIM, the DMARC policy is added as a TXT record in your DNS. The host for this record should be _dmarc.yourdomain.com. Go to your DNS management panel, add a TXT record, use _dmarc as the host, and set the value to your DMARC policy string.

DMARC Policy Adjustment and Gradual Enforcement: After a period of monitoring, if no issues are observed, it’s advised to adjust the DMARC policy to a more restrictive setting such as p=quarantine and eventually p=reject. It’s also suggested to start quarantining a small percentage of messages (e.g., pct=5) and gradually increase this percentage as you become more confident in your email authentication process.

Additional Notes for Shopify Users

  1. Shopify-Specific Considerations: If your domain is managed by Shopify, they have announced that they will handle the DMARC setup along with the required DKIM and SPF authentication on behalf of their merchants in response to the new email deliverability requirements set by Google and Yahoo.

  2. This means there’s no action required from the merchant’s side if their domain is hosted by Shopify.

  3. For merchants who have already set up DMARC or are using domains not managed by Shopify, it’s crucial to ensure that their records are correctly configured. Shopify recommends starting with a p=none policy and suggests using tools for analyzing DMARC reports, such as EasyDMARC, to assist merchants in understanding their email authentication reports.

  4. Shopify has highlighted that besides having a DMARC policy, merchants should also maintain a low complaint rate (below 0.3%) to prevent their emails from being filtered into spam folders. This emphasizes the importance of not only technical settings but also the quality and relevance of the emails being sent.

What Happens If You Don’t Update DMARC Policy

Increased Risk of Spoofing: Lack of DMARC makes it easier for attackers to send emails that appear to be from your domain, potentially damaging your brand’s reputation.

Phishing Vulnerabilities: Without DMARC, your domain is more susceptible to being used in phishing scams, posing a significant security risk.

Delivery Issues: Inaccurate or outdated DMARC, SPF, and DKIM records can lead to emails being flagged as spam or not delivered, impacting communication.

Compliance Issues: Failing to comply with the updated requirements from email providers like Google and Yahoo could lead to legitimate emails being rejected, particularly affecting entities that send large volumes of emails.
