DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an email authentication protocol designed to give email domain owners the ability to protect their domain from unauthorized use, commonly known as email spoofing.
The DMARC policy does this by enabling domain owners to specify how an email from their domain should be authenticated using SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail), and how failing emails should be handled (e.g., rejected, quarantined, or reported to the sender).
Major providers like Google and Yahoo have updated their DMARC policies to improve security and handle cyber threats. These updates emphasize the importance of implementing DMARC to ensure email deliverability and security.
So, how do you align with the Google Consent Mode V2? Let’s take a look step by step.
How to Check the Current Records
Here is a step-by-step guide to checking your current DMARC policy records:
Check Your Existing SPF and DKIM Records
To check for existing SPF and DKIM records:
Use a DNS Lookup Tool: Many online tools allow you to check the DNS records of your domain. Examples include mxtoolbox.com or dnschecker.org.
- For SPF, select SPF Lookup or TXT Lookup and enter your domain name.
- For DKIM, it’s slightly more complex, because DKIM records are published under a specific selector. The selector is a label prefixed to the domain (for example, google in google._domainkey.yourdomain.com) that receiving servers use to locate the DKIM DNS record.
You might need to know the selector used by your email service provider to find the DKIM record. If you’re unsure, check your email service provider’s documentation or contact their support.
Setting Up SPF Record
Identify Your Sending IP Addresses: List all the IP addresses that send emails on behalf of your domain. This includes your own mail servers and any third-party services like Mailchimp or SendGrid.
Create the SPF Record: An SPF record is a TXT record in your DNS settings. The basic format looks like this: v=spf1 ip4:[YOUR_IP] include:[PROVIDER_DOMAIN] ~all
- Replace [YOUR_IP] with your sending IP address. If you have multiple, add one ip4: entry per address, separated by spaces.
- Replace [PROVIDER_DOMAIN] with the SPF domain of your email sending service. For example, for Google Workspace, you’d use include:_spf.google.com.
- ~all indicates a soft fail for IPs not listed in the record. For a stricter approach, use -all.
Add the SPF Record to Your DNS: Log into your DNS control panel. Look for an option to add a new record. Select TXT as the type, enter @ or your domain as the host, and paste your SPF string as the value.
Setting Up DKIM Record
Generate a DKIM Key Pair: Your email service provider usually generates this for you. If you’re managing your own mail server, tools like OpenDKIM can generate these keys.
Publish the Public Key: Once you have the public DKIM key, you’ll add it to your DNS settings as a TXT record. The host name for this TXT record typically looks like selector._domainkey.yourdomain.com, where selector is a unique identifier for your DKIM key.
- The value of this TXT record will be your public key, provided by your email service or generated by your DKIM tool.
Enable DKIM Signing: Ensure your email service or server is configured to sign outgoing emails with the private DKIM key. This process varies depending on your setup, so refer to your service’s documentation or server configuration.
Create a DMARC Policy
Generate Your DMARC Record: A basic DMARC policy for monitoring might look like v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com, where rua specifies where aggregate reports should be sent. It’s recommended to start with a DMARC policy of p=none to monitor and understand how your emails are being authenticated.
- This allows for a period of observation without affecting the delivery of emails that might fail DKIM/SPF authentication.
Publish Your DMARC Record: Like SPF and DKIM, the DMARC policy is added as a TXT record in your DNS. The host for this record should be _dmarc.yourdomain.com. Go to your DNS management panel, add a TXT record, use _dmarc as the host, and set the value to your DMARC policy string.
DMARC Policy Adjustment and Gradual Enforcement: After a period of monitoring, if no issues are observed, it’s advised to adjust the DMARC policy to a more restrictive setting such as p=quarantine and eventually p=reject. It’s also suggested to start quarantining a small percentage of messages (e.g., pct=5) and gradually increase this percentage as you become more confident in your email authentication process.
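To sanity-check the SPF and DMARC strings from the steps above before publishing them, here is an added example (not code from the original post) that parses a DMARC record, flags common mistakes, classifies the SPF all qualifier, and suggests the next rung of the p=none, p=quarantine, p=reject ladder. The sample records are constructed, and the doubling of pct at each step is an assumption of this example, not a rule from the post.

```python
import re
SAMPLE_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com"  # constructed sample
SAMPLE_SPF = "v=spf1 ip4:203.0.113.10 include:_spf.google.com ~all"  # constructed sample
POLICIES = ("none", "quarantine", "reject")

def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict of lower-cased tags, in order."""
    tags = {}
    for part in filter(None, (p.strip() for p in record.split(";"))):
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags

def check_dmarc(record):
    """Return a list of problems; an empty list means the record looks sane."""
    tags, problems = parse_dmarc(record), []
    if list(tags)[:1] != ["v"] or tags["v"] != "DMARC1":
        problems.append("record must start with v=DMARC1")
    if tags.get("p") not in POLICIES:
        problems.append("p= must be none, quarantine or reject")
    pct = tags.get("pct", "100")
    if not (pct.isdigit() and int(pct) <= 100):
        problems.append("pct= must be an integer from 0 to 100")
    if "rua" not in tags:
        problems.append("no rua= tag, so no aggregate reports will arrive")
    elif not all(u.strip().startswith("mailto:") for u in tags["rua"].split(",")):
        problems.append("rua= URIs must use mailto:")
    return problems

def next_enforcement_step(record):
    """Suggest the next rung of the none -> quarantine (pct ramp) -> reject ladder."""
    tags = parse_dmarc(record)
    policy, pct = tags.get("p"), int(tags.get("pct", "100"))
    if policy == "none":
        return "p=quarantine; pct=5"  # start by quarantining a small share
    if policy == "quarantine":  # assumed ramp: double pct until 100, then reject
        return f"p=quarantine; pct={min(pct * 2, 100)}" if pct < 100 else "p=reject"
    if policy == "reject":
        return "p=reject (already fully enforced)"
    raise ValueError(f"unknown policy {policy!r}")

def spf_all_qualifier(record):
    """Return '-', '~', '?' or '+' for the 'all' mechanism, or 'missing'."""
    if not record.startswith("v=spf1"):
        raise ValueError("not an SPF record")
    match = re.search(r"(?:^|\s)([-~?+]?)all(?:\s|$)", record)
    return (match.group(1) or "+") if match else "missing"
```

Paste the TXT value returned by the lookup tools mentioned earlier into check_dmarc or spf_all_qualifier; a "+" or "missing" result for SPF means any IP passes, which defeats the purpose of the record.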
Additional Notes for Shopify Users
Shopify-Specific Considerations: If your domain is managed by Shopify, they have announced that they will handle the DMARC setup along with the required DKIM and SPF authentication on behalf of their merchants in response to the new email deliverability requirements set by Google and Yahoo.
This means there’s no action required from the merchant’s side if their domain is hosted by Shopify.
For merchants who have already set up DMARC or are using domains not managed by Shopify, it’s crucial to ensure that their records are correctly configured. Shopify recommends starting with a p=none policy and suggests using tools for analyzing DMARC reports, such as EasyDMARC, to assist merchants in understanding their email authentication reports.
Shopify has highlighted that besides having a DMARC policy, merchants should also maintain a low complaint rate (below 0.3%) to prevent their emails from being filtered into spam folders. This emphasizes the importance of not only technical settings but also the quality and relevance of the emails being sent.
What Happens If You Don’t Update DMARC Policy
Increased Risk of Spoofing: Lack of DMARC makes it easier for attackers to send emails that appear to be from your domain, potentially damaging your brand’s reputation.
Phishing Vulnerabilities: Without DMARC, your domain is more susceptible to being used in phishing scams, posing a significant security risk.
Delivery Issues: Inaccurate or outdated DMARC, SPF, and DKIM records can lead to emails being flagged as spam or not delivered, impacting communication.
Compliance Issues: Failing to comply with the updated requirements from email providers like Google and Yahoo could lead to legitimate emails being rejected, particularly affecting entities that send large volumes of emails.
Bonus: We also recommend checking our detailed blog post on Most Faced Shopify GA4 & Ads Tracking Issues!