Why DMARC Matters
Without DMARC, attackers can send emails that appear to come from your domain. DMARC:
- Prevents Spoofing - Tells receiving servers to quarantine or reject mail that uses your domain without passing aligned authentication
- Improves Deliverability - Authenticated emails are more likely to reach the inbox
- Provides Visibility - Reports show who is sending email as your domain
- Enables BIMI - Required for displaying your logo in email clients
- Builds Trust - Recipients know emails from your domain are legitimate
How DMARC Works
DMARC works with SPF and DKIM to authenticate emails:
- Sender sends an email claiming to be from @yourcompany.com
- Receiving server checks SPF (authorized sending servers)
- Receiving server checks DKIM (cryptographic signature)
- Receiving server checks that the domain which passed SPF or DKIM aligns with the From header domain, then reads the DMARC policy for instructions
- Based on the policy, the email is delivered, quarantined, or rejected
DMARC Policies
DMARC has three policy levels:
| Policy | Action | Use Case |
|---|---|---|
| p=none | Monitor only, deliver all emails | Initial setup, gathering data |
| p=quarantine | Send failing emails to spam | Transitioning to enforcement |
| p=reject | Block failing emails entirely | Full protection |
Setting Up DMARC
Basic DMARC Record
Add a TXT record to your domain:
| Field | Value |
|---|---|
| Type | TXT |
| Name | _dmarc |
| Value | v=DMARC1; p=none; rua=mailto:dmarc@example.com |
Record Parameters Explained
| Parameter | Required | Description |
|---|---|---|
| v=DMARC1 | Yes | DMARC version identifier; must be the first tag |
| p= | Yes | Policy for the domain (none, quarantine, reject) |
| rua= | No | mailto: address for aggregate reports |
| ruf= | No | mailto: address for forensic (failure) reports |
| pct= | No | Percentage of failing messages the policy is applied to (0-100, default 100) |
| adkim= | No | DKIM alignment mode (r=relaxed, s=strict; default r) |
| aspf= | No | SPF alignment mode (r=relaxed, s=strict; default r) |
| sp= | No | Policy for subdomains (defaults to the p= value) |
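The tags in the table above have fixed syntax rules, and a record that breaks them is silently ignored by receivers, so it is worth checking a record before publishing it. The following validator is an added example written for this page; it is not Lettr's code and does not query DNS. The sample records in the docstring and usage are constructed.

```python
"""Parse and sanity-check a DMARC TXT record value (added example, not Lettr code).

Checks the tags documented above against the RFC 7489 syntax rules; it does
not query DNS. Sample record strings used with it are constructed.
"""
import re

ALLOWED_POLICIES = {"none", "quarantine", "reject"}
ALLOWED_ALIGNMENT = {"r", "s"}
# mailto: URI with an optional "!size" report-size suffix (e.g. mailto:a@example.com!10m)
_MAILTO = re.compile(r"^mailto:[^@\s,!]+@[^@\s,!]+(![0-9]+[kmgt]?)?$", re.IGNORECASE)


def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=none; rua=...' into a lower-cased tag -> value dict."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate a trailing ';'
        if "=" not in part:
            raise ValueError(f"tag without '=': {part!r}")
        name, value = part.split("=", 1)
        tags[name.strip().lower()] = value.strip()
    return tags


def validate_dmarc(record: str) -> list:
    """Return a list of problems; an empty list means the record is usable."""
    try:
        tags = parse_dmarc(record)
    except ValueError as exc:
        return [str(exc)]
    problems = []

    # v=DMARC1 must be the first tag, or receivers discard the whole record.
    first = record.strip().split(";", 1)[0].replace(" ", "")
    if first.lower() != "v=dmarc1":
        problems.append("record must start with v=DMARC1")

    # p= is required and must be one of the three policies.
    policy = tags.get("p", "").lower()
    if not policy:
        problems.append("missing required p= tag")
    elif policy not in ALLOWED_POLICIES:
        problems.append(f"unknown policy p={tags['p']}")

    if "sp" in tags and tags["sp"].lower() not in ALLOWED_POLICIES:
        problems.append(f"unknown subdomain policy sp={tags['sp']}")

    for tag in ("adkim", "aspf"):
        if tag in tags and tags[tag].lower() not in ALLOWED_ALIGNMENT:
            problems.append(f"{tag}= must be r or s, got {tags[tag]}")

    # pct= is an integer 0-100 (the spec allows 0; the page's rollout uses 10 upward).
    if "pct" in tags:
        if not tags["pct"].isdigit() or not 0 <= int(tags["pct"]) <= 100:
            problems.append(f"pct= must be an integer 0-100, got {tags['pct']}")

    # Report destinations are comma-separated mailto: URIs.
    for tag in ("rua", "ruf"):
        for uri in filter(None, (u.strip() for u in tags.get(tag, "").split(","))):
            if not _MAILTO.match(uri):
                problems.append(f"{tag}= URI is not a mailto: address: {uri}")
    return problems


if __name__ == "__main__":
    for rec in ("v=DMARC1; p=none; rua=mailto:dmarc@example.com",   # constructed, valid
                "p=none; v=DMARC1",                                  # constructed, wrong tag order
                "v=DMARC1; p=quarantine; pct=150"):                  # constructed, bad pct
        print(rec, "->", validate_dmarc(rec) or "ok")
```

Run the validator over the exact string you are about to paste into DNS; the most common real-world mistakes it catches are a misordered v= tag, a bare address in rua= without the mailto: prefix, and a pct= outside 0-100.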
Recommended DMARC Rollout
A gradual rollout minimizes the risk of blocking legitimate emails:
- Monitor (2-4 weeks) - Start with p=none to receive reports without affecting email delivery. Review the reports to identify all legitimate email sources.
- Quarantine at Low Percentage (2-4 weeks) - Move to p=quarantine with a low percentage, for example pct=10, to test enforcement. This applies quarantine to only 10% of failing messages.
- Increase Quarantine Percentage - Gradually increase pct as you confirm legitimate emails pass, until you reach pct=100.
- Reject - Then move to p=reject for full protection.
DMARC Alignment with Lettr
When you verify a sending domain in Lettr, the SPF and DKIM records are configured to pass DMARC alignment automatically. Here's how Lettr's infrastructure interacts with each check:
DKIM Alignment
- Lettr signs every email with a DKIM key specific to your domain
- The d= parameter in the DKIM signature matches your sending domain (e.g., d=yourcompany.com)
- Supports both relaxed and strict alignment; relaxed allows subdomains to match (e.g., mail.yourcompany.com aligns with yourcompany.com)
SPF Alignment
- Lettr uses a return-path domain (configured via the bounce CNAME record) that aligns with your sending domain
- This means the envelope sender domain matches your From domain for SPF alignment
- Supports both relaxed and strict alignment
What This Means for Your DMARC Policy
Because Lettr handles DKIM signing and SPF return-path alignment for you, emails sent through Lettr will pass DMARC as long as:
- Your sending domain is verified in Lettr (SPF and DKIM DNS records are in place)
- Your DMARC record exists at _dmarc.yourdomain.com
Note that a p=reject policy will block emails from any source that fails authentication, not just Lettr. Every other service that sends as your domain must be authenticated and aligned before you move to reject.
Check DMARC Status
Via Dashboard
- Go to Domains → Sending
- Select your domain
- View the DMARC status indicator
Via API
DMARC Status Values
| Status | Description |
|---|---|
| valid | DMARC record found and valid |
| unverified | Record not yet detected |
| invalid | DMARC record has syntax errors |
| missing | No DMARC record found |
| not_applicable | DMARC check not required for this domain type |
DMARC Reports
DMARC reports provide visibility into email authentication:
Aggregate Reports (RUA)
Daily XML reports containing:
- Source IPs sending email as your domain
- Authentication results (SPF, DKIM pass/fail)
- Policy applied (none, quarantine, reject)
- Volume of emails from each source
| Source IP | Messages | SPF | DKIM | Policy Applied |
|---|---|---|---|---|
| 192.0.2.1 | 1,500 | Pass | Pass | None |
| 192.0.2.2 | 50 | Fail | Fail | Quarantine |
| 192.0.2.3 | 10 | Fail | Fail | Reject |
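Aggregate reports arrive as XML inside a zipped or gzipped attachment, and the per-source table above is what you want to extract from them. The script below is an added example for this page, not Lettr's code: it reads a constructed minimal report in the RFC 7489 Appendix C schema and reduces it to rows. Unpack a real attachment first and pass the XML text to summarise(). Note that the second source in the sample passes raw SPF for its own domain but fails DMARC's aligned SPF, which is exactly the spoofing case the policy is there to catch.

```python
"""Summarise a DMARC aggregate (RUA) report into per-source rows.

Added example, not Lettr code. SAMPLE_REPORT is a constructed minimal report.
Reports come from arbitrary Internet receivers, so treat them as untrusted
input; the stdlib parser does not resolve external entities, but use
defusedxml if you process reports at scale.
"""
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>example-receiver.net</org_name>
    <report_id>12345</report_id>
    <date_range><begin>1700000000</begin><end>1700086400</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain>
    <adkim>r</adkim><aspf>r</aspf><p>quarantine</p><sp>quarantine</sp><pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>192.0.2.1</source_ip><count>1500</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>bounce.example.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>192.0.2.2</source_ip><count>50</count>
      <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <spf><domain>attacker.example.net</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def report_window(xml_text):
    """Return (reporting organisation, begin epoch, end epoch) from the metadata."""
    meta = ET.fromstring(xml_text).find("report_metadata")
    return (meta.findtext("org_name"),
            int(meta.findtext("date_range/begin")),
            int(meta.findtext("date_range/end")))


def summarise(xml_text):
    """One dict per <record>: the aligned results DMARC actually used, plus raw SPF domain."""
    rows = []
    for rec in ET.fromstring(xml_text).iter("record"):
        row = rec.find("row")
        evaluated = row.find("policy_evaluated")
        rows.append({
            "source_ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            # policy_evaluated holds the *aligned* SPF/DKIM verdicts, not the raw ones
            "dkim": evaluated.findtext("dkim"),
            "spf": evaluated.findtext("spf"),
            "disposition": evaluated.findtext("disposition"),
            "header_from": rec.findtext("identifiers/header_from"),
            "spf_domain": rec.findtext("auth_results/spf/domain"),
        })
    return rows


def failing_sources(rows):
    """Sources with neither aligned SPF nor aligned DKIM: spoofing, or a sender you have not configured yet."""
    return [r for r in rows if r["dkim"] != "pass" and r["spf"] != "pass"]


def print_table(rows):
    print("| Source IP | Messages | SPF | DKIM | Policy Applied |")
    for r in rows:
        print(f"| {r['source_ip']} | {r['count']:,} | {r['spf']} | {r['dkim']} | {r['disposition']} |")


if __name__ == "__main__":
    print(report_window(SAMPLE_REPORT))
    print_table(summarise(SAMPLE_REPORT))
    print("investigate:", [r["source_ip"] for r in failing_sources(SAMPLE_REPORT and summarise(SAMPLE_REPORT))])
```

When triaging, look at failing_sources() first and compare each source IP against your known senders; an unknown IP with a passing raw SPF domain that is not yours (like attacker.example.net above) is a spoofing attempt, while a known service IP in that list is a sender that still needs aligned SPF or DKIM before you move to p=reject.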
Forensic Reports (RUF)
Individual failure reports containing:
- Original email headers
- Authentication failure details
- Timestamp and recipient information
Forensic reports may contain sensitive information. Many receivers don’t send them due to privacy concerns.
Report Analysis Tools
Raw DMARC reports are XML files that can be difficult to read. Consider using:
- DMARC Analyzer - Parses and visualizes reports
- Postmark DMARC - Free weekly DMARC digests
- Valimail - Enterprise DMARC management
- dmarcian - DMARC monitoring and analysis
Subdomain Policies
Control how DMARC applies to subdomains:
Inherit Parent Policy (Default)
Without an sp= tag, subdomains inherit the parent domain's policy: a record of v=DMARC1; p=reject at _dmarc.example.com applies p=reject to example.com and all subdomains.
Explicit Subdomain Policy
Set a different policy for subdomains using sp=: for example, v=DMARC1; p=reject; sp=quarantine applies p=reject to example.com but only p=quarantine to subdomains.
Subdomain-Specific Records
Create a separate DMARC record for a subdomain, for example a TXT record at _dmarc.mail.example.com. Receivers look for a record at the exact From domain first, so it takes precedence over the parent's p= and sp= settings; if the subdomain has no record of its own, receivers fall back to the organizational domain's record, not to an intermediate parent.
Common DMARC Configurations
Monitoring Only
Best for initial setup: v=DMARC1; p=none; rua=mailto:dmarc@example.com
Standard Protection
Good balance of security and flexibility: v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com
Maximum Protection
For domains with full authentication: v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@example.com (only enable strict alignment once every sender's DKIM d= or return-path domain exactly matches the From domain)
BIMI-Ready
Required for BIMI logo display: v=DMARC1; p=reject; rua=mailto:dmarc@example.com (BIMI requires p=quarantine with pct=100 or p=reject, and the subdomain policy must not be none)
Troubleshooting
DMARC failing despite SPF/DKIM passing
DMARC requires alignment between the From address and the SPF/DKIM domains; a pass from an unrelated domain does not count:
- Ensure the DKIM signature domain (d=) matches the From domain
- Ensure the return-path domain matches the From domain (or a subdomain of it with relaxed alignment)
- Check the alignment mode (adkim and aspf parameters); strict mode requires an exact match
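To make the alignment rule concrete, and to show how the subdomain policy lookup from the Subdomain Policies section interacts with it, here is a small receiver-side DMARC evaluation. It is an added example for this page (covering the How DMARC Works steps, the subdomain policy rules and this troubleshooting item), not Lettr's code. DNS is replaced by the constructed ZONE dict, the organizational domain is approximated as the last two labels (real receivers use the Public Suffix List), and pct= sampling is not modelled.

```python
"""Evaluate DMARC for one message the way a receiving server does.

Added example, not Lettr code. ZONE is a constructed stand-in for DNS;
org_domain() is a two-label approximation of the Public Suffix List lookup.
"""

# Constructed TXT records, keyed by the _dmarc name a receiver would query.
ZONE = {
    "_dmarc.example.com": "v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc@example.com",
    "_dmarc.news.example.com": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "_dmarc.strict.example": "v=DMARC1; p=reject; adkim=s; aspf=s",
}

DISPOSITION = {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}


def parse_tags(record):
    """Minimal tag=value split of a DMARC record (no syntax validation)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip().lower()] = value.strip()
    return tags


def org_domain(domain):
    """Approximate organizational domain: the last two labels."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def discover_policy(from_domain, zone=ZONE):
    """Policy discovery (RFC 7489 section 6.6.3).

    A record at the exact From domain wins. Otherwise the organizational
    domain's record applies, using its sp= (or p= when sp= is absent).
    Intermediate parents are never consulted: deep.news.example.com falls
    back to example.com, not news.example.com. Returns None if no record.
    """
    from_domain = from_domain.lower()
    record = zone.get(f"_dmarc.{from_domain}")
    if record:
        tags = parse_tags(record)
        return {"policy": tags["p"].lower(), "tags": tags}
    org = org_domain(from_domain)
    if org == from_domain:
        return None
    record = zone.get(f"_dmarc.{org}")
    if not record:
        return None
    tags = parse_tags(record)
    return {"policy": tags.get("sp", tags["p"]).lower(), "tags": tags}


def aligned(auth_domain, from_domain, mode):
    """Strict (s): identical domains. Relaxed (r): same organizational domain,
    so mail.example.com aligns with example.com."""
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def evaluate(from_domain, dkim_results, spf_result, zone=ZONE):
    """Return (dmarc_result, disposition) for one message.

    dkim_results: list of (d= domain, "pass"/"fail"), one per signature.
    spf_result:   (envelope-from domain, "pass"/"fail").
    A raw SPF or DKIM pass only counts when the passing domain aligns with
    the From domain; that is the "SPF/DKIM pass but DMARC fails" case.
    """
    policy = discover_policy(from_domain, zone)
    if policy is None:
        return ("none", "deliver")  # no DMARC record: nothing to enforce
    tags = policy["tags"]
    adkim = tags.get("adkim", "r").lower()
    aspf = tags.get("aspf", "r").lower()
    dkim_ok = any(res == "pass" and aligned(d, from_domain, adkim) for d, res in dkim_results)
    spf_ok = spf_result[1] == "pass" and aligned(spf_result[0], from_domain, aspf)
    if dkim_ok or spf_ok:
        return ("pass", "deliver")
    return ("fail", DISPOSITION[policy["policy"]])


if __name__ == "__main__":
    # Spoof: SPF and DKIM both pass for the attacker's own domain, DMARC still fails and rejects.
    print(evaluate("example.com", [("attacker.example.net", "pass")], ("attacker.example.net", "pass")))
    # Lettr-style setup: DKIM d= is the From domain, return-path is a bounce subdomain (relaxed SPF alignment).
    print(evaluate("example.com", [("example.com", "pass")], ("bounce.example.com", "pass")))
```

Two things this makes visible: a subdomain such as mail.example.com with no record of its own is governed by the parent's sp=quarantine rather than its p=reject, and switching the strict.example zone to adkim=s makes a signature from mail.strict.example stop aligning even though the signature itself verifies.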
Not receiving DMARC reports
- Verify the rua email address is correct and uses the mailto: form
- If the report address is on a different domain than the DMARC record, that domain must publish an authorization TXT record at yourdomain.com._report._dmarc.otherdomain.com containing v=DMARC1, or receivers will not send reports there
- Check the spam folder for reports
- Allow time for reports to arrive (they are sent daily)
- Ensure the receiving mailbox can accept XML attachments (usually zipped or gzipped)
- Some receivers don't send reports for low-volume domains
Legitimate emails being rejected
- Review DMARC reports to identify the failing source
- Ensure all sending services are configured with proper SPF/DKIM
- Consider lowering pct temporarily
- Use p=quarantine instead of p=reject while investigating
DMARC record not found
- Verify the TXT record is at _dmarc.example.com
- Check for typos in the record name
- Allow time for DNS propagation
- Use a DNS lookup tool such as dig or nslookup to query the TXT record and confirm it starts with v=DMARC1
Third-party services failing DMARC
For services that send email on your behalf:
- Add them to your SPF record (this only helps DMARC if the service uses your domain as the return-path; otherwise SPF passes for their domain but does not align)
- Configure DKIM signing with your domain (d= set to your domain), which aligns regardless of the return-path
- Or use a subdomain with a separate DMARC policy
Best Practices
- Start with p=none - Always monitor before enforcing
- Review reports regularly - Identify legitimate senders before they're blocked
- Use aggregate reports - They're more useful and widely sent than forensic reports
- Increase enforcement gradually - Use the pct parameter to phase in policies
- Configure all senders first - Ensure SPF and DKIM are set up for all email sources
- Don't forget subdomains - Set explicit subdomain policies if needed
- Consider strict alignment - Use adkim=s; aspf=s for maximum security, after confirming every sender's DKIM d= or return-path domain exactly matches the From domain