What you need to know now about Google’s email DMARC requirements

You may have heard that effective February 1st, there’s new domain security requirements that all bulk email senders need to implement. One of the key changes is that Google and Yahoo now require strict alignment between the “From” address in your email header and the sending domain’s SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) records. Put simply, it will soon be difficult for your messages to avoid your recipient’s spam folder unless your message headers are in alignment with these measures. DMARC (Domain-based Message Authentication Reporting and Conformance) is a mail policy and reporting protocol that prevents domain spoofing while offering feedback reporting showing where trouble spots may exist.

For now, this officially only impacts big bulk senders (about 5000 messages per day)—which is a lot—but it’s likely that this will expand further in the future as DMARC is more widely adopted. If you use a email marketing platform like ConvertKit, MailChimp, Keap, etc… it’s possible you’ve been sent an email explaining the new changes.  In some cases, these services will not send additional messages until a DMARC record has been added to your sending domain.

So, what does DMARC do?

DMARC (short for Domain-based Message Authentication Reporting and Conformance) is a text record added to your domain’s DNS that instructs recipient servers what to do with email messages whose headers don’t comply with the required domain alignment. For DMARC to work, a sending domain’s DNS must also have a SPF and a DKIM record already in place. If in the event these two records don’t line up with the message header, the DMARC record tells the receiving server what to do with the message: nothing (deliver it), quarantine (hold it), or reject it entirely. Optionally, the DMARC record will include an email address so that actions taken with messages are reported to the domain owner for further review.  These reports help large senders spot security vulnerabilities and take action to reduce risk.

The good news is that most businesses with domain email will already have an SPF record and (hopefully) a DKIM record in place, making DMARC compliance relatively simple with a DNS update.

Who is affected by the new requirements?

For now, only large-scale senders are affected, but there’s no reason not to be proactive and implement SPF/DKIM and DMARC today. If you send mail using a subdomain, those are also subject to the new requirements. If you send marketing emails using an email service like MailChimp, and don’t use a custom sending domain, be sure to contact your provider and see if there’s any additional action you need to take. However, the service will do their part to be sure their sending domain is fully authenticated and consistent in the message header.

How to comply with the new DMARC requirements

1. Check with your email marketing platform, if they haven’t already contacted you. In most cases, they will provide instructions on how to get your DMARC record set up and published.

2. Implement SPF and DKIM: To comply with DMARC, you need to ensure that your domain has Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) configured properly. SPF verifies that the sender’s IP address is authorized to send emails on behalf of the domain, while DKIM adds a digital signature to each outgoing email for added authenticity.

3. Publish a DMARC record: The next step is to publish a DMARC record in your DNS settings. This record specifies how receiving mail servers should handle messages from your domain – whether they should pass, quarantine, or reject emails that fail authentication checks. There’s multiple options for this, but the simplest approach is to add a TXT record to your domain’s DNS as follows:

Host:   _dmarc.yourdomain.com
Value:  v=DMARC1; p=none;

4. Optionally, enable reporting features provided by DMARC to receive feedback on how your emails are being handled by different receivers’ servers. These reports will give you insights into any unauthorized use of your domain or attempts at spoofing.  This is totally optional but only needed with high-volume senders or ecommerce domains, or if you’re simply curious.

5. If you decide to enforce strict alignment policies, go gradually.  Start with a “p=none” policy when implementing DMARC initially so that you can gather data about legitimate sources sending emails on behalf of your domain without affecting deliverability rates. Enabling the (p=quarantine or p=reject) enforcement options should be done with great caution, unless you know what you’re doing. Before moving towards enforcement mode, run thorough tests by gradually increasing the percentage of rejected messages until you are confident there won’t be any false positives or disruptions.

An experienced webmaster can help!

Editing your domain’s DNS records isn’t rocket science, but it can be daunting if you don’t do it regularly. ProVirtual Solutions can help. Save time and ensure your domain’s DNS and DMARC settings are correct and updated. Schedule an introductory call today to learn more about how an experienced webmaster can set your mind at ease.

Scroll to Top