
What DMARC Policy Should Senders Use in 2024?


If you never thought about choosing the right DMARC policy before 2024, you're not alone. Now that Gmail and Yahoo are getting serious about the use of email authentication protocols, many senders and email marketers are trying their best to figure things out.

When Gmail and Yahoo announced new sender requirements, perhaps the most important change was making these three protocols mandatory:

  1. SPF (Sender Policy Framework)
  2. DKIM (DomainKeys Identified Mail)
  3. DMARC (Domain-based Message Authentication, Reporting and Conformance)

When used together, these three DNS TXT records are an effective way to stop email spoofing. That's because they help mailbox providers (like Gmail and Yahoo) verify the identity of a sender before accepting or rejecting a message. While SPF and DKIM are fairly common, DMARC can be a bit more complex and confusing.

The DMARC policy dilemma

When Sinch Mailgun surveyed senders for its State of email deliverability 2023 report, the results revealed a lack of implementation and uncertainty around all three of those specifications, but DMARC fared the worst.

More than 18% of legitimate email senders surveyed admitted they had not yet set up a DMARC record. In reality, that number was likely much higher since another 38.8% of senders said they didn't even know if they were using DMARC or not.

Chart shows 38.8% of email senders are unsure about DMARC
From Mailgun's State of Email Deliverability 2023

Uncertainty was also common for senders who had implemented DMARC. Among those using the email specification, more than 40% said they were unsure of what their DMARC policy was. The most common choice (by a slim margin) was a DMARC policy of p=none. While that's enough to make Gmail and Yahoo happy in 2024, it's the bare minimum, and things are likely to change. Keep reading and we'll explain.

Chart shows 40.2% of senders are unsure of their DMARC policy
From Mailgun's State of Email Deliverability 2023

What does DMARC do?

Before we get too far, let's review how DMARC works. Its purpose is to protect sending domains from unauthorized use while making it easier for receiving mail servers to authenticate the identity of the sender. This helps prevent phishing, business email compromises (BECs), and other email scams. DMARC does this by checking for alignment of the two main email authentication protocols, SPF and DKIM. Here's a quick explanation of how they work:

  • SPF is a list of hostnames and IP addresses published on your DNS that are approved to send mail for your domain. For example, this may include a subdomain used for sending email or a shared IP your ESP has added you to.
  • DKIM verifies the identity of a sender using a cryptographic digital signature, created with the sender's private key and checked against the matching public key published in the sending domain’s DNS. DKIM also ensures the signed parts of a message are not altered in transit.

After finding out whether SPF and DKIM pass or fail, a DMARC policy informs mailbox providers as to how the message should be filtered.

How DMARC authentication works flowchart

DMARC also provides regular reporting to senders on authentication failures and who is attempting to send mail on behalf of their domain.

What are DMARC policies?

When implementing DMARC, email senders have three policy options:

  1. p=none: This tells mailbox providers to take no specific action on emails that fail authentication. They will most likely be delivered unless it is very obviously spam. A p=none DMARC policy leaves the decision up to mailbox providers.
  2. p=quarantine: This policy informs mailbox providers to send emails that fail authentication to spam or junk folders. These messages may also be blocked.
  3. p=reject: This is the strongest DMARC policy value. It ensures malicious email that fails authentication is stopped dead in its tracks. If a message fails DMARC when the policy is set to “reject”, it will not be delivered at all.

DMARC.org statistics have suggested an uptick in adoption. However, that's only part of the story. The site also states that more than 68% of those DNS records have a DMARC policy that’s set to p=none. And that’s a problem.

Chart on DMARC policy mix from 2022
From DMARC.org

The problem with using a p=none policy is that it doesn't do anything to help stop phishing and domain spoofing. While this DMARC policy allows you to receive reports, it fails to do what DMARC is meant to accomplish because nothing is being enforced.
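To make the pass/fail logic and the three policies concrete, here is an added example (not code from Mailgun or any mailbox provider) of a simplified receiver-side DMARC decision. The function names, the message fields, and the two-label shortcut for the organizational domain are assumptions for illustration; the `aspf` and `adkim` parameters correspond to the alignment tags a DMARC record can carry.

```python
def org_domain(domain):
    # Assumption: the organizational domain is the last two labels.
    # Real receivers consult the Public Suffix List (needed for e.g. co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, auth_domain, mode="r"):
    """Strict ('s') needs an exact match; relaxed ('r') accepts the same organizational domain."""
    a, b = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    return a == b if mode == "s" else org_domain(a) == org_domain(b)

def dmarc_result(msg, policy="none", aspf="r", adkim="r"):
    """Return 'pass', or the policy the domain owner asked receivers to apply."""
    # SPF or DKIM only counts if it passed AND its domain aligns with the header From domain.
    spf_ok = msg["spf_pass"] and aligned(msg["from"], msg["mail_from"], aspf)
    dkim_ok = msg["dkim_pass"] and aligned(msg["from"], msg["dkim_d"], adkim)
    return "pass" if (spf_ok or dkim_ok) else policy

# Constructed messages: header From domain, SPF (envelope MAIL FROM) domain, DKIM d= domain.
LEGIT = {"from": "yourcompany.com", "mail_from": "bounce.yourcompany.com", "spf_pass": True,
         "dkim_d": "yourcompany.com", "dkim_pass": True}
VIA_ESP = {"from": "yourcompany.com", "mail_from": "esp-bounces.example", "spf_pass": True,
           "dkim_d": "yourcompany.com", "dkim_pass": True}
SPOOF = {"from": "yourcompany.com", "mail_from": "other-sender.example", "spf_pass": True,
         "dkim_d": "other-sender.example", "dkim_pass": True}

if __name__ == "__main__":
    for name, msg in [("legit", LEGIT), ("via ESP", VIA_ESP), ("spoof", SPOOF)]:
        for policy in ("none", "quarantine", "reject"):
            print(f"{name:8} p={policy:10} -> {dmarc_result(msg, policy)}")
```

The third message passes SPF and DKIM for its own domain yet still fails DMARC because neither domain aligns with the From header, and under p=none that failure leads to no requested action.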

What do Gmail and Yahoo require for DMARC in 2024?

This might surprise you. In 2024, Gmail and Yahoo are only requiring that senders implement a DMARC policy of p=none. Why wouldn't they push things further, you ask? Good question.

The truth is, this requirement is only the first step. At this point, mailbox providers just want more senders to start implementing DMARC. Once those records are in place, it is very likely that more new requirements will emerge that require a policy of either p=quarantine or p=reject (at least for bulk email senders).

In a webinar with Sinch Mailgun, Marcel Becker of Yahoo confirmed this approach, saying:


"The end goal is ideally a policy of p=reject. That's what DMARC is for. Ensuring that your domain cannot be spoofed and protecting our mutual customers from abuse."

Marcel Becker, Senior Director of Product at Yahoo

For more insights straight from Gmail and Yahoo, get key takeaways from Mailgun's talk with Marcel Becker and Anu Yamunan, who is the Director of Product for Anti-Abuse & Safety at Google.

To be clear... a p=none policy is the minimum requirement. Mailbox providers would much rather have senders enforcing DMARC with a stronger policy.

So, you don't need to enforce DMARC in 2024. Most senders will simply need to get it set up with a p=none policy if they want to keep reaching Gmail and Yahoo users. However, one reason for having the p=none DMARC policy is that it allows senders to have a testing phase. You leave the policy of none in place until you feel comfortable that legitimate mail won't accidentally be rejected or quarantined. Eventually, your goal should be to change that policy.

The benefits of enforcing a stronger DMARC policy

Some senders hesitate to enforce strict DMARC policies due to fears it may hurt email deliverability. While an incorrectly configured DMARC record or other authentication issues may cause deliverability problems, the truth is that email authentication can lead to better deliverability.

The use of email authentication is a strong signal to mailbox providers that you are a responsible and reliable sender. When you’ve got a good email reputation, you are less likely to get blocklisted, less likely to get filtered into the junk folder, and more likely to land in the inbox.

Enforcing a strong DMARC policy is a clear signal that you are working to do the right thing. It protects your reputation as an email sender because it makes it easier for mailbox providers to identify your messages as legitimate and messages from spammers and scammers as malicious.

DMARC benefits for mailbox providers

All major mailbox providers support DMARC. That includes Gmail, Outlook, Yahoo, Apple Mail, and AOL. And as we see with Gmail and Yahoo, it's important enough to make it a requirement.

For mailbox providers, DMARC provides information about how to filter messages that fail authentication. This is what your domain’s DMARC policy does. When mailbox providers are unclear about how to handle unauthenticated messages, they may lean toward delivering them. That’s because their users would be more upset about not receiving real emails than dealing with spam. This is one reason why potentially dangerous emails sometimes sneak through.

DMARC benefits for email users

For email recipients, DMARC makes the inbox a safer place because it prevents malicious phishing attempts and brand spoofing emails from getting delivered. Specifically, it stops emails with forged information in the “from” field of an email header.

That means consumers have less to worry about when, for example, they open a transactional email from a brand they do business with regularly. Their inbox can be used for important customer communications. Email is a common and popular way for people to connect with brands. Mailgun's Email and the customer experience report found that around 3/4ths of consumers prefer email for both transactional and promotional messages.

DMARC benefits for senders and email marketers

For email senders, DMARC helps protect brand reputation and also provides valuable reports on the IP addresses that are sending mail on behalf of your domain. This lets you monitor for email spoofing and find out if legitimate emails are encountering authentication issues that impact deliverability. You can set up DMARC so that you get daily reports from servers receiving any emails claiming to be from you.

But more importantly, stronger email authentication helps maintain the integrity of the email channel because it keeps bad actors out of the inbox. It ensures that email continues to be a reliable and useful way to connect.

Try imagining a world in which you could no longer use emails to reach your subscribers, customers, and prospects. Both email senders and mailbox providers want people to keep using email. That's why Marcel Becker called them "our mutual customers." Enforcing a DMARC policy isn't just a good idea, it should be a responsibility. That's why mailbox providers like Gmail and Yahoo are likely to make p=reject mandatory in the future.

BIMI: The bonus benefit

Mobile devices show experience before and after BIMI logos

Another potential benefit of a strong DMARC policy is eligibility to have a certified logo show up on your marketing and transactional emails. This is made possible through a specification known as Brand Indicators for Message Identification (BIMI).

BIMI adds more branding to the inbox experience and there’s evidence it could help increase engagement metrics such as open rates. It could also serve as a sign that the email can be trusted.

That’s because any email that displays a BIMI logo has also been authenticated using DMARC. However, mailbox providers won’t show a BIMI logo unless you have a DMARC policy of either p=quarantine or p=reject.

What does a DMARC record look like?

There’s more to a DMARC record than just the policy. Let’s take a closer look at the TXT record you’ll need to publish on your DNS server.

When you set up your DMARC policy and create a DNS record, there are up to 11 tags you may use. Only two of those are required: the v tag (version) and the p tag (policy). But you also want to use the “rua=” tag, because it defines the email addresses where receiving mail servers should send DMARC reports.

Here’s a quick explanation of all DMARC tags:

  • v: The version of DMARC used (DMARC1).
  • p: The DMARC enforcement policy: none, quarantine, or reject.
  • rua: A list of email addresses where DMARC aggregate reports are sent.
  • pct: The percentage of messages that are subject to the enforcement policy. Default is pct=100.
  • aspf: Defines the alignment mode for SPF, which could be strict or relaxed with pass/fail scenarios.
  • adkim: Defines the alignment mode for DKIM, which could be strict or relaxed with pass/fail scenarios.
  • sp: Represents different enforcement policies for subdomains.
  • ruf: Lists email addresses for sending DMARC failure/forensic reports, which are more detailed than aggregate reports.
  • fo: Indicates the options for creating a DMARC failure/forensic report.
  • rf: Declares the forensic reporting format for message-specific failure reports.
  • ri: Sets the interval for sending DMARC reports, which is defined in seconds but is usually 24 hours or more.

A DMARC record with only the basics will look something like this:

v=DMARC1; p=reject; rua=mailto:dmarc-reports@yourcompany.com

The v and p tags must appear first. All other tags can appear in any order.

A somewhat more complex DMARC record might look like this:

v=DMARC1; p=quarantine; sp=quarantine; rua=mailto:dmarc-reports@yourcompany.com; pct=100; aspf=s; adkim=s

If you’re pursuing BIMI implementation, it’s important to know about the values required for a couple of optional tags. As with your main DMARC policy, subdomain policies cannot be set to none (sp=none). Furthermore, the percentage tag must have a value of 100 (pct=100), which means all emails are subject to your DMARC policy.
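The record rules above (tag order, allowed policy values, the rua recommendation, and the BIMI conditions on p, sp and pct) can be checked mechanically before you publish. The following is an added example, not a Mailgun tool; `parse_dmarc` and `lint_dmarc` are hypothetical names, and the rule that sp inherits the value of p when absent comes from the DMARC specification rather than from this page.

```python
POLICIES = {"none", "quarantine", "reject"}

def parse_dmarc(record):
    """Split a record into an ordered list of (tag, value) pairs."""
    pairs = []
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate a trailing ';'
        tag, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag-value pair: {part!r}")
        pairs.append((tag.strip().lower(), value.strip()))
    return pairs

def lint_dmarc(record):
    """Return a dict with 'errors', 'warnings' and 'bimi_ready' for one record."""
    pairs = parse_dmarc(record)
    tags = dict(pairs)
    errors, warnings = [], []
    if not pairs or pairs[0] != ("v", "DMARC1"):
        errors.append("v=DMARC1 must be the first tag")
    if len(pairs) < 2 or pairs[1][0] != "p":
        errors.append("p must be the second tag")
    policy = tags.get("p", "").lower()
    if policy not in POLICIES:
        errors.append(f"invalid policy {policy!r}")
    pct = tags.get("pct", "100")  # pct defaults to 100
    if not pct.isdigit() or int(pct) > 100:
        errors.append(f"pct must be 0-100, got {pct!r}")
    if "rua" not in tags:
        warnings.append("no rua tag: no aggregate reports will arrive")
    if policy == "none":
        warnings.append("p=none: monitoring only, nothing is enforced")
    sp = tags.get("sp", policy).lower()  # subdomains inherit p when sp is absent
    bimi_ready = (not errors and policy in ("quarantine", "reject")
                  and sp != "none" and int(pct) == 100)
    return {"errors": errors, "warnings": warnings, "bimi_ready": bimi_ready}

# Constructed sample records (the first two are the forms shown above).
SAMPLES = [
    "v=DMARC1; p=reject; rua=mailto:dmarc-reports@yourcompany.com",
    "v=DMARC1; p=quarantine; sp=quarantine; rua=mailto:dmarc-reports@yourcompany.com; pct=100; aspf=s; adkim=s",
    "v=DMARC1; p=none; rua=mailto:dmarc-reports@yourcompany.com",
    "p=reject; v=DMARC1",
]
if __name__ == "__main__":
    for rec in SAMPLES:
        print(rec, "->", lint_dmarc(rec))
```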

How to publish a DMARC record

First, set up SPF and DKIM, if you haven’t done so already. Those should be running for at least 48 hours before you set up DMARC.

Then, go to your DNS hosting provider, and follow these steps:

  1. Add your DMARC record to your DNS by creating a new record.
  2. Use the TXT record type — this will likely be in a dropdown menu.
  3. Enter _DMARC in the Name or Host field.
  4. Enter the required tag value pairs (v= and p=) as well as any optional tag values needed.
  5. Save, or create, the DMARC record.
  6. Validate that the DMARC record has been set up correctly by running a DMARC Record Check.

If you start with a policy value of p=none during initial implementation and testing, you should eventually update it to p=quarantine or p=reject.

Setting up DMARC seems pretty simple on the surface, but it can get very technical. So, you may need to ask your IT department for help. There are also vendors that specialize in DMARC implementation.

For example, Red Sift is a cybersecurity company that offers OnDMARC, which is a service that helps out with many factors of email authentication, including BIMI as well as DKIM and SPF configuration. Other vendors who can help with DMARC include dmarcian and PowerDMARC.

The tools to improve email deliverability in 2024

DMARC is just one of several factors senders are thinking about this year thanks to the changes from Gmail and Yahoo. Research from Sinch Mailgun found the biggest benefits of prioritizing email deliverability are improved customer satisfaction and increased revenue.

If you're ready to get serious about inbox placement, Mailgun Optimize is a complete deliverability suite. It includes reports that tell you if your authentication protocols are working properly. Plus, you'll also find out if your emails are likely to land in spam, email validation tools, email previews, blocklist monitoring, and more.
