If you send email from an address associated with your domain name (e.g. mail.acoolwebsite.com), you can use a DMARC record to help improve the trustworthiness of your email communications among your recipients. In this article, we will explain what a DMARC record is, where it is set, and why it is important.
What is DMARC?
DMARC stands for Domain-based Message Authentication, Reporting and Conformance. In short, DMARC exists to improve reporting on email delivery/trustworthiness. It builds upon the existing SPF and DKIM protocols by linking them to the domain in the “From:” field, adding policies for how to handle rejection and delivery failures, and adding regular reporting from recipients to domain owners.
How does DMARC work?
DMARC works by applying specific directives and reporting to the email send process. After an email passes standard validation tests (checking whether the sender’s IP was blacklisted, etc.), the recipient’s mail server validates the DKIM and SPF records on file and then applies the correct DMARC policy. Then, an aggregate report of how the email server handled the email messages (accept, quarantine for extra checks, or reject) is generated and sent regularly to the domain owner. You can find great documentation on how DMARC works on the DMARC documentation's Overview page, including a visual Sender to Recipient workflow.
How is DMARC configured?
DMARC policies are set in your DNS provider’s dashboard as a TXT record. Please note: Because DMARC is configured with your DNS provider, WP Engine Support cannot assist with configuring or troubleshooting these records.
The values you set in the TXT record make up the DMARC policy. The DMARC documentation gives the following example TXT record for “sender.dmarcdomain.com”:
"v=DMARC1;p=reject;pct=100;rua=mailto:[email protected]"
Let’s dissect the pieces of this record a bit further to understand what they mean.
- v=DMARC1 is the type of TXT record, or protocol version. We are using DMARC1 as the value in this scenario.
- p=reject is the action that should be taken by recipients if a message they received does not align with SPF and DKIM records. In this case the record says to reject any messages that do not align with the policy.
- pct=100 is the percentage of emails that are subject to filtering by recipients. 100%, or all emails, should be filtered in this scenario.
- rua=mailto:[email protected] says to send the aggregate reports generated to the [email protected] email address.
As you can see from the example given, DMARC TXT records adhere to a tag=value;tag=value format. There are a number of DMARC tags that can be used when configuring your DMARC records. See DMARC documentation for more information.
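To check a record before publishing it, the tag=value format described above can be parsed and audited with a short script. This is an added example, not code from WP Engine or the DMARC documentation; the function names, the finding messages and the reports@example.com address are assumptions made for illustration.

```python
VALID_POLICIES = {"none", "quarantine", "reject"}

def parse_dmarc(record):
    """Split a DMARC TXT value into an ordered dict of tag -> value."""
    tags = {}
    for part in record.strip().strip('"').split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate a trailing semicolon
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        name, value = part.split("=", 1)
        name = name.strip().lower()
        if name in tags:
            raise ValueError(f"duplicate tag: {name}")
        tags[name] = value.strip()
    return tags

def audit_dmarc(record):
    """Return findings; an empty list means full enforcement with reporting."""
    tags = parse_dmarc(record)
    findings = []
    # The version tag must come first and must be exactly DMARC1.
    if next(iter(tags), None) != "v" or tags["v"] != "DMARC1":
        return ["not a DMARC record: first tag must be v=DMARC1"]
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        findings.append(f"p is missing or invalid: {policy!r}")
    elif policy == "none":
        findings.append("p=none: receivers are asked to take no action on failing mail")
    pct = tags.get("pct", "100")  # pct defaults to 100 when omitted
    if not (pct.isascii() and pct.isdigit()) or int(pct) > 100:
        findings.append(f"pct must be an integer from 0 to 100: {pct!r}")
    elif int(pct) < 100:
        findings.append(f"pct={pct}: policy applies to only part of failing mail")
    uris = [u.strip() for u in tags.get("rua", "").split(",") if u.strip()]
    if not uris:
        findings.append("no rua: aggregate reports will not be sent to you")
    elif any(not u.lower().startswith("mailto:") for u in uris):
        findings.append("rua has a URI that is not mailto:")
    return findings

# Constructed sample records; reports@example.com is a placeholder address.
STRICT = "v=DMARC1;p=reject;pct=100;rua=mailto:reports@example.com"
WEAK = "v=DMARC1; p=none; pct=25"

if __name__ == "__main__":
    for rec in (STRICT, WEAK):
        print(rec, "->", audit_dmarc(rec) or "no findings")
```

A record that returns no findings asks recipients to reject all failing mail and sends you aggregate reports; the weak sample shows the three gaps most often left open during a rollout.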
Best Practices for Email Records with WP Engine
WP Engine does not control any of your email records for your domain. However, if you send regular WordPress email (password resets, etc.) through WP Engine, you may need to ensure our mail relay services are whitelisted in your email records. Read on to learn more.
SPF
If you are sending email through WP Engine’s servers rather than through a 3rd party email provider, you will want to ensure your SPF (Sender Policy Framework) records are configured correctly. WP Engine servers use the email relay services Sendgrid and Mailgun to deliver emails sent from WordPress. As such, we highly recommend whitelisting email sent through Sendgrid and Mailgun in your SPF records.
An SPF record is set as a TXT record similarly to DMARC, like so:
"v=spf1 include:sendgrid.net include:mailgun.org ~all"
DKIM
DKIM stands for DomainKeys Identified Mail, and is a record which authenticates that an email message was truly sent from your domain. Setting up DKIM involves determining which domains are approved to send mail for you, and then generating a public/private key pair. Your public key will be added as a TXT record created with your DNS provider, while your private key will be saved with your mail relay service (mail relay services include Mandrill, Sendgrid, Mailgun). Because WP Engine does not host your email records, our Support team cannot assist you in finding the proper value for this record or in storing the private key for mail relay services.