Updated: Sep 9, 2024
How to set up DMARC authentication
Essential email authentication protocols
SPF, DKIM and DMARC are essential email authentication protocols that help protect your domain from email spoofing and phishing attacks. Setting them up correctly is vital for improving email deliverability and building a positive domain reputation.
SPF (Sender Policy Framework) creates the ability to specify which servers are allowed to send email on behalf of your domain.
DKIM (DomainKeys Identified Mail) adds a digital signature to the emails you send, allowing the recipient's server to verify the authenticity of the email.
DMARC (Domain-based Message Authentication, Reporting & Conformance) builds upon SPF and DKIM by providing a policy that instructs receiving servers on how to handle emails that fail SPF and/or DKIM checks. It also provides a reporting mechanism for email authentication results.
How these authentication protocols affect your beehiiv account
-
beehiiv handles the creation of SPF and DKIM for all accounts: Over the course of a custom domain setup, beehiiv handles the SPF and DKIM records by creating CNAME records for users to add to the DNS settings of their domain.
-
Custom domain users are also required to have DMARC: As of February 2024, DMARC is a mandatory authentication protocol for all beehiiv accounts using a custom domain, serving as an added layer of security.
-
These authentications require accessing DNS settings: To configure SPF, DKIM, or DMARC records, you'll need access to your website's domain DNS settings, typically requiring domain ownership or authorized access.
-
Utilize additional DMARC resources: DMARC records, in particular, are sensitive and their accurate setup is important. To assist you with this delicate matter, we've provided a convenient wizard to create your DMARC record as well as some general guidance in this article. Should you require additional assistance beyond this resource, we recommend seeking help from an email deliverability expert or checking out Dmarcian and/or Agari.
Use our DMARC wizard to create your DMARC record
Start by entering your custom domain below, then follow the prompts to produce a unique DMARC record. After you have your DMARC record, please follow the steps for How to set up DMARC authentication.
How to set up DMARC authentication
- Log into your DNS provider, this is usually where you initially set up your domain. (Examples include GoDaddy, Namecheap, and Cloudflare.)
- Navigate to your website's DNS settings, this is where you will add your DMARC record as a new TXT record.
- Create a new TXT record by adding in the details of your DMARC record that was produced by the wizard above. The Hostname value for this TXT record should be _dmarc.
An example if using a p=none for your DMARC policy is:
Type:TXT
Host/Name: _dmarc
Value: v=DMARC1; p=none; rua=mailto:[email protected];
-
Take a moment to review the new TXT record and ensure everything is correct. Lastly, make sure to save these changes to your DNS!
-
Your new record will be published, but please note that the time it takes for each DNS provider to fully process may vary. DNS propagation for a DMARC policy can take anywhere from 10 seconds to 72 hours.
What a DMARC policy does
DMARC policies specify how the receiving server should treat emails that fail SPF and/or DKIM authentication. DMARC policy options include:
- 'none': Do nothing, just collect and report data
- 'quarantine': Move unauthenticated emails to the spam or junk folder
- 'reject': Reject unauthenticated emails outright
A DMARC policy also includes assigning a percentage, which determines the portion of your domain's email traffic to which the policy should apply. Additionally, the policy includes instructions on how it should be enforced.
- A ‘none’ policy’s percentage should be left blank. This will default to 100%.
- For ‘quarantine’ or ‘reject’ policies, we suggest starting with a low percentage (10% for example), then gradually increase it as you monitor the reports and gain confidence in your email authentication setup.
DMARC policy examples:
- If you choose ‘reject’ as the policy with a 50% application rate and report emails as "[email protected]", your DMARC record would look like this:
v=DMARC1; p=reject; pct=50; rua=mailto:[email protected]; ruf=mailto:[email protected];
- If you chose a ‘none’ policy and only wish to collect aggregate reports, your DMARC record would look like this:
v=DMARC1; p=none; rua=mailto:[email protected];
Both of these examples provide valid records. The first tells the recipient mailbox provider to reject 50% of mail seen that doesn’t pass DMARC. Whereas, the second simply collects DMARC reports and sends them back to you.
Frequently asked questions about DMARC
- Shields senders from domain spoofing
- Safeguards recipients against phishing attempts
- Identifies and consolidates mailing infrastructure
- Empowers domain owners to dictate actions in case of failure
How will I know that my DMARC record has been published?
You can use a lookup tool to see if your record is live. Alternatively, you can use your Terminal to run a dig/nslookup for your domain using:
nslookup _dmarc.yourdomain.com txt
dig _dmarc.yourdomain.com txt
My record is published, but my DKIM shows as 'Not Found,' what should I do?
While DMARC and SPF can be seen with a regular lookup in most checkers, DKIM requires an example message to check its status. This means that you’ll need to send some mail in order for your DKIM to show as “Found.”
Should I put a percentage on my ‘none’ policy?
No. When using a ‘none’ policy, you should keep the percentage blank, especially if you are using a wizard to create your record. If you are entering the record by hand, you should leave the pct= field off of your record, and use the percentage field for enforcement policies.
What does ‘enforcement’ mean in DMARC?
Enforcement is the term used for choosing either ‘quarantine’ or ‘reject’ as your policy. These enforce what a mailbox provider should do in the event of a DMARC failed message.
Do I need to add an SPF or DKIM record when setting up a custom domain?
Yes, when you set up a custom domain with your beehiiv account, you'll need to add three CNAME records. These records cover your SPF and a dual DKIM signature. Once you've added these three records and your domain is verified, there's nothing else to do. SPF and DKIM are covered going forward.
My DMARC wizard offers SPF/DKIM Relaxed or Strict. Which do I choose?
Choose Relaxed. Currently, there is no benefit to selecting Strict.
Do I need to make 2 DMARC records if I send from a subdomain [mail.yoursite.com] instead of from my root domain [yoursite.com]?
No, you don't. DMARC is typically set up at the root domain level. Unlike SPF and DKIM, DMARC employs a "rolling up" mechanism. This means that any subdomain you create under yoursite.com will be covered by your chosen policy. If you wish to apply a different policy to your subdomains, you can include the 'sp=' tag in your record and specify a different policy.
This would look like:
v=DMARC1; p=reject; sp=none; rua=mailto:[email protected];
Using this option would give yoursite.com a ‘reject’ policy and any subdomain of example.com a ‘none’ policy.
Do I need DMARC if I don’t have a custom domain?
Technically yes, but you don’t need to do anything. We’ve taken care of it all. This is because anyone sending across a beehiiv shared domain is fully covered by SPF, DKIM, and DMARC.
Why am I getting so many emails from my DMARC policy? How do I make them stop?
If you're receiving numerous emails related to your DMARC policy, it's likely due to the reporting mechanism built into DMARC. These emails provide valuable insights into how your domain is being used for email authentication purposes and help identify potential spoofing attempts or delivery issues. To reduce the volume of these emails, consider setting up a dedicated email address specifically for DMARC reporting. Additionally, you can adjust the frequency or granularity of reporting (the percentage) in your DMARC policy settings to better suit your needs.
Why is setting up DMARC necessary?
DMARC has become essential for ensuring email delivery to providers like Gmail and Yahoo, among others. More importantly, DMARC: