How to set up DMARC authentication

Essential email authentication protocols 

SPF, DKIM and DMARC are essential email authentication protocols that help protect your domain from email spoofing and phishing attacks. Setting them up correctly is vital for improving email deliverability and building a positive domain reputation.

SPF (Sender Policy Framework) creates the ability to specify which servers are allowed to send email on behalf of your domain. 

DKIM (DomainKeys Identified Mail) adds a digital signature to the emails you send, allowing the recipient's server to verify the authenticity of the email. 

DMARC (Domain-based Message Authentication, Reporting & Conformance) builds upon SPF and DKIM by providing a policy that instructs receiving servers on how to handle emails that fail SPF and/or DKIM checks. It also provides a reporting mechanism for email authentication results.

How these authentication protocols affect your beehiiv account 

  • beehiiv handles the creation of SPF and DKIM for all accounts: Over the course of a custom domain setup, beehiiv handles the SPF and DKIM records by creating CNAME records for users to add to the DNS settings of their domain.

  • Custom domain users are also required to have DMARC: As of February 2024, DMARC is a mandatory authentication protocol for all beehiiv accounts using a custom domain, serving as an added layer of security.

  • These authentications require accessing DNS settings: To configure SPF, DKIM, or DMARC records, you'll need access to your website's domain DNS settings, typically requiring domain ownership or authorized access.

  • Utilize additional DMARC resources: DMARC records, in particular, are sensitive and their accurate setup is important. To assist you with this delicate matter, we've provided a convenient wizard to create your DMARC record as well as some general guidance in this article. Should you require additional assistance beyond this resource, we recommend seeking help from an email deliverability expert or checking out Dmarcian and/or Agari.

When creating a new DMARC policy record, it is required to add an email address for data collection and reporting purposes. Please be aware that this email address will be publicly visible in DNS records. Additionally, since DMARC reporting can generate a significant volume of emails, it's advisable to use an email address specifically designated for this purpose rather than a personal email address.

Use our DMARC wizard to create your DMARC record

Start by entering your custom domain below, then follow the prompts to produce a unique DMARC record. After you have your DMARC record, please follow the steps for How to set up DMARC authentication.

Sending emails from your beehiiv subdomain? If so, there’s no need to worry about adding a DMARC record! As a result, beehiiv domains will not be accepted by this wizard.

How to set up DMARC authentication

  1. Log in to your DNS provider. This is usually where you initially set up your domain. (Examples include GoDaddy, Namecheap, and Cloudflare.)

  2. Navigate to your website's DNS settings. This is where you will add your DMARC record as a new TXT record.

  3. Create a new TXT record by adding in the details of your DMARC record that was produced by the wizard above. The Hostname value for this TXT record should be _dmarc.

    For example, if you are using p=none for your DMARC policy, the record is:

    Type: TXT

    Host/Name: _dmarc

    Value: v=DMARC1; p=none; rua=mailto:dmarc-reports@yoursite.com;

  4. Take a moment to review the new TXT record and ensure everything is correct. Lastly, make sure to save these changes to your DNS!

  5. Your new record will be published, but please note that the time it takes for each DNS provider to fully process may vary. DNS propagation for a DMARC policy can take anywhere from 10 seconds to 72 hours.

 


What a DMARC policy does

DMARC policies specify how the receiving server should treat emails that fail SPF and/or DKIM authentication. DMARC policy options include:

  • 'none': Do nothing, just collect and report data
  • 'quarantine': Move unauthenticated emails to the spam or junk folder
  • 'reject': Reject unauthenticated emails outright

A DMARC policy also includes assigning a percentage, which determines the portion of your domain's email traffic to which the policy should apply. Additionally, the policy includes instructions on how it should be enforced.

  • A ‘none’ policy’s percentage should be left blank. This will default to 100%. 
  • For ‘quarantine’ or ‘reject’ policies, we suggest starting with a low percentage (10% for example), then gradually increase it as you monitor the reports and gain confidence in your email authentication setup.

DMARC policy examples:

  • If you choose ‘reject’ as the policy with a 50% application rate and "dmarc-reports@yoursite.com" as the reporting address, your DMARC record would look like this:
    v=DMARC1; p=reject; pct=50; rua=mailto:dmarc-reports@yoursite.com; ruf=mailto:dmarc-reports@yoursite.com;
  • If you choose a ‘none’ policy and only wish to collect aggregate reports, your DMARC record would look like this:
    v=DMARC1; p=none; rua=mailto:dmarc-reports@yoursite.com;

Both of these examples provide valid records. The first tells the recipient mailbox provider to reject 50% of mail seen that doesn’t pass DMARC, whereas the second simply collects DMARC reports and sends them back to you.
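To check a record against the rules above before publishing it, here is an added example (not beehiiv's wizard or code). The function names are this example's own, and the mailto: check assumes the e-mail reporting form used in this article.

```python
ALLOWED_POLICIES = {"none", "quarantine", "reject"}

def parse_dmarc(value):
    """Split 'tag=value; tag=value;' into an ordered list of (tag, value) pairs."""
    pairs = []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue  # the trailing ';' leaves an empty segment
        tag, sep, val = part.partition("=")
        if not sep:
            raise ValueError(f"segment without '=': {part!r}")
        pairs.append((tag.strip().lower(), val.strip()))
    return pairs

def lint_dmarc(value):
    """Return a list of problems; an empty list means the record passes."""
    pairs = parse_dmarc(value)
    tags = dict(pairs)
    problems = []
    if len(tags) != len(pairs):
        problems.append("duplicate tag")
    if not pairs or pairs[0] != ("v", "DMARC1"):
        problems.append("record must start with v=DMARC1")
    policy = tags.get("p", "").lower()
    if policy not in ALLOWED_POLICIES:
        problems.append("p must be none, quarantine or reject")
    if "sp" in tags and tags["sp"].lower() not in ALLOWED_POLICIES:
        problems.append("sp must be none, quarantine or reject")
    if "pct" in tags:
        if policy == "none":
            problems.append("leave pct off a p=none record")
        if not (tags["pct"].isdigit() and int(tags["pct"]) <= 100):
            problems.append("pct must be an integer from 0 to 100")
    for tag in ("rua", "ruf"):
        for uri in filter(None, tags.get(tag, "").split(",")):
            if not uri.strip().lower().startswith("mailto:"):
                problems.append(f"{tag} entry is not a mailto: address")
    if not tags.get("rua"):
        problems.append("no rua reporting address")
    return problems

def effective_policy(value, subdomain=False):
    """Policy for the domain itself, or for its subdomains (sp, else p)."""
    tags = dict(parse_dmarc(value))
    return ((tags.get("sp") if subdomain else None) or tags.get("p", "")).lower()

if __name__ == "__main__":  # constructed input: a p=none record with a stray pct
    print(lint_dmarc("v=DMARC1; p=none; pct=10; rua=mailto:dmarc-reports@yoursite.com;"))
```

effective_policy also covers the sp= tag: with sp present, subdomains get that policy, and without it they inherit p.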

After setting up DMARC, be sure to monitor the reports you receive and adjust your policy and percentage as needed. This will help to optimize your email deliverability and further protect your domain from spoofing and phishing attacks.
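To show what monitoring the reports can look like in practice, here is an added example (not part of beehiiv's tooling) that totals one aggregate report and lists the sources whose mail failed DMARC. It assumes the RFC 7489 aggregate report XML layout without an XML namespace; the sample report is constructed and trimmed to the fields used.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample in the aggregate-report layout of RFC 7489, trimmed to the
# fields read below. The source IPs are documentation addresses.
SAMPLE_REPORT = """<feedback>
 <policy_published><domain>yoursite.com</domain><p>none</p></policy_published>
 <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
  <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf>
  </policy_evaluated></row></record>
 <record><row><source_ip>198.51.100.7</source_ip><count>25</count>
  <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf>
  </policy_evaluated></row></record>
 <record><row><source_ip>203.0.113.44</source_ip><count>5</count>
  <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf>
  </policy_evaluated></row></record>
</feedback>"""

def summarize_report(xml_text):
    """Count DMARC passes and list the sources whose mail failed both checks."""
    # Reports arrive from third parties: refuse DTDs before parsing so entity
    # definitions are never processed.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD in report; refusing to parse")
    root = ET.fromstring(xml_text)
    passed, failing = 0, Counter()
    for row in root.iter("row"):
        count = int(row.findtext("count", "0"))
        results = (row.findtext("policy_evaluated/dkim"),
                   row.findtext("policy_evaluated/spf"))
        if "pass" in results:  # DMARC passes when either aligned check passes
            passed += count
        else:
            failing[row.findtext("source_ip")] += count
    total = passed + sum(failing.values())
    return {
        "domain": root.findtext("policy_published/domain"),
        "total": total,
        "failed": total - passed,
        "fail_percent": round(100 * (total - passed) / total, 1) if total else 0.0,
        "failing_sources": failing.most_common(),
    }

if __name__ == "__main__":
    print(summarize_report(SAMPLE_REPORT))
```

A failing source you recognize as your own sender needs its SPF or DKIM setup fixed before you raise the percentage or move to an enforcement policy; one you do not recognize is the spoofed mail the policy is meant to catch.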

 


Frequently asked questions about DMARC 

  1. You can use a lookup tool to see if your record is live. Alternatively, you can use your Terminal to run a dig/nslookup for your domain using:

    nslookup _dmarc.yourdomain.com txt
    dig _dmarc.yourdomain.com txt
  2. While DMARC and SPF can be seen with a regular lookup in most checkers, DKIM requires an example message to check its status. This means that you’ll need to send some mail in order for your DKIM to show as “Found.”

  3. No. When using a ‘none’ policy, you should keep the percentage blank, especially if you are using a wizard to create your record. If you are entering the record by hand, you should leave the pct= field off of your record, and use the percentage field for enforcement policies.

  4. Enforcement is the term used for choosing either ‘quarantine’ or ‘reject’ as your policy. These enforce what a mailbox provider should do in the event of a DMARC failed message.

  5. Yes, when you set up a custom domain with your beehiiv account, you'll need to add three CNAME records. These records cover your SPF and a dual DKIM signature. Once you've added these three records and your domain is verified, there's nothing else to do. SPF and DKIM are covered going forward.

  6. Choose Relaxed. Currently, there is no benefit to selecting Strict.

  7. No, you don't. DMARC is typically set up at the root domain level. Unlike SPF and DKIM, DMARC employs a "rolling up" mechanism. This means that any subdomain you create under yoursite.com will be covered by your chosen policy. If you wish to apply a different policy to your subdomains, you can include the 'sp=' tag in your record and specify a different policy.

    This would look like:

    v=DMARC1; p=reject; sp=none; rua=mailto:dmarc-reports@yoursite.com;

    Do not reuse this exact example.

    Using this option would give yoursite.com a ‘reject’ policy and any subdomain of yoursite.com a ‘none’ policy.

  8. Technically yes, but you don’t need to do anything. We’ve taken care of it all. This is because anyone sending across a beehiiv shared domain is fully covered by SPF, DKIM, and DMARC.

  9. If you're receiving numerous emails related to your DMARC policy, it's likely due to the reporting mechanism built into DMARC. These emails provide valuable insights into how your domain is being used for email authentication purposes and help identify potential spoofing attempts or delivery issues. To reduce the volume of these emails, consider setting up a dedicated email address specifically for DMARC reporting. Additionally, you can adjust the frequency or granularity of reporting (the percentage) in your DMARC policy settings to better suit your needs.

  10. DMARC has become essential for ensuring email delivery to providers like Gmail and Yahoo, among others. More importantly, DMARC:

    • Shields senders from domain spoofing
    • Safeguards recipients against phishing attempts
    • Identifies and consolidates mailing infrastructure
    • Empowers domain owners to dictate actions in case of failure
