Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.sequenzy.com/llms.txt

Use this file to discover all available pages before exploring further.

Implementing DMARC

DMARC helps protect your domain from being used in phishing attacks and improves email deliverability by giving mailbox providers confidence that your emails are legitimate.

Prerequisites

Since DMARC relies on DKIM and SPF, first ensure your existing emails are passing these checks:
  • DKIM verifies the email wasn’t altered in transit using cryptographic authentication
  • SPF authorizes IP addresses to send email for a domain
If you have a verified domain with Sequenzy, your emails are already passing SPF and DKIM.

What is DMARC?

DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an email authentication protocol that instructs mail servers what to do if an email message fails SPF and DKIM, preventing email spoofing (forged headers). DMARC is added to a domain through a TXT record at _dmarc. By preventing spoofing, a domain can build trust with mailbox providers, as it allows them to verify that emails are authorized to send on behalf of that domain. An email must pass either SPF or DKIM checks (but not necessarily both) to achieve DMARC compliance and be considered authenticated. A message fails DMARC if both SPF and DKIM fail.

Implementing DMARC

1. Add a TXT _dmarc Record

To start, add a flexible DMARC record to your domain:
NameTypeValue
_dmarc.example.comTXTv=DMARC1; p=none;
This record specifies a few parameters (see Reference section for more details):
  • v - Version: The version of DMARC
  • p - Policy: Tells the inbox how to process messages that fail DMARC. Options are none, quarantine, reject. It’s best practice to use quarantine or reject, but only do so once you know your messages are delivering and fully passing DMARC.
Once you’ve added a basic record, you should set up DMARC reporting to monitor your results.
To ensure you don’t accidentally introduce breaking changes to your email sending, we suggest starting with a policy of p=none; before moving to a stricter policy.

2. Test to Confirm Delivery and Passing

To test emails, send an email from all the applications and services your domain uses. Confirm that the messages are delivered to the inbox and that the headers show DMARC passing. Spend a few days at this step to ensure you’re checking all sources of email from your domain and catch email that is sent at a different cadence than daily. To confirm DMARC passed, you can inspect the email headers and confirm there is dmarc=pass.
Gradually identify email sources using tools like Google Postmaster Tools, which provides DKIM/SPF feedback. DMARC monitoring services can aggregate your email sources by collecting DMARC reports, helping you discover any services sending email on your domain’s behalf.

3. Upgrade Policy

Once you have verified DMARC is passing across all your sending, you should upgrade your policy to p=quarantine;. This policy gives mailbox providers greater confidence in your domain since your domain only allows authenticated email.
PolicyDescription
p=none;Allow all email. Monitoring for DMARC failures only.
p=quarantine;Send messages that fail DMARC to the spam folder
p=reject;Bounce delivery of emails that fail DMARC
Once your policy is p=quarantine; or p=reject;, you can explore setting up BIMI (Brand Indicators for Message Identification), which can provide established brands even greater sending credibility by displaying a logo as an avatar in an email client.

DMARC Reporting

DMARC includes a reporting mechanism via the rua parameter, which tells mailbox providers where to send aggregate reports about emails from your domain. These reports are XML files that show which IP addresses are sending email on your behalf and whether those emails pass SPF and DKIM.

Why you need a monitoring service

Raw DMARC reports are XML files sent as email attachments — they’re not meant to be read directly. To get value from DMARC reporting, you should use a free monitoring service that parses these reports into a readable dashboard.
  • EasyDMARC — free tier with a dashboard that visualizes your DMARC data, shows sending sources, and highlights failures.
  • URIports — free DMARC report monitoring with a clean dashboard and real-time alerts.
  • DMARC Analyzer (Mimecast) — free analysis tools with detailed reporting.

How to set it up

  1. Sign up for a DMARC monitoring service
  2. The service will give you a reporting address (e.g., abc123@ag.easydmarc.com)
  3. Add rua to your DMARC record pointing to that address:
NameTypeValue
_dmarc.example.comTXTv=DMARC1; p=none; rua=mailto:abc123@ag.easydmarc.com;
Don’t point rua at your own email address (e.g., dmarc@yourdomain.com). You’ll receive raw XML files that are difficult to interpret without specialized tooling.
Reports typically arrive daily. Give it a week or two to collect enough data before making policy decisions.

Reference

While the DMARC protocol includes both pct and ruf parameters, they are not widely followed by mailbox providers. These settings may not be respected or followed.
ParameterPurposeExample
vProtocol versionv=DMARC1
pctPercentage of messages subjected to filteringpct=20
rufReporting URI for forensic reportsruf=mailto:authfail@example.com
ruaReporting URI of aggregate reportsrua=mailto:aggrep@example.com
pPolicy for organizational domainp=quarantine
spPolicy for subdomains of the ODsp=reject
adkimAlignment mode for DKIMadkim=s
aspfAlignment mode for SPFaspf=r

Why Sequenzy Doesn’t Require DMARC

Sequenzy requires 5 DNS records for domain verification (3 DKIM + 1 SPF + 1 MX), but DMARC is optional. Here’s why:
  1. DMARC is domain-wide - A DMARC record applies to all email from your domain, not just emails sent through Sequenzy
  2. You may already have one - Many domains already have a DMARC policy set up
  3. Configuration varies - The right DMARC policy depends on your organization’s email infrastructure
However, we strongly recommend setting up DMARC for better deliverability and domain protection.

Domain Verification

Set up your sending domain with DNS records

Transactional Emails

Send triggered emails via API