Over the last 10 years, email marketing has made powerful strides, many of which leading to a more consumer-friendly experience for all. Mobile friendly optimization, a key focus on data-driven email personalization, and the ability to leverage automated customer journeys all contribute to a more customer-centric and engagement-driven marketing landscape. But, for every new email marketing opportunity, there is a small army of bad actors waiting in the wings to take advantage.

Email authentication protocols like Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) have worked wonders to ensure marketing emails are reaching intended inboxes in an ethical way. DMARC (domain-based message authentication) is the next evolution marketers must be familiar with.

What does DMARC mean in email marketing?

About 80% of small to medium-sized businesses rely on email as their primary acquisition and retention channel. Although not all marketers are expected to be email authentication experts (it’s an understandably complex sub-layer of lengthy protocols), they should have a basic understanding of how to protect their brand from email spoofing and phishing attacks.

You represent the voice of your brand, which means you must be certain that it’s coming from the right source!

One of the several benefits of DMARC is the ability for marketers to see exactly who is sending emails on behalf of your domain to identify any parties using it to send fraudulent emails.

The Benefits of DMARC Setup

As gatekeepers of your brand reputation, marketers should be well-versed in the benefits of DMARC setup, most of which heavily revolve around reliability and security.

Email Deliverability

DMARC helps improve email deliverability by reducing the chances of emails being marked as spam or rejected by email filters. By establishing a strong authentication framework with DMARC, you drastically increase the likelihood of your legitimate emails reaching recipients' inboxes.

Your email marketing messages are being broadcast to your most loyal users (and prospective new customers) – confirming the legitimacy of these messages not only helps secure your users’ private information but also ensures your marketing campaigns aren’t going straight to the email spam folder by mistake. This is key to improving email deliverability!

Brand Protection & Security

DMARC setup helps protect your brand from email spoofing and phishing attacks. Email spoofing and phishing are tactics of imitating an email from a trustworthy source with the intent to trick recipients into providing sensitive information, clicking on malicious links, or downloading malware-infected attachments. By implementing DMARC, you can specify policies that instruct receiving servers on how to handle emails that fail authentication checks and prevent unauthorized use of your domain.

Visibility and Insights

DMARC provides reporting capabilities that offer valuable insights into email authentication results. This effectively gives you x-ray vision into details of successful and failed authentication attempts, helping you understand exactly how your email domain is being used. Use these insights to monitor your email ecosystem, identify potential problems that affect performance, and take necessary actions to maintain a strong email infrastructure.


DMARC aligns with today’s marketing privacy regulations and industry standards, making it an essential component for email compliance, regardless of the size of your business. By implementing DMARC, you demonstrate your commitment to secure and trustworthy email practices, which is particularly important in industries with strict compliance requirements such as finance, healthcare, and eCommerce.

Are There Risks of Neglecting DMARC Setup?

Ironically, the worst part about not setting up DMARC is not knowing what’s happening in regard to your email domain. Neglecting DMARC is essentially rolling the dice on trusting whether or not malicious spammers are hijacking your domain name to steal user data.

By not implementing DMARC, you leave your brand vulnerable to the following consequences:

  • Email-based attacks – Without DMARC, it becomes easier for malicious actors to spoof or impersonate your domain in phishing attacks, leaving you susceptible to lead to financial losses and reputational damage.
  • Compromised consumer trust – If recipients frequently encounter phishing emails or spam messages appearing to originate from your domain, they will lose trust in your brand, leading to a decline in customer engagement and loyalty.
  • Decreased deliverability rates – Without DMARC, your emails are more likely to be flagged as suspicious or spammy by ISPs (Internet Service Providers), resulting in decreased deliverability rates and lower engagement with your intended recipients.
  • Potential regulatory non-compliance penalties – Without proper email authentication measures like DMARC, you may fail to meet the requirements set forth by regulations like GDPR (General Data Protection Regulation) or HIPAA (Health Insurance Portability and Accountability Act), leading to potential legal consequences and financial penalties.
For an overview of anti-spam regulations and the process of verifying email addresses, check out our guide on how to clean an email list!

Who Should Use DMARC?

DMARC is invaluable for any online entity that sends emails and wants to ensure the security of their communications. That means businesses and corporations of every size, non-profits whose success hinges on reputation, educational institutions who wish to safeguard their staff and students, government agencies, healthcare providers, financial institutions, and eCommerce platforms.

How it Works

DMARC works by combining existing email authentication protocols, specifically SPF and DKIM, to provide an additional layer of protection against email spoofing and phishing attacks.

Here's a high-level overview of how DMARC works:

1. Sender Authentication: SPF and DKIM

SPF allows domain owners to specify which servers are authorized to send emails on behalf of their domain. It defines a list of authorized sending servers in the DNS (Domain Name System) records. DKIM adds a digital signature to outgoing emails, verifying the integrity of the email content and the authenticity of the sender's domain.

2. DMARC Policy

The domain owner (you!) publishes a DMARC policy in their DNS records. This policy outlines the actions that receiving email servers should take when an incoming email fails SPF or DKIM checks. The policy can be set to monitor, quarantine, or reject such emails.

3. Authentication Results

When an email is received, the receiving email server checks for SPF and DKIM authentication. If the email passes both checks, it is considered authentic. If either check fails, the email fails authentication.

4. DMARC Alignment

DMARC verifies alignment between the "From" domain displayed to the recipient and the domains used in SPF and DKIM checks. It ensures that the domains match or have a defined relationship, adding an additional layer of protection against spoofing.

5. DMARC Actions

Based on the DMARC policy set by the domain owner, the receiving email server takes appropriate actions. If the policy is set to "monitor," the server allows the email to be delivered but generates a DMARC report. If the policy is set to "quarantine," the server may deliver the email but mark it as suspicious or divert it to a spam folder. If the policy is set to "reject," the server rejects the email outright and does not deliver it to the recipient's inbox.

6. DMARC Reporting

DMARC provides reporting capabilities that generate both aggregate and forensic reports. Aggregate reports provide insights into the authentication results of emails sent on behalf of the domain. Forensic reports provide detailed information about individual failed authentication events, including the IP address and other relevant data.

How to Set Up DMARC

Each company divides responsibilities differently. Domain management, email infrastructure, and general marketing operations are often split within different arms of the same department. As a general rule of thumb, whichever department owns branding should be responsible for domain management.

Assess and Define

Before setting up DMARC, ensure that your organization has already implemented SPF and DKIM for your domain. DMARC relies on these authentication protocols to function effectively.

You’ll then want to determine the policy you want to enforce for your domain. The policy specifies how receiving email servers should handle emails that fail SPF or DKIM checks. The policy can be set to "none" (monitoring mode), "quarantine," or "reject." If you aren’t sure where to start, you may begin with a "none" policy for monitoring and gradually progress to more stringent policies.

Create a DMARC Record

Access the DNS management interface of your domain registrar or DNS hosting provider and create a TXT record for your domain with the DMARC policy information. The record should include the following components:

v=DMARC1: Indicates the version of DMARC being used.

p=none/quarantine/reject: Specifies the policy action to be taken.

rua/ruf: Specifies the email addresses where aggregate (rua) and forensic (ruf) DMARC reports should be sent.

pct: Specifies the percentage of emails to which the DMARC policy should be applied (helps with gradual deployment).

Publish the DMARC Record

Save and publish the DMARC TXT record in your DNS settings. The record should be added as a subdomain of your primary domain, such as "_dmarc.example.com".

Monitor DMARC Reports

Monitor the DMARC reports that are sent to the specified email addresses in the DMARC record. These reports provide insights into authentication results, sources of failed authentication, and potential spoofing attempts. Use the reports to analyze and fine-tune your email authentication configuration.

How Much Does DMARC Setup Cost?

The cost of setting up DMARC can vary depending on several factors including the availability of your internal resources, capabilities of third-party services, DNS hosting fees, and ESP (email service provider) pricing structure. Additionally, the costs can vary widely based on the size of your organization, the complexity of your email infrastructure, and the level of external assistance required.

It's important to note that while there may be costs associated with setting up DMARC, the benefits of improved email deliverability, brand protection, and reduced risk of email-based attacks vastly outweigh the financial investment. Many marketing tools may market themselves as must-haves despite only being relevant in niche use cases. DMARC, on the other hand, is a true case of “better safe than sorry.” Don’t gamble with user data security and your brand reputation!

Other Tips to Improve Email Deliverability

While DMARC is just a (rather large) component of your marketing engine, it is still important to consider additional ways to optimize email deliverability to ensure you’re reaching the right inboxes at the right time.

Use the following resources to make sure you’re checking all the boxes:

For a comprehensive "top down view" of the best places to boost campaign performance, the OneSignal guide to email optimization is for you.

An Email Platform You Can Count On

Choosing the right ESP and mobile messaging provider with a strong reputation, deliverability expertise, and compliance practices can significantly improve email deliverability rates.

OneSignal has effectively unified mobile messaging across all channels (email, push, in-app, and SMS) while leveraging best-in-class ESPs to ensure your email campaigns are as effective as they are secure.

Our platform not only offers its own free email composer tool built atop our own affordable email service, but it’s also compatible with trustworthy email service providers like Mailgun, SendGrid, and Mailchimp.

Reach Out to Us to Learn More!