Google and Yahoo New DMARC Policy Requirements
Gmail and Yahoo announced new email authentication requirements for large senders, effective February 2024. The objective is to prevent unsolicited and fraudulent emails from reaching the inbox. The new guideline applies to senders that send more than 5,000 emails daily to Gmail- and Yahoo-owned domains. Senders will need to strongly authenticate their emails using DKIM, SPF and DMARC.
WhatCounts senders are provided with a DKIM record and SPF records (via CNAME entry) during the initial onboarding process. With these new requirements coming into effect, senders that have not already included a DMARC record should do so to prevent disruption or bulk folder placement.
Understanding the DMARC Text Value
The key components are the policy tag (p=) and rua tag for report destination. The minimum policy requirement of p=none instructs recipient mail servers to take no action in the event of a failure other than sending a report to the email address specified in the rua section of the record. Other more restrictive policy options include “quarantine” and “reject”. For the purposes of Gmail/Yahoo DMARC compliance the policy of p=none will be required.
The reporting mechanism (rua) allows domain owners to monitor and analyze email authentication activity. The rua section specifies the destination address for success and failure notifications. As these notifications can be very high in number, senders may opt to dedicate a mailbox solely to DMARC messages.
DMARC Implementation
Implementing DMARC involves configuring your sending domain DNS with a text record. The text record contains authentication instructions for recipient servers to adhere to. To implement DMARC, add a text string similar to the one below to your DNS.
Sample DMARC txt record:
DNS Entry | Value |
_dmarc.domain1. | "v=DMARC1; p=none; rua=mailto:dmarc_reports@yourdomain.com; pct=100;" |
(Optional) External Validation
If you want to send your DMARC reports to a domain other than the one that the record is for, then the receiving domain needs to configure a DNS record so that Email Service Providers know that the recipient is authorizing the reports.
DNS Entry Example:
TYPE: TXT
NAME: domain.com._report._dmarc.domain.com
TXT Data: v=DMARC1
If the domain receiving DMARC reports will do so for numerous domains, you can enter a wildcard record such as the following:
NAME: *._report._dmarc.domain.com
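A pre-publication check for the DMARC value and the external validation step described above, written as an added example (not WhatCounts code). The function names and the reports.example.net destination are assumptions, and "external" is approximated by a parent/subdomain comparison instead of the organizational-domain lookup that RFC 7489 specifies.

```python
# Added example: lint a DMARC TXT value before publishing it.
# Sample records are constructed; domain names are placeholders.
VALID_POLICIES = {"none", "quarantine", "reject"}

def parse_dmarc(txt):
    """Split a DMARC TXT value into an ordered {tag: value} dict."""
    tags = {}
    for part in txt.strip().strip('"').split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip().lower()] = value.strip()
    return tags

def rua_domains(tags):
    """Domains of the mailto: report destinations listed in rua."""
    out = []
    for uri in tags.get("rua", "").split(","):
        uri = uri.strip()
        if uri.lower().startswith("mailto:") and "@" in uri:
            addr = uri[len("mailto:"):].split("!", 1)[0]  # drop optional size limit
            out.append(addr.rsplit("@", 1)[1].lower().rstrip("."))
    return out

def lint_dmarc(domain, txt):
    """Return (problems, external_record_names) for domain's _dmarc TXT value."""
    domain = domain.lower().rstrip(".")
    tags = parse_dmarc(txt)
    problems = []
    # The version tag must come first and is case-sensitive.
    if next(iter(tags.items()), None) != ("v", "DMARC1"):
        problems.append("record must start with v=DMARC1")
    if tags.get("p", "").lower() not in VALID_POLICIES:
        problems.append("p= must be none, quarantine or reject")
    dests = rua_domains(tags)
    if not dests:
        problems.append("no rua=mailto: destination, so no aggregate reports")
    # Simplification (assumption): a destination counts as external unless it
    # is the record's domain or a parent/subdomain of it.
    external = [f"{domain}._report._dmarc.{d}" for d in dests
                if not (d == domain or d.endswith("." + domain)
                        or domain.endswith("." + d))]
    return problems, external

if __name__ == "__main__":
    page_sample = '"v=DMARC1; p=none; rua=mailto:dmarc_reports@yourdomain.com; pct=100;"'
    third_party = "v=DMARC1; p=none; rua=mailto:reports@reports.example.net"
    for value in (page_sample, third_party, "p=none; v=DMARC1"):
        print(lint_dmarc("yourdomain.com", value))
```

Each name in the second list is a TXT record, with the value v=DMARC1, that the report-receiving domain has to publish.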
CNAME
The CNAME record allows you to brand your email campaign URLs and bounce address. To set up this record, create a subdomain on your domain with a CNAME to response.wc07.net.
For example:
DNS Entry | CNAME |
Response.yourdomain.com. | "response.wc07.net" |
Note: You are not required to use "response" in the DNS entry. The subdomain selection is at the discretion of the account holder. It only needs to be a domain that you own and manage.
Implementation Summary
- Add DMARC txt record to the sending domain DNS file.
DNS Entry | Value |
_dmarc.domain1. | "v=DMARC1; p=none; rua=mailto:dmarc_reports@yourdomain.com; pct=100;" |
- Assign an email address for DMARC reports and place the address into the DMARC value text as seen above. Example: dmarc_reports@yourdomain.com
- Ensure you are using a CNAME record that points to a WhatCounts domain such as response.wc07.net.
- Each sending domain should also have a DKIM record. If your sending domain does not authenticate with DKIM, please contact support@whatcounts.com to have a DKIM key created.
- Once the authentication records are in place, run a test by emailing a Gmail or Yahoo address of your own to confirm propagation of the records. This can be verified in the message headers shown by your email client.
DMARC Instructions for Help Page (DNS)
Record Type: DMARC
DMARC, which stands for Domain-based Message Authentication, Reporting, and Conformance, is an email authentication protocol that helps prevent spoofing or unauthorized use of sending domains.
Implementing DMARC involves configuring your sending domain DNS with a text record. The text record contains authentication instructions for recipient servers to adhere to. To implement DMARC, add a text string like the one below to your DNS.
Sample DMARC txt record:
DNS Entry | Value |
_dmarc.domain1. | "v=DMARC1; p=none; rua=mailto:dmarc_reports@yourdomain.com; pct=100;" |
It is advisable to assign a single mailbox to receive DMARC aggregate reports. These reports cover the successes and failures of mail sent by your domain or claiming to be from your domain.
For a message to pass DMARC, it must be in alignment with DKIM or SPF. These records need to exist on the DNS of your sending domain using the above instructions.
It is advisable to ensure your mail passes DMARC tests before using a more restrictive policy such as p=quarantine or p=reject.
Note: DMARC records on the parent domain are inherited by subdomains.