Following on from the changes to email marketing at the start of February (more about this here)a lot of people have set up DMARC but are still seeing issues.

If you run your domain through an authentication checker you might see something like this:

Report showing DKIM and SPF passed and DMARC=none with alert

The yellow exclamation makes it look like there is a big issue here but it isn’t necessarily something you need to worry about… you need to decide for yourself so let me explain more.

DMARC stands for Domain-based Message Authentication Reporting and Conformance and when I think of it I am reminded of Derek, the very diligent health and safety officer at one of my previous workplaces. Slightly annoying but doing it for your own good. 

So what does Derek, sorry DMARC do for your emails? Under the new rules you will (hopefully) have authenticated your domain with both SPF and DKIM records. This means that emails legitimately sent from you will have all the right signatures on and get through. 

But what if they don’t? 

What if someone pretends to be you and sends emails that look like they are you but without the authentication? This happens a lot more than you might think and this is where Derek comes in. 

By setting your DMARC policy you will tell the email filters what to do with an email that appears to be from you but doesn’t meet the authentication criteria. You choose what they do and there are 3 options:

  1. Any email that isn’t properly authenticated should be immediately deleted.
  2. Any email that isn’t properly authenticated should be quarantined.
  3. Unauthenticated emails should just be delivered as usual. 

For ease, most instructions have shown you how to set up the 3rd option which as you do nothing gives the above result; p=none with no reporting. This tells the filters they should continue to deliver the emails and nothing happens. However, this is the setting that triggers a warning from the authentication checkers as they would much prefer you were going for option 1 or 2 or at the very least getting a report about how many emails are being sent without authentication.

So what should you do if you get this result?

Either you can just leave it as it is, from a deliverability perspective you should be fine. Or set up reporting too which will allow you to track how many emails are being set ‘as you’ but not authenticated. Once you are confident none of these are from you (using a tool you might not realise is sending on your behalf) then you could change your policy to quarrantine emails that don’t meet the critera.

To set up reporting you will need to amend your DMARC record and I recommend you use a third party to track this for you or you will get a whole load of emails, most of which will make no sense at all.

I use Postmarks free tool which you can find here: https://dmarc.postmarkapp.com/

You get a weekly report which tells you whether all your emails are authenticated and will help you to spot any services you have missed.

I hope that helps explain why you might have done everything right but still be seeing the alert and if you need any help then do get in touch.

Skip to content