DMARC Checker: The Full-Scale Guide for DMARC Monitoring in 2024

Virtually all businesses use emails one way or another to engage with their existing and potential customers, whether it’s to share promotional materials or schedule a demo. 

Therefore, a lot of responsibility lies on the shoulders of these simple emails—they could trigger the beginning of a future sale and drive retention, or they could result in your company’s domain going right into spam, preventing you from ever reaching out to them in the future. 

But all those scenarios are only possible if your emails actually get delivered in the first place, meaning they reach their recipients’ primary inboxes. 

The giant ESPs (email service providers) like Gmail, Outlook, and Yahoo have been increasingly ramping up their email-sending policies, especially in the context of high-volume emails that businesses operate with. 

They do this to protect their users from the growing number of malicious and spam emails that travel through the web, and while that’s great news, unfortunately, businesses that are not careful run the risk of getting their emails flagged as well. 

This is where email authentication protocols like DMARC come into play, playing a crucial role in ensuring that your emails remain compliant and legitimate in the eyes of email providers. 

In this comprehensive guide, we’ll take a closer look at one of the three main authentication protocols — DMARC, and explain what it is, how it works, and how to monitor it in light of the growing email-sending policies in 2024.  

What is the DMARC record? 

Without getting too technical, a DMARC record (Domain-based Message Authentication, Reporting & Conformance), is an email authentication protocol that determines what happens to an email should it fail authentication tests during sending. 

Most important of all, DMARC enforces the linking of all these mechanisms together by requiring domain alignment — this means that the domain shown in the “From” line of an email matches with the domains that were validated in the SPF and DKIM sections. 

To better understand DMARC and its impact on email deliverability, let’s take a quick look at the SPF and DKIM authentications: 

SPF and DKIM both work in combination to provide email authentication, but they are separate mechanisms. DMARC came to solve this challenge by combining the best of both to ensure the email’s “From” domain conforms to the domains being authenticated. 

In simple terms, while SPF and DKIM are the foundation of email authentication, DMARC’s mission is to align the two and set up the procedure for sending and receiving should they fail to pass those two authentication tests. 

DMARC acts as the final piece in the chain of email authentication protocols, not only improving email deliverability by giving your emails and domain a stamp of legitimacy but also protecting businesses from all sorts of email fraud. 

Why is the DMARC check important? 

The importance of DMARC and other email authentication procedures simply cannot be brushed off in 2024—they have the potential to determine the success of your business email communications, hence having a direct impact on prospecting, lead generation, customer acquisition, and revenue. 

The biggest advantage of DMARC is its direct impact on email deliverability. In light of Google’s new 2024 security policies, email authentication has become a crucial element for ensuring your email campaigns reach their audience. 

Businesses that fail to correctly set up all the email authentications, including but not limited to SPF, DKIM, and DMARC will be much more likely to be grouped with malicious and spam email senders, and therefore flagged as spam, potentially blacklisting your business domain. 

This rule goes double for businesses and individuals sending 5k+ emails per day, so if we think in the context of email newsletters, marketing promos, and sales engagement campaigns, authentication has never been more important than now. 

DMARC is the final nail in your email authentication, significantly decreasing the chances of your email correspondence getting rejected by email servers or getting flagged as spam. With the new strict 0.3% spam rate threshold recently announced by Google.

On top of that, DMARC builds your company’s sender reputation by only allowing authenticated emails to be delivered from your end. On the other hand, a weak sender reputation, caused by emails being regularly flagged as suspicious, has long-term effects on your business because it’s very challenging to recover your email domain. 

The solution? Properly set up and maintain your DMARC records to avoid these issues from ever occurring in the first place.

How to check DMARC authentication

Correctly setting up your DMARC protocol is crucial, but so is continuously monitoring it to ensure your email domain is authenticated at all times, and there are several ways to do it. 

1. For starters, there are several great free DMARC monitoring tools online that you can use. Free tools such as MxToolbox and Mail-Tester are super convenient—simply type in your email domain or send a random email to their given address, and within seconds you will get a detailed report on the current status of your DMARC setup:

Once analyzed, these reports provide a detailed overview of how your emails are being handled by other email servers, whether your emails pass or fail authentication, and if any unauthorized third parties are sending emails from your domain (more on what all those code-looking terms mean below). Some of them also offer more insights such as broken links, spam triggers, and the effectiveness of your cold emails.

2. Similarly, you can check and monitor your DMARC directly through your email provider such as Google Workspace and Microsoft 365. These are native services that email providers offer their users to generate reports on the performance of all their authentication protocols, including DMARC. 

If you’re a Gmail user, simply access your Google Workspace Admin account, navigate to the ‘admin panel’, and enter your business domain to find out more about your DKIM settings. Regularly reviewing these reports can help you identify potential issues with your authentication in the early stages and make the necessary changes to avoid harming your sender reputation and losing potential opportunities due to deliverability issues. 

3. Last but not least, the leading sales and marketing outreach platforms have added the necessary features to integrate authentication settings into their products. 

For instance, at Reply.io, we made several key additions to our functionality to take away the increasingly challenging and technically-complex issues of email deliverability: 

• we’ve added a dedicated ‘domain healthchecker’ that keeps track of all email authentication protocols in real-time, offering actionable steps to resolve any issues that may arise:

• we’ve integrated our product with Google’s Postmaster to track the spam rates of all your connected inboxes in real-time, to ensure that you will never surpass the new extra strict spam rate threshold of 0.3%: 

With these additional features, among others, Reply.io users can automate their email with AI without ever having to worry about deliverability issues. 

We always recommend all our users try to keep as many automated processes under one roof, opting for more consolidated platforms to focus less on the technical aspects like email authentication monitoring and integrations, and more on making meaningful connections with potential customers. 

With Reply.io, our users enjoy an extensive built-in lead database, AI-powered outreach and response handling, multichannel engagement sequences, AI-powered inbound, and more, while we handle all the authentication and monitoring ourselves. 

There are several other email deliverability tools that can help every business keep track of all their authentications, monitor spam, and ensure that all their emails reach their intended inboxes, in case you’re interested. 

How does DMARC work? 

In a nutshell, DMARC works by verifying that each and every email you send is correctly authenticated with SPF and DKIM, as well as ensuring that the “From” header in your emails is aligned with the published DMARC record in your DNS server. 

I know this may sound complicated (trust me, I get it), so I went ahead and found a very simplified infographic that visualizes what we’re talking about: 

Source: MailerCheck 

As you can see, once you send an email, it transports from your email server to your recipient’s server, which acts as a gateway to determine whether it should let your email through or not. To do so, it checks the DMARC record of your email, and if it’s identical to the DMARC record you published in your DNS server, your email(s) get the green light. 

The way DMARC works can be broken down into three main processes: 

1. Domain alignment → refers to the alignment of the domain in the ‘From’ field of your email with the domain initially authenticated by SPF and/or DKIm. If the domains match—you’re good to go, if not—your email fails the DMARC check and will either be sent to spam or rejected altogether. 
2. SPF and DKIM verification → besides establishing domain alignment, DMARC also verifies that your email has passed the SPF and/or DKIM checks (ideally both). As mentioned above in our infographic, SPF is responsible for showing receiving servers that your email is sent from an authorized IP address, while DKIM ensures the receiving server that your email hasn’t been compromised during transit.
3. DMARC policy enforcement → if the first two steps are all cleared, the receiving email server will let the email go through, no problem. If your email fails DMARC, there are three possible actions that the receiving server may take, depending on their authentication settings:

• None: The email is delivered regardless of DMARC compliance.
• Quarantine: The email is marked as suspicious and sent to the spam folder.
• Reject: The email is blocked from being delivered.

Regular DMARC monitoring provides businesses with detailed reports containing insights into how their emails are ‘seen’ and ‘handled’ by their recipients’ email servers. Doing so empowers businesses or domain owners to not only make necessary changes, should some issues arise, but also monitor unauthorized use of their domain by third parties. 

DMARC record checker tags explained 

If you’re not interested in all the technical aspects of DMARC records, you might as well skip this part. And to be completely honest with you, if you have an IT professional on your team or if your business uses a sales or marketing suite like Reply.io, there’s probably no need to know all this.

If, however, you’d like to know how to properly ‘decode’ your domain’s DMARC records that your email provider or special tools will generate, here’s a quick overview of the key tags used in such reports: 

• v (required): Specifies the DMARC version. The only allowed value is “DMARC1.” If this tag is incorrect, the entire DMARC record will be ignored.
• p (required): Defines the DMARC policy. Allowed values are “none,” “quarantine,” or “reject.” The default is “none,” which takes no action on unauthenticated emails but gathers reports. “Quarantine” flags suspicious emails, while “reject” outright blocks them.
• rua: Indicates where aggregate reports should be sent. The value is an email address formatted as “mailto:”. If omitted, you won’t receive reports on email authentication results.
• ruf: Specifies the recipient of forensic reports, also using a “mailto:” URI. These reports are more detailed but are optional.
• sp: Defines the policy for subdomains. Subdomains will inherit the main domain policy unless you specify otherwise. Like the main “p” tag, allowed values are “none,” “quarantine,” or “reject.”
• adkim: Determines DKIM alignment. Allowed values are “r” for relaxed or “s” for strict. Relaxed allows partial matches, while strict requires a full match between the DKIM domain and the “From” domain.
• aspf: Similar to adkim but for SPF alignment. “R” is relaxed and allows partial matches, while “s” is strict and requires full alignment.
• fo: Specifies forensic reporting options. You can choose to receive reports when SPF and DKIM both fail (“0”), if one of them fails (“1”), or specifically when DKIM (“d”) or SPF (“s”) fail.
• rf: Defines the format for forensic reports. Accepted values are “afrf” and “iodef.”
• pct: Specifies the percentage of failed emails that the policy should apply to. For example, “pct=70” applies the policy to 70% of non-compliant emails and allows the remaining 30% to pass through.
• ri: Determines how frequently reports are sent, with the default set to 86400 seconds (once per day).

It’s definitely not necessary to memorize all of these tags, but you can definitely refer back to it when in need of decoding your DMARC records from time to time. 

At the end of the day, given the huge impact that DMARC, SPF, and DKIM authentication protocols have on email deliverability and the success of your outreach efforts, investing the time in DMARC monitoring and analyzing these tags may one day prevent your business domain from getting severely harmed. 

The growing importance of DMARC in 2024   

Authenticating your emails has always been important, but it’s become absolutely crucial in 2024 once Google announced its new strict policies back in February. Improper authentication is more often than not a common reason for higher spam rates, and with the new 0.3% threshold — businesses simply cannot afford to overlook this aspect of outreach. 

DMARC will also ensure that your business domain remains protected from external attacks via malicious emails, as well as protect your domain from any unauthorized use that, once again, has great potential to harm your sender reputation and skyrocket your spam rates. 

In the context of deliverability, regular DMARC monitoring will help ensure that all the time and effort invested in crafting outreach campaigns doesn’t go to waste, which in most cases, especially in B2B, has a direct correlation with customer acquisition, retention, and revenue. 

So whether it’s with the consistent manual use of free tools mentioned above or with an all-in-one outreach suite like Reply.io that offers automated DMARC monitoring, we strongly encourage all businesses to invest in their domain setup and authentications.