Back to main menu


Protecting your domain reputation with DMARC

Your domain is only as protected as you make it. Defend your domain reputation from spammers and bad actors by implementing DMARC, it’s the extra layer of protection you need and we’ll tell you why in this post.



As someone who works in this wonderful world of email, I can tell you there are a few things that just make life miserable for everyone: spammers and phishers. The interwebz is still the preferred platform for business and social interactions, so of course, there’s more incentive for bad actors to target users for their own financial gain. Let’s look at the stupid easy ways bad actors can lure us into a trap, and how we can stop getting pwned by spammers.

How DMARC protects your reputation

DMARC is the lesser known authentication. If you’re in the email game, then it’s more likely that you’ve embraced DKIM and SPF. Though it’s very effective – having stopped more than 90 million phishing attacks in the first half of 2022 alone, DMARC is still not widely adopted. With over 90% of cyber attacks beginning with phishing (the very thing DMARC defends against), this is the security protocol you don’t want to sleep on.

DKIM and SPF are great for indicating where messages should be coming from, though not vmany ISPs filter email using these authentications alone. Both DKIM and SPF provide the mechanics to filter out messages that fail their checks, but most providers will still allow message to go through. This is because it’s really hard to tell how many legitimate emails are being sent that don’t authenticate – especially if the sender isn’t getting any feedback. This is where DMARC comes in.

DMARC (Domain-based Message Authentication, Reporting & Conformance) uses both the SPF and DKIM records together to better identify who sent the message. It can tell you if the sender had permissions to send and identify themselves as the domain in the “From” field of your email header.

Sender Policy Framework (SPF) is controlled at the DNS level. It’s where you can say which servers can send on your behalf, and lets you reference whether the originating IP matches the list on your DNS. A matching IP is how the recipient server knows the message is coming from an authorized sender of your domain.

DomainKeys Identified Mail (DKIM) signs your messages to signal that it has been sent from the  server that created the message, and not from an imposter that intercepted the message and inserted something into the message body itself.

To pass DMARC checks, SPF or DKIM must meet the requirements of both alignment and authentication. There must be alignment between the domain in the “from” address, and the domain identified in the return path or “d=” portion of the DKIM signature.

Adding DMARC as a protection to your domain will help reduce the possibility of a bad actor using your domain name to send emails from a random location that you did not designate with SPF.

If you’re looking for more resources on DMARC, the DMARC site provides suggestions for aggregation services that take that return data and display it for you in a nice way that humans can read. Because who doesn’t like a solid feedback loop that helps to improve email deliverability?

What types of attacks can DMARC help block?

We’re big fans of DMARC both in terms of security and deliverability. It’s one thing to talk about the logistics, but what are some examples of the risks that DMARC helps prevent?

You’ve been spoofed

One of the easiest ways for bad actors to infiltrate our lives is to use our trusting – and often lax – attitude towards established senders. Email spoofing tests our trust and exploits it, using it against us to see if we’ll take the bait if it looks like a message is coming from someone we know. You can be on the receiving end and not know the difference because bad actors will mimic email headers to look legitimate.

More sophisticated spoofing attacks will often include company logos, be well written, and have links to websites that also look legitimate, making it really hard for a user to realize that they are being phished until it’s too late. But if you take a closer look at the full details of your email header, you can catch the weird things like IP addresses that you didn’t authorize to send on your behalf. It’s all too easy to replicate an email header and put your domain reputation at risk.

DMARC reduces spoofing attack by preventing spoofers from using fake “From” addresses. It catches imposter emails by invalidating them through robust authentication standards. Learn more here.

You’ve gone deep sea ‘phishing’

An unprotected domain is bad news for your reputation with ISPs. Your own domain users are left vulnerable to phishing attacks where bad actors will trick recipients with personalized messages. These messages can attempt to gain passwords, payment information, or confidential company information that you would not normally share. So, if you can’t function without binge watching Futurama, and Netflix is threatening to cancel your account because of a problem with your billing information…I’d say

  1. You’re all of us, and

  2. You might not question the legitimacy of this email:

Phishing email that appears to be from Netflix

And that’s just the small stuff. These attacks are the Moby Dick of ‘phising’–  just a security disaster waiting to happen because of how far they reach and the size of their impact. They can hit your organization in the form of a message sent from a senior executive or a high-profile contact and are made to look like official correspondence. It’s pretty much a message you would reasonably expect like a legal subpoena, customer complaint, or a message from the CEO. If you’re being asked to provide confidential information or direct payment to an obscure source…flag it immediately.

If your domain has no DMARC record, hackers can more easily spoof an email address that is attached to your domain name. At Mailgun, when adding a domain to your account you are required to add DKIM and SPF records – both of which help to indicate where the domain is allowed to send email from. By enabling DMARC, you have the added benefit of selecting a return address for reports of your domains sending activity to email hosting providers.

Wrapping up

DMARC is by no means a magic wand that will eliminate spoofing of your domain, but it can deter a spammer or phisher from using your domain name while trying to execute one of these attacks. And of course, it can also help protect your domain reputation by validating your identity and separating your sending actions from a spammer who is trying to mimic you.

To protect your own users from spoofing attacks, remember that DMARC is part of the toolset that you will need , but user education is key.. To dive deeper into learning about reputation protection, check out our webinar on all things dedicated IP and learn when to use them for email.

Deliverability is a challenging topic. DMARC is one piece of the authentications that secure your email program, but it’s still only the tip of the iceberg.

Learn about our Deliverability Services

Deliverability Services

Looking to send a high volume of emails? Our email experts can supercharge your email performance. See how we've helped companies like Lyft, Shopify, Github increase their email delivery rates to an average of 97%.

Related readings

Dedicated vs. Shared IPs: Knowing which one to use

“They’re hacking our IP to access the mainframe!” How often have we heard that line in movies as actors punch random keys and scramble to beat the clock...

Read more

What is SMTP and how does it work?

SMTP, though a pillar of email delivery, often gets lost in the jumble of tech terms and acronyms. But if you're ready to send impactful emails, this is one of those acronyms that...

Read more

The basics of SPF records

SPF doesn’t refer to how long you can wait before you have to reapply your sunblock (seriously, go get some). Instead, the term “SPF” refers to a security measure that helps...

Read more

Popular posts

Email inbox.

Build Laravel 10 email authentication with Mailgun and Digital Ocean

When it was first released, Laravel version 5.7 added a new capability to verify user’s emails. If you’ve ever run php artisan make:auth within a Laravel app you’ll know the...

Read more

Mailgun statistics.

Sending email using the Mailgun PHP API

It’s been a while since the Mailgun PHP SDK came around, and we’ve seen lots of changes: new functionalities, new integrations built on top, new API endpoints…yet the core of PHP...

Read more

Statistics on deliverability.

Here’s everything you need to know about DNS blocklists

The word “blocklist” can almost seem like something out of a movie – a little dramatic, silly, and a little unreal. Unfortunately, in the real world, blocklists are definitely something you...

Read more

See what you can accomplish with the world's best email delivery platform. It's easy to get started.Let's get sending
CTA icon