DMARC Policies for Email Deliverability

If you send email from an address associated with your domain name you can use a DMARC record to help improve the trustworthiness of your email communications among your recipients. WP Engine does not host DNS or email, however it’s  still important to understand what can be done to improve email deliverability if you’re having issues.


About DMARC

DMARC stands for Domain-based Message Authentication Reporting and Conformance. It exists to improve reporting on email trustworthiness, and therefore encourage successful email delivery. DMARC uses the SPF and DKIM records to define protocols in 3 primary ways:

  1. Adding From: fields
  2. Setting policies for how to handle rejection and delivery failures
  3. Adding regular reporting from recipients to domain owners

After an email passes standard validation tests (checking whether the sender’s IP was blocklisted, etc), the recipient’s mail server validates the DKIM and SPF records and applies the DMARC policy.
Then, a report of how the email server handles the email message (accept, quarantine for extra checks, or reject) is generated and sent on a regular basis to the domain owner.

source: https://dmarc.org/overview/

You can find great documentation as to how DMARC works on their Overview page (external link).


Configure DMARC

DMARC policies are set with your DNS host as a TXT record. The values you set in the TXT record make up the DMARC policy. DMARC TXT records adhere to a tag=value;tag=value format. There are a number of DMARC tags that can be used when configuring your DMARC records. See DMARC documentation for more information.

The DMARC documentation gives the following example TXT record for “sender.dmarcdomain.com”:

v=DMARC1;p=reject;pct=100;rua=mailto:[email protected]

Let’s dissect the pieces of this record a bit further to understand what they mean.

  • v=DMARC1 is the type of TXT record, or protocol version. We are using DMARC1 as the value in this scenario.
  • p=reject is the action that should be taken by recipients if a message they received does not align with SPF and DKIM records. In this case the record says to reject any messages that do not align with the policy.
  • pct=100 is the percentage of emails that are subject to filtering by recipients. In this example, 100% of emails should be filtered.
  • rua=mailto:[email protected] says to send the aggregate reports generated to the [email protected] email address.

NOTE

DMARC is configured with your DNS provider, therefore WP Engine Support cannot assist with configuring or troubleshooting these records.


Best Practices for Email Records with WP Engine

It is always recommended to use a third party email host, rather than sending from WP Engine’s default mail services. This allows more control for your team over the sending policies and logging.

However, if you must send regular WordPress email (password resets, etc) through WP Engine you may need to ensure our mail relay services are allowlisted in your email records.

Both record types below will be configured with your DNS host.

SPF (Sender Policy Framework) Records

WP Engine servers use the email relay service MailChannels to deliver emails sent from WordPress. As such, we highly recommend allowlisting email sent through MailChannels with an SPF record configured at your DNS host.

An SPF record is set as a TXT record similarly to DMARC, like so:

v=spf1 include:relay.mailchannels.net ~all

If you already have an SPF record, simply add the MailChannels relay to the existing record rather than adding a separate record. For example: v=spf1 include:sendgrid.net include:mailgun.org include:relay.mailchannels.net ~all

This SPF record should be set at your DNS host, where DNS is managed for the sending domain. WP Engine does not host DNS and cannot configure SPF records on your behalf.

DKIM (Domain Keys Identified Mail) Records

This record authenticates an email message and notes if it was truly sent from your domain. Setting up DKIM involves determining which domains are approved to send mail for you, and then generating a public/private key pair.

Your public key will be added as a TXT record created at your DNS host, while your private key will be saved with your mail relay service. As WP Engine does not host your email records, our Support team cannot assist you in finding the proper value for this record or in storing the private key for mail relay services. Please reach out to your email provider to generate the necessary values for DKIM records.


NEXT STEP: Learn how to configure a third party email host

Still need help? Contact support.

We offer support 24 hours a day, 7 days a week, 365 days a year. Log in to your account to get expert one-on-one help.

The best in WordPress hosting.

See why more customers prefer WP Engine over the competition.