DMARC Policies for Email Deliverability
If you send email from an address associated with your domain name you can use a DMARC record to help improve the trustworthiness of your email communications among your recipients. WP Engine does not host DNS or email, however it’s still important to understand what can be done to improve email deliverability if you’re having issues.
About DMARC
DMARC stands for Domain-based Message Authentication Reporting and Conformance. It exists to improve reporting on email trustworthiness, and therefore encourage successful email delivery. DMARC uses the SPF and DKIM records to define protocols in 3 primary ways:
- Adding
From:
fields - Setting policies for how to handle rejection and delivery failures
- Adding regular reporting from recipients to domain owners
After an email passes standard validation tests (checking whether the sender’s IP was blocklisted, etc), the recipient’s mail server validates the DKIM and SPF records and applies the DMARC policy.
Then, a report of how the email server handles the email message (accept, quarantine for extra checks, or reject) is generated and sent on a regular basis to the domain owner.
You can find great documentation as to how DMARC works on their Overview page (external link).
Configure DMARC
DMARC policies are set with your DNS host as a TXT record. The values you set in the TXT record make up the DMARC policy. DMARC TXT records adhere to a tag=value;tag=value
format. There are a number of DMARC tags that can be used when configuring your DMARC records. See DMARC documentation for more information.
The DMARC documentation gives the following example TXT record for “sender.dmarcdomain.com”:
v=DMARC1;p=reject;pct=100;rua=mailto:[email protected]
Let’s dissect the pieces of this record a bit further to understand what they mean.
v=DMARC1
is the type of TXT record, or protocol version. We are using DMARC1 as the value in this scenario.p=reject
is the action that should be taken by recipients if a message they received does not align with SPF and DKIM records. In this case the record says to reject any messages that do not align with the policy.
pct=100
is the percentage of emails that are subject to filtering by recipients. In this example, 100% of emails should be filtered.rua=mailto:[email protected]
says to send the aggregate reports generated to the [email protected] email address.
NOTE
DMARC is configured with your DNS provider, therefore WP Engine Support cannot assist with configuring or troubleshooting these records.
Best Practices for Email Records with WP Engine
It is always recommended to use a third party email host, rather than sending from WP Engine’s default mail services. This allows more control for your team over the sending policies and logging.
However, if you must send regular WordPress® email (password resets, etc) through WP Engine you may need to ensure our mail relay services are allowlisted in your email records.1
Both record types below will be configured with your DNS host.
SPF (Sender Policy Framework) Records
WP Engine servers use the email relay service MailChannels to deliver emails sent from WordPress. As such, we highly recommend allowlisting email sent through MailChannels with an SPF record configured at your DNS host.
An SPF record is set as a TXT record similarly to DMARC, like so:
v=spf1 include:relay.mailchannels.net ~all
If you already have an SPF record, simply add the MailChannels relay to the existing record rather than adding a separate record. For example: v=spf1 include:sendgrid.net include:mailgun.org include:relay.mailchannels.net ~all
This SPF record should be set at your DNS host, where DNS is managed for the sending domain. WP Engine does not host DNS and cannot configure SPF records on your behalf.
DKIM (Domain Keys Identified Mail) Records
This record authenticates an email message and notes if it was truly sent from your domain. Setting up DKIM involves determining which domains are approved to send mail for you, and then generating a public/private key pair.
Your public key will be added as a TXT record created at your DNS host, while your private key will be saved with your mail relay service. As WP Engine does not host your email records, our Support team cannot assist you in finding the proper value for this record or in storing the private key for mail relay services. Please reach out to your email provider to generate the necessary values for DKIM records.