Do I really need to worry about DMARC? I don’t even know what it is.
Yes! DMARC should be your new best friend, at least in terms of your internet friendships. DMARC stands for Domain-based Message Authentication, Reporting & Conformance. It might be easier to think of DMARC as a gatekeeper for your site’s email recipients – it decides which emails reach the inbox, which go to the spam folder, and which are not delivered at all.
Using DMARC provides a major benefit for both the domain owner (Sender) and the email recipient (End User) by “making it easier for [the End User’s] mailbox provider (e.g. AOL, Comcast, Hotmail, GMail, Yahoo) to keep spam and phishing messages from ever reaching their inbox” (DMARC), which helps build legitimacy and trust between the Sender and the End User.
In a nutshell, DMARC allows you (the Sender) to decide what to do if an email is not validated by the DKIM or SPF validation systems. You can use the DMARC Record that you set up within your DNS to reject, quarantine or do nothing:
None – No action needed. Log affected messages only.
Quarantine – Mark affected messages as spam.
Reject – Cancel the message at the SMTP layer. (Example: p=reject)
Here at WP Engine we aren’t able to help set up your DMARC Record, since this record isn’t set within our own settings but rather at the DNS level. Luckily though, there are a lot of experts in the email phishing world! The main ones are SendGrid, Mailgun and DMARC.org, and they all offer great information and resources to help you with your DMARC Record.
If you’re sending emails from your WP Engine site, we highly recommend that you set your own “[email protected]” email address for the Email From section. This is really important because email providers are updating their DMARC policies to block emails that are sent from mail servers not specified in their DMARC policy.
In plain English, this means that if an email is sent to you through a WP Engine email server and the email address has a “from” address of a major email provider like aol.com, yahoo.com, etc., the email message is not likely to be delivered.
That’s great, but do I actually need DMARC?
In short, it would be in your best interest. More and more email providers are using DKIM and SPF validation systems that domain owners will need to comply with if they want to continue sending emails through them.
The social web and email are now part of our daily lives, and “Email is easy to spoof and criminals have found spoofing to be a proven way… Simply inserting the logo of a well known brand into an email gives it instant legitimacy with many users” (DMARC). For a more in-depth read on why you should look into DMARC, visit “Why should a Sender care about DMARC?”
Hopefully that doesn’t scare you too much. Phishing criminals require a certain return on their scams and won’t necessarily take the time to spoof small domains. Their gaze is typically set on larger domains and eCommerce sites. If that describes your site, make sure you’re publishing a DMARC record.
Okay, you’ve got me. How do I publish this DMARC record?
WP Engine and our Support don’t cover or own the process of publishing your DMARC record, since this Record isn’t set through our platform. But here are some resources to help you set up your DMARC:
Also, if you’re using WP Engine’s servers to send emails, we recommend that you add include:sendgrid.net and include:mailgun.org to your SPF Record settings. Cloudflare has all the information you need to add SPF records in case you are not familiar with the process.
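As an added example (not WP Engine's code), this Python sketch checks the two TXT record values discussed above before you publish them: that the DMARC record carries a valid policy (none, quarantine or reject) and that the SPF record contains both recommended includes. The records use the placeholder domain example.com; the rua reporting address and the ~all ending are assumptions, not values from this article.

```python
# Added example: offline sanity check of DMARC and SPF TXT record strings.
# The records below are constructed samples for the placeholder domain example.com.

POLICY_ACTIONS = {
    "none": "log affected messages only",
    "quarantine": "mark affected messages as spam",
    "reject": "cancel the message at the SMTP layer",
}
REQUIRED_INCLUDES = ("sendgrid.net", "mailgun.org")  # from the article's SPF advice


def parse_dmarc(txt):
    """Return (policy, problems) for the TXT value published at _dmarc.<domain>."""
    pairs = [part.strip() for part in txt.split(";") if part.strip()]
    tags, problems = {}, []
    for pair in pairs:
        name, sep, value = pair.partition("=")
        if not sep:
            problems.append(f"malformed tag: {pair!r}")
            continue
        tags[name.strip().lower()] = value.strip()
    # RFC 7489: the v tag must come first and be exactly DMARC1
    if not pairs or pairs[0].replace(" ", "") != "v=DMARC1":
        problems.append("record must start with v=DMARC1")
    policy = tags.get("p", "").lower()
    if policy not in POLICY_ACTIONS:
        problems.append(f"p must be one of {sorted(POLICY_ACTIONS)}, got {policy!r}")
        policy = None
    return policy, problems


def missing_spf_includes(txt, required=REQUIRED_INCLUDES):
    """Return the required include: domains absent from an SPF TXT value."""
    terms = txt.lower().split()
    if not terms or terms[0] != "v=spf1":
        return list(required)  # not an SPF record at all
    present = {t.lstrip("+-~?")[len("include:"):] for t in terms if "include:" in t}
    return [d for d in required if d not in present]


if __name__ == "__main__":
    dmarc = "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com"  # constructed
    spf = "v=spf1 include:sendgrid.net ~all"  # constructed, mailgun.org left out
    policy, problems = parse_dmarc(dmarc)
    print("DMARC policy:", policy, "->", POLICY_ACTIONS.get(policy), problems)
    print("SPF includes missing:", missing_spf_includes(spf))
```

Starting with p=none lets you collect reports and confirm that legitimate mail passes before moving to quarantine or reject.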