Who can send emails on behalf of your domain?
Many companies already protect their email domain with SPF and DKIM. These two methods help verify the authenticity of emails and reduce spam and phishing.
Nevertheless, an important question remains: What should happen if an email fails these security checks? That’s exactly what DMARC is for.
What is DMARC?
DMARC stands for Domain-based Message Authentication, Reporting and Conformance.
This method builds on SPF and DKIM and defines how receiving mail servers should handle emails that cannot be successfully authenticated.
Additionally, reports can be generated. These show which systems send emails on behalf of your domain and whether they successfully pass the security checks.
DMARC helps companies to:
- Reduce phishing attempts
- Make it more difficult to misuse their own domain
- Improve the deliverability of legitimate emails
- Keep an overview of their domain's email traffic
How do SPF, DKIM, and DMARC work together?
The three methods complement each other.
SPF
Defines which mail servers are allowed to send emails on behalf of your domain.
DKIM
Digitally signs emails, thereby confirming that they originate from the authorized sender and have not been altered during transmission.
DMARC
Defines what should happen to emails if SPF and/or DKIM cannot be successfully verified.
Why is DMARC important?
Phishing attacks often use forged sender addresses of well-known companies.
Without DMARC, it can be difficult for receiving mail servers to recognize whether an email actually originates from your company or merely pretends to have been sent by it.
DMARC provides additional security here and is increasingly recommended by major email providers such as Microsoft, Google, and Apple.
Who sets up DMARC?
Setup is performed by your IT department or IT service provider.
Access to your domain’s DNS management is a prerequisite.
As with SPF and DKIM, the HR department typically does not have direct access to these settings and should therefore forward the setup to the responsible party.
How to set up DMARC
DMARC is published as a TXT record in your domain’s DNS zone. The record is always located under: _dmarc.yourdomain.ch
Recommended start
For starters, we recommend a pure monitoring policy:
With this setting, no emails are blocked or rejected yet.
The policy is solely intended to monitor email authentication and detect potential configuration problems early.
Advanced Policies
Once SPF and DKIM have been successfully set up, stricter policies can be used.
Quarantine suspicious messages
Reject suspicious messages
However, these settings should only be activated once it is ensured that all legitimate sending systems are correctly configured.
Example of a DMARC record
A typical entry looks like this:
Host: _dmarc
Type: TXT
Value: v=DMARC1; p=none
Is DMARC mandatory for Ostendis?
No. Sending emails via Ostendis generally works even without DMARC.
However, for the highest possible deliverability, we recommend the combination of:
- SPF
- DKIM
- DMARC
This ensures your emails are technically optimally secured and comply with the current recommendations of major email providers.
Are there risks?
Yes. An incorrectly configured DMARC record can lead to legitimate emails being rejected or placed in the spam folder.
Therefore, we recommend always starting with the policy “p=none” and only introducing stricter policies after successful verification.
Ostendis Recommendation
For sending your applicant communications, we recommend:
- Configure SPF correctly
- Activate DKIM for the domain used
- Set up DMARC with a monitoring policy (p=none)
This creates the technical prerequisites for secure, trustworthy, and as reliable as possible delivery of your emails to applicants.
Wie hilfreich war dieser Beitrag?