DMARC

DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an email authentication protocol that builds on two earlier standards: SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail). Where SPF verifies the sending server and DKIM verifies the message integrity, DMARC ties them together by letting domain owners publish a DNS record that instructs receiving mail servers what to do when a message fails one or both checks. DMARC also introduces a reporting mechanism, sending XML reports back to domain owners so they can monitor unauthorized use of their domain in email headers.

Email remains the primary channel for sharing publication links, delivering lead notifications, and sending transactional messages. Without DMARC, attackers can forge your domain name in the "From" field of phishing emails, making fraudulent messages appear to come from your organization. This damages brand trust and puts your contacts at risk. A properly configured DMARC policy tells receiving servers to quarantine or reject unauthenticated messages, blocking spoofed emails before they reach inboxes. For publishers who distribute flipbook links via email, DMARC also improves deliverability — mailbox providers like Gmail and Outlook give preferential treatment to domains with valid DMARC records.

FlipLink's email infrastructure is designed to pass DMARC validation out of the box. When FlipLink sends lead notifications, publication share links, or messages through [email templates](/features/email-templates), those emails align with both SPF and DKIM requirements. If you use a custom sending domain, you publish a DMARC record in your DNS that defines your policy and a reporting address. FlipLink's sending practices comply with your DMARC policy, so legitimate emails pass validation while fraudulent ones are caught by receiving servers. This means your flipbook share emails, lead alerts, and automated notifications reach recipients reliably without being flagged as spam or rejected.

A DMARC record is a TXT entry in your domain's DNS. The key tags include: `v=DMARC1` (version), `p=` (policy: none, quarantine, or reject), `rua=` (aggregate report address), `ruf=` (forensic report address), `pct=` (percentage of messages the policy applies to), and `adkim=`/`aspf=` (alignment mode, strict or relaxed). Alignment is the critical concept — DMARC checks whether the domain in the "From" header matches the domain authenticated by SPF (the envelope sender) and DKIM (the signing domain). Relaxed alignment allows subdomains to match the organizational domain, while strict alignment requires an exact match. Most publishers start with relaxed alignment to avoid blocking legitimate email from subdomains or third-party senders like FlipLink.

1. **Verify SPF first** — confirm you have a valid SPF record that includes all authorized sending servers (your mail provider, FlipLink, any marketing tools). 2. **Set up DKIM signing** — configure DKIM keys in your DNS and ensure your email provider signs outgoing messages. 3. **Start with p=none** — publish a DMARC record with `p=none` to begin collecting reports without affecting mail delivery: `v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com` 4. **Analyze reports for two to four weeks** — use the aggregate reports to identify all legitimate senders and any unauthorized use of your domain. 5. **Move to p=quarantine** — once you are confident all legitimate senders pass authentication, change the policy to quarantine to route failing messages to spam. 6. **Advance to p=reject** — after confirming no legitimate mail is being quarantined, set the policy to reject for maximum protection. 7. **Monitor ongoing** — continue reviewing DMARC reports periodically to catch new senders or configuration drift.

**Can I set up DMARC without SPF and DKIM?** Technically you can publish a DMARC record without them, but it will have no practical effect. DMARC relies on SPF and DKIM results to make its pass/fail determination. Without at least one of these in place, every message will fail DMARC checks. **Will DMARC break my email delivery?** Not if you follow the graduated approach. Starting with `p=none` lets you observe which emails pass and fail without blocking anything. Only move to quarantine or reject after you have confirmed that all legitimate email sources are properly authenticated. **How long does it take for DMARC to take effect?** DNS changes typically propagate within a few hours, though some providers can take up to 48 hours. Once propagated, receiving servers will start applying your policy immediately and aggregate reports will begin arriving within 24 hours.

DMARC completes the email authentication stack by giving domain owners control over what happens when SPF or DKIM checks fail — protecting your brand from spoofing, improving email deliverability, and providing visibility into who sends email on your behalf.