You may have noticed this past week that if you didn’t have DMARC configured, the latest bulk email you tried to send out of Zoho CRM was denied. This is because DMARC is now mandatory for sending bulk emails from Zoho CRM. SPF and DKIM are no longer sufficient. Implementing DMARC ensures better email deliverability and security. Below is a quick breakdown of SPF, DKIM, and DMARC, along with everything you need to know to resolve this issue within Zoho CRM.
What Are SPF and DKIM?
SPF (Sender Policy Framework): SPF verifies that an email comes from an authorized server. It checks if the sender’s IP is listed in the domain’s SPF record.
DKIM (DomainKeys Identified Mail): DKIM adds a digital signature to the email header. This signature verifies the message’s integrity and confirms that it hasn’t been tampered with.
While SPF and DKIM validate sender authenticity, they don’t cover reporting or provide actionable policies. This is where DMARC steps in.
Breakdown of DMARC
DMARC (Domain-based Message Authentication, Reporting, and Conformance) is crucial for email security and deliverability. It builds on SPF and DKIM, adding enforcement policies and reporting mechanisms. Here’s a detailed breakdown of the settings and formatting you can choose from when configuring DMARC for Zoho CRM.
1. DMARC Version
- v=DMARC1: This is the mandatory tag that specifies the version of DMARC being used. Always start your DMARC record with this tag.
Example:
v=DMARC1
2. Policy (p)
The policy tag dictates how receiving servers should handle emails that fail DMARC checks.
- none: Monitor emails but take no action. Ideal for testing and monitoring.
- quarantine: Mark failing emails as suspicious and send them to the spam/junk folder.
- reject: Block emails that fail DMARC checks.
Example:
p=quarantine
3. Subdomain Policy (sp)
This tag allows you to specify a different DMARC policy for subdomains.
- none: No action taken for emails from subdomains.
- quarantine: Mark failing emails from subdomains as suspicious.
- reject: Reject emails from subdomains that fail DMARC checks.
Example:
sp=reject
4. Reporting Addresses
DMARC allows you to receive reports on how your domain’s emails are being handled. There are two types of reports: aggregate (rua) and forensic (ruf).
- Aggregate Reports (rua): Provides a summary of email authentication results.
  - Format: rua=mailto:your-email@yourdomain.com
  - Example: rua=mailto:dmarc-reports@yourdomain.com
- Forensic Reports (ruf): Provides detailed reports for each email that fails DMARC.
  - Format: ruf=mailto:your-email@yourdomain.com
  - Example: ruf=mailto:dmarc-failures@yourdomain.com
5. Alignment Mode (adkim and aspf)
These tags define how strictly the DKIM (adkim) and SPF (aspf) identifiers must match.
- Strict (s): The domain in the email’s DKIM/SPF must exactly match the domain in the DMARC record.
- Relaxed (r): The domain in the email’s DKIM/SPF can be a subdomain of the domain in the DMARC record.
Example:
adkim=s; aspf=r
6. Percentage of Emails to Apply Policy (pct)
The pct tag specifies the percentage of emails to which the DMARC policy should be applied.
- Range: 1 to 100 (default is 100)
Example:
pct=50 (applies the policy to 50% of emails)
7. Reporting Options for Forensic Data (fo)
This tag controls the generation of forensic reports.
- 0: Generate a report if both SPF and DKIM fail (default).
- 1: Generate a report if either SPF or DKIM fails.
- d: Generate a report if the DKIM check fails.
- s: Generate a report if the SPF check fails.
Example:
fo=1
8. TTL (Time To Live)
The TTL value specifies how long the DMARC record should be cached by DNS servers.
- Recommended TTL: 3600 seconds (1 hour)
Full Example:
v=DMARC1; p=quarantine; sp=none; rua=mailto:dmarc-reports@yourdomain.com; ruf=mailto:dmarc-failures@yourdomain.com; adkim=s; aspf=r; pct=100; fo=1;
The mandatory elements are Version (v) and Policy (p).
How to Add DMARC to Your DNS Settings
- Log in to Your DNS Provider: Access your domain’s DNS management dashboard.
- Create a New TXT Record:
  - Host/Name: Enter _dmarc.yourdomain.com.
  - Type: Set this to TXT.
  - Value: Use a format like v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com;
- Set the TTL: Use a TTL of 3600 seconds (1 hour) for flexibility.
- Save the Record: Once saved, the DNS will propagate the changes.
Once completed, allow up to 48 hours; when the record is configured properly, the DMARC status should go from red to green.
Set Up DMARC for Zoho CRM Today
Still seeing that your DMARC isn’t turned on after completing these steps? It can take up to 48 hours to sync with Zoho CRM. If you are still having errors after that, visit Club Zenatta for additional help or drop us a line and learn how Zenatta can help you with your Zoho instance as your Zoho Partner.