DMARC Policies for Email Deliverability
If you send email from an address associated with your domain name you can use a DMARC record to help improve the trustworthiness of your email communications among your recipients. WP Engine does not host DNS or email, however it’s still important to understand what can be done to improve email deliverability if you’re having issues.
DMARC stands for Domain-based Message Authentication Reporting and Conformance. It exists to improve reporting on email trustworthiness, and therefore encourage successful email delivery. DMARC uses the SPF and DKIM protocols in 3 primary ways:
- Setting policies for how to handle rejection and delivery failures
- Adding regular reporting from recipients to domain owners
After an email passes standard validation tests (checking whether the sender’s IP was blocklisted, etc), the recipient’s mail server validates the DKIM and SPF records and applies the DMARC policy.
Then, a report of how the email server handles the email message (accept, quarantine for extra checks, or reject) is generated and sent on a regular basis to the domain owner.
You can find great documentation as to how DMARC works on their Overview page (external link).
DMARC policies are set with your DNS host as a TXT record. The values you set in the TXT record make up the DMARC policy. DMARC TXT records adhere to a
tag=value;tag=value format. There are a number of DMARC tags that can be used when configuring your DMARC records. See DMARC documentation for more information.
The DMARC documentation gives the following example TXT record for “sender.dmarcdomain.com”:
Let’s dissect the pieces of this record a bit further to understand what they mean.
v=DMARC1is the type of TXT record, or protocol version. We are using DMARC1 as the value in this scenario.
p=rejectis the action that should be taken by recipients if a message they received does not align with SPF and DKIM records. In this case the record says to reject any messages that do not align with the policy.
pct=100is the percentage of emails that are subject to filtering by recipients. In this example, 100% of emails should be filtered.
rua=mailto:[email protected]says to send the aggregate reports generated to the [email protected] email address.
NOTE: As DMARC is configured with your DNS provider, WP Engine Support cannot assist with configuring or troubleshooting these records.
Best Practices for Email Records with WP Engine
It is always recommended to use a third party email host, rather than sending from WP Engine’s default mail services. This allows more control for your team over the sending policies and logging.
Both record types below will be configured with your DNS host.
SPF (Sender Policy Framework) Records
WP Engine servers use the email relay service MailChannels to deliver emails sent from WordPress. As such, we highly recommend allowlisting email sent through MailChannels in your SPF records.
v=spf1 include:relay.mailchannels.net ~all
If you already have an SPF record, simply add the MailChannels relay to the existing record rather than adding a separate record. For example:
v=spf1 include:sendgrid.net include:mailgun.org include:relay.mailchannels.net ~all
DKIM (Domain Keys Identified Mail) Records
This record authenticates an email message and notes if it was truly sent from your domain. Setting up DKIM involves determining which domains are approved to send mail for you, and then generating a public/private key pair.
Your public key will be added as a TXT record created at your DNS host, while your private key will be saved with your mail relay service. As WP Engine does not host your email records, our Support team cannot assist you in finding the proper value for this record or in storing the private key for mail relay services.