Domain-based Message Authentication, Reporting, and Conformance (DMARC) is an email authentication method that allows domain owners to protect their domain from unauthorized use. By offering a clear policy to email providers and Internet service providers (ISPs), it helps prevent malicious actors from sending emails claiming to be from your domain. Implementing DMARC reduces the risk of legitimate emails being marked as spam or rejected, and improves your email deliverability.
DMARC also offers reporting on messages that fail authentication, along with control over the handling of emails that do not pass DMARC validation. Depending on the implemented DMARC policy, these emails can be monitored, quarantined, or rejected. These capabilities empower you to take actions to mitigate and address potential errors.
To help you prevent deliverability issues while gaining control over mail that fails authentication, Journey Optimizer now supports the DMARC technology directly in its administration interface. Learn more
SPF and DKIM are both used to associate an email with a domain and work together to authenticate email. DMARC takes this one step further and helps to prevent spoofing by matching the domain checked by DKIM and SPF.
In Journey Optimizer, SPF and DKIM are configured for you.
To pass DMARC, a message must pass SPF or DKIM:
If both or either of these fail authentication, DMARC will fail, and the email will be delivered according to your selected DMARC policy.
If an email fails DMARC authentication, you can decide which action will be applied to that message. DMARC has three policy options:
Learn how to set the DMARC policy with Journey Optimizer in this section.
As part of enforcing industry best practices, Google and Yahoo! both require that you have a DMARC record for any domain you use to send email to them. This new requirement applies starting February 1st, 2024.
Failing to comply with this new requirement from Gmail and Yahoo! is expected to result in emails landing in the spam folder or getting blocked.
Consequently, Adobe strongly recommends you take the following actions:
Make sure to have a DMARC record set up for all the subdomains that you have already delegated to Adobe in Journey Optimizer. Learn how
When delegating any new subdomain to Adobe, you can set up DMARC directly in the Journey Optimizer administration interface. Learn how
The Journey Optimizer administration interface allows you to set up a DMARC record for all the subdomains that you have already delegated or are delegating to Adobe. The detailed steps are described below.
To make sure that you have a DMARC record set up for all the subdomains that you have delegated in Journey Optimizer, follow the steps below.
Access the Administration > Channels > Email settings > Subdomains menu, then click Set up subdomain.
For each delegated subdomain, check the DMARC Record column. If no record was found for a given subdomain, an alert is displayed.
To comply with the new requirement from Gmail and Yahoo!, and avoid deliverability issues with top ISPs, it is recommended to set up a DMARC record for all delegated subdomains. Learn more
Select a subdomain with no DMARC record associated and fill in the DMARC record section according to your organization’s needs. The steps to populate the DMARC record fields are detailed in this section.
Depending on whether a DMARC record is found with the parent domain or not, you can choose to use the values from the parent domain or to have Adobe manage the DMARC record. Learn more
If you are editing a subdomain:
Fully delegated to Adobe, no further action is required.
Set up with CNAME, you must copy the DNS record for DMARC into your hosting solution to generate the matching DNS records.
Make sure that the DNS record has been generated into your domain hosting solution and check the box “I confirm…”.
Save your changes.
When delegating new subdomains to Adobe in Journey Optimizer, a DMARC record will be created in DNS for your domain. Follow the steps below to implement DMARC.
To comply with the new requirement from Gmail and Yahoo!, and avoid deliverability issues with top ISPs, it is recommended to set up a DMARC record for all delegated subdomains. Learn more
Set up a new subdomain. Learn how
Go to the DMARC record section.
If a DMARC record is available on the parent domain associated with your subdomain, two options display:
Manage with Adobe: You can have Adobe manage the DMARC record for your subdomain. Follow the steps detailed in this section.
Manage on your own: This option enables you to manage the DMARC record outside of Journey Optimizer, using the values from your parent domain. These values display in the interface, but you cannot edit them.
If no DMARC record is found on the parent domain, only the Manage with Adobe option is available. Follow the steps below to set up a DMARC record for your subdomain.
To let Adobe manage the DMARC record for you, select the Manage with Adobe option and follow the steps below.
If fetched by Journey Optimizer, you can use the same values as highlighted in the interface, or change them as needed.
If you do not add any values, the pre-filled default values will be used.
Define the action that the recipient server will perform if DMARC fails. Depending on the DMARC policy you want to apply, select one of the three options:
As a best practice, it is recommended to slowly roll out DMARC implementation by escalating your DMARC policy from None, to Quarantine, to Reject as you gain understanding of DMARC’s potential impact.
Optionally, add one or more email addresses of your choice to indicate where DMARC reports on emails that fail authentication should go within your organization. You can add up to five addresses for each report.
Make sure you have a genuine inbox (not Adobe) under your control where you can receive those reports.
There are two different reports generated by ISPs that senders can receive through the RUA/RUF tags in their DMARC policy:
These highly technical reports provide an overview of emails that are spoofing attempts. They are best digested through a third-party tool.
Select the applicable percentage of emails for DMARC.
This percentage depends on your confidence in your email infrastructure and your tolerance for false positives (legitimate emails being marked as fraudulent). It is common for organizations to start with the DMARC policy set to None, gradually increase the DMARC policy percentage, and closely monitor the impact on legitimate email delivery.
Work with your email administrators and IT team to gradually increase the percentage as you gain confidence in your email authentication practices.
As a best practice, aim for a high DMARC compliance rate, ideally close to 100%, to maximize the security benefits while minimizing the risk of false positives.
Select a reporting interval between 24 and 168 hours. This interval allows domain owners to receive regular updates on email authentication results and take necessary actions to improve email security.
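The settings chosen in the steps above end up as tags in the published DMARC TXT record. As an added example (not Adobe's code), the following Python audit checks a record value against them: policy, percentage, at most five report addresses per report, and a reporting interval of 24 to 168 hours, which the record's `ri` tag stores in seconds. The function names and the two sample records are constructed for illustration.

```python
import re

POLICIES = ("none", "quarantine", "reject")
MAX_ADDRESSES = 5        # per report type, as stated on this page
RI_HOURS = (24, 168)     # interval range offered in the interface (assumed inclusive)

def parse_dmarc(txt):
    """Split a DMARC TXT value into an ordered list of (tag, value) pairs."""
    pairs = []
    for part in txt.split(";"):
        if "=" in part:
            tag, value = part.split("=", 1)
            pairs.append((tag.strip().lower(), value.strip()))
    return pairs

def audit_dmarc(txt):
    """Return findings for one record; an empty list means nothing to flag."""
    pairs = parse_dmarc(txt)
    tags = dict(pairs)
    if not pairs or pairs[0] != ("v", "DMARC1"):
        return ["not a DMARC record: v=DMARC1 must be the first tag"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in POLICIES:
        findings.append(f"invalid or missing policy p={tags.get('p')!r}")
    elif policy == "none":
        findings.append("p=none: failing mail is only monitored")
    pct = tags.get("pct", "100")           # DMARC default: all failing mail
    if not (pct.isdecimal() and int(pct) <= 100):
        findings.append(f"pct={pct!r} is not an integer between 0 and 100")
    elif int(pct) < 100:
        findings.append(f"pct={pct}: policy applies to only part of failing mail")
    ri = tags.get("ri", "86400")           # seconds; DMARC default is one day
    if not ri.isdecimal() or not RI_HOURS[0] <= int(ri) / 3600 <= RI_HOURS[1]:
        findings.append(f"ri={ri!r} is outside {RI_HOURS[0]}-{RI_HOURS[1]} hours")
    for tag in ("rua", "ruf"):
        uris = [u.strip() for u in tags.get(tag, "").split(",") if u.strip()]
        if len(uris) > MAX_ADDRESSES:
            findings.append(f"{tag}: {len(uris)} addresses, more than {MAX_ADDRESSES}")
        bad = [u for u in uris if not re.fullmatch(r"mailto:[^@\s]+@[^@\s]+", u, re.I)]
        if bad:
            findings.append(f"{tag}: not a mailto URI: {', '.join(bad)}")
    if "rua" not in tags:
        findings.append("no rua tag: aggregate reports are not sent anywhere")
    return findings

# Constructed sample records (example.com addresses are placeholders).
GOOD = "v=DMARC1; p=reject; pct=100; ri=86400; rua=mailto:dmarc-reports@example.com"
WEAK = "v=DMARC1; p=none; pct=25; ri=3600; rua=" + ",".join(
    f"mailto:r{i}@example.com" for i in range(6))
```

Run `audit_dmarc` on the TXT value returned for `_dmarc.<your subdomain>` once the record has been generated in your hosting solution; `WEAK` shows the findings for a monitor-only record with partial enforcement, a one-hour interval and six report addresses.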