Email providers no longer trust a domain just because it appears in the “From” address. Authentication has to back it up, and that’s where DMARC comes in. Any domain planning to deploy a Verified Mark Certificate must first run DMARC with an enforcement policy. Mail providers rely on that policy to verify the sender before showing a brand logo in the inbox.
This guide walks through the practical side of it: setting up DMARC and moving the domain toward enforcement, so it’s ready for BIMI and VMC deployment.
What is DMARC?
DMARC (Domain-based Message Authentication, Reporting & Conformance) is an email authentication policy published as a TXT record in DNS. It lets receiving mail servers verify whether messages claiming to come from your domain are actually authorized. DMARC works on top of SPF and DKIM, checking that at least one of them passes and aligns with the sending domain.
The record also tells receivers what to do when authentication fails. Three policies exist:
- p=none for monitoring
- p=quarantine to route suspicious mail to spam
- p=reject to block it outright
Beyond enforcement, DMARC produces reports that show which systems are sending mail using your domain and whether those messages pass authentication.
Why DMARC Compliance is Required for a VMC Certificate
A Verified Mark Certificate (VMC) connects a brand’s trademarked logo to the domain sending the email. Inbox providers won’t show that logo unless the sending domain proves it controls who can send mail in its name. That control comes from DMARC enforcement.
When an email arrives, receiving servers run authentication checks in layers:
- SPF checks whether the sending server is authorized for the domain
- DKIM verifies the message signature and confirms it wasn’t altered
- DMARC applies the policy published in DNS and determines how to handle messages that fail authentication
DMARC is the point where the domain owner sets the rule. The policy tells receivers what action to take if authentication fails.
For VMC eligibility, monitoring mode is not enough. The domain must run DMARC with an enforcement policy (quarantine or reject). Mail providers expect the domain to actively filter or block unauthorized senders before they allow brand indicators in the inbox.
This requirement directly affects BIMI deployment. The BIMI record points to the hosted logo and the VMC, but the inbox provider still checks the domain’s DMARC policy before displaying that logo. If DMARC enforcement is missing, the logo is simply not shown.
Step-by-Step DMARC Setup
DMARC deployment is not a single DNS change. It is a sequence: identify senders, authenticate them, observe traffic, then introduce enforcement.
Step 1: Identify All Email Sending Sources
Begin by listing every system that uses your domain to send email. Many domains have more email sources than expected.
Typical sources include:
- Web servers generating application or contact-form emails
- Internal or office mail servers
- ISP mail infrastructure
- Third-party services sending mail on your behalf
Missing even one legitimate sender can break authentication once DMARC enforcement starts. The goal here is simple: map every system using your domain in the “From” address.
Step 2: Create and Publish Your SPF Record
Once sending systems are identified, define them in SPF. Sender Policy Framework controls which servers are allowed to send email using your domain.
Basic workflow:
- Gather the sending IP addresses
- Create an SPF TXT record
- Publish the record in DNS
- Verify the record with an SPF checker
Example SPF record:
v=spf1 ip4:1.2.3.4 ip4:2.3.4.5 -all
When a receiving server processes an email, it checks whether the sending IP appears in that list. If not, SPF fails.
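To make that check concrete, here is an added example (not code from the original guide) that parses an SPF record in the shape shown above and evaluates it for a given sending IP. It handles only the ip4, ip6 and all mechanisms, which can be evaluated offline; the record and addresses are constructed for illustration, and any mechanism that needs DNS (include, a, mx) is rejected rather than silently ignored so the result is never misleading.

```python
import ipaddress

# Constructed SPF record, following the shape of the example in the guide.
SPF_RECORD = "v=spf1 ip4:1.2.3.4 ip4:2.3.4.5 ip4:203.0.113.0/24 -all"

# SPF qualifier prefixes and the result they produce when a mechanism matches
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split an SPF TXT record into (qualifier, mechanism, value) tuples.

    Only ip4/ip6/all are supported here: they can be evaluated offline.
    include/a/mx need DNS lookups, so they raise instead of being skipped
    (skipping them would make an authorized sender look unauthorized).
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: missing v=spf1")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"  # a mechanism without a prefix means 'pass' on match
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name not in ("ip4", "ip6", "all"):
            raise ValueError(f"mechanism '{name}' needs DNS, not supported offline")
        parsed.append((qualifier, name, value))
    return parsed


def check_spf(record, sending_ip):
    """Return the SPF result for a message sent from sending_ip.

    Mechanisms are evaluated left to right; the first match decides.
    """
    ip = ipaddress.ip_address(sending_ip)
    for qualifier, name, value in parse_spf(record):
        if name == "all":
            return QUALIFIERS[qualifier]
        network = ipaddress.ip_network(value, strict=False)
        # ip4 mechanisms only match IPv4 senders, ip6 only IPv6 senders
        if network.version == ip.version and ip in network:
            return QUALIFIERS[qualifier]
    # nothing matched and there is no 'all' term: RFC 7208 says 'neutral'
    return "neutral"


if __name__ == "__main__":
    for ip in ("1.2.3.4", "203.0.113.77", "198.51.100.9", "2001:db8::1"):
        print(f"{ip:>16} -> {check_spf(SPF_RECORD, ip)}")
```

The important behaviour to notice is the trailing -all: any sender not listed, including every IPv6 sender when the record only has ip4 entries, hard-fails. Use ~all instead during rollout if you are still discovering senders.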
Step 3: Configure DKIM for Email Signing
SPF verifies the sending server. DKIM (DomainKeys Identified Mail) handles message integrity.
Setting up DKIM typically involves:
- Choosing a DKIM selector
- Generating a public/private key pair
- Adding the public key as a DNS TXT record
Example DKIM record:
v=DKIM1; p=YourPublicKey
Outgoing messages are signed with the private key. Receiving servers use the DNS-published public key to validate the signature and confirm the message wasn’t modified during transit.
Step 4: Create a DMARC Record in Monitoring Mode
With SPF and DKIM active, introduce DMARC in monitoring mode first. This allows you to observe real email traffic before enforcing any filtering rules.
Create a TXT record at:
_dmarc.yourdomain.com
Example record:
v=DMARC1; p=none; rua=mailto:dmarcreports@domain.com
Monitoring mode does not block mail. Instead, it collects reports from receiving servers showing how messages from your domain authenticate.
Understanding DMARC Reports
DMARC reports reveal what’s actually sending email using your domain. Each report contains data such as:
- Sending IP addresses
- Message volumes per source
- SPF authentication results
- DKIM authentication results
- Actions taken under the current DMARC policy
These reports help identify:
- Unknown systems sending email
- Spoofing attempts
- Legitimate senders missing from SPF or DKIM configuration
Reviewing this data before enforcement avoids accidental disruptions.
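The aggregate (rua) reports arrive as XML in the RFC 7489 feedback format. The following added example, not part of the original guide, parses such a report and summarises it per source IP, separating sources that still pass DMARC (at least one aligned SPF or DKIM pass) from sources that would be quarantined or rejected once enforcement starts. The report embedded below is constructed for illustration and is not a real report from any provider.

```python
import xml.etree.ElementTree as ET

# Constructed DMARC aggregate report in RFC 7489 feedback format (not real data).
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>constructed-report-1</report_id>
    <date_range><begin>1700000000</begin><end>1700086400</end></date_range>
  </report_metadata>
  <policy_published><domain>example.com</domain><p>none</p><pct>100</pct></policy_published>
  <record>
    <row><source_ip>1.2.3.4</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>203.0.113.9</source_ip><count>35</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.77</source_ip><count>500</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
</feedback>
"""


def summarize_report(xml_text):
    """Aggregate a DMARC feedback report per source IP.

    Returns (published_policy, sources) where sources maps each IP to
    message counts: total, aligned SPF passes, aligned DKIM passes, and
    'failing' (neither aligned check passed, so DMARC failed).
    """
    root = ET.fromstring(xml_text)
    policy = root.findtext("policy_published/p")
    sources = {}
    for record in root.iter("record"):
        row = record.find("row")
        ip = row.findtext("source_ip")
        count = int(row.findtext("count"))
        # policy_evaluated holds the *aligned* results the receiver used
        spf = row.findtext("policy_evaluated/spf")
        dkim = row.findtext("policy_evaluated/dkim")
        entry = sources.setdefault(
            ip, {"total": 0, "spf_pass": 0, "dkim_pass": 0, "failing": 0}
        )
        entry["total"] += count
        if spf == "pass":
            entry["spf_pass"] += count
        if dkim == "pass":
            entry["dkim_pass"] += count
        if spf != "pass" and dkim != "pass":
            entry["failing"] += count
    return policy, sources


def failing_sources(sources):
    """Sources with messages that would be affected by quarantine/reject.

    Each is either a spoofer or a legitimate sender missing from SPF/DKIM;
    both must be investigated before moving past p=none.
    """
    return sorted(
        (ip, data["failing"]) for ip, data in sources.items() if data["failing"]
    )


if __name__ == "__main__":
    policy, sources = summarize_report(SAMPLE_REPORT)
    print(f"published policy: p={policy}")
    for ip, data in sources.items():
        print(f"{ip:>16}: {data}")
    print("would be filtered under enforcement:", failing_sources(sources))
```

In the constructed data, 203.0.113.9 fails SPF but passes aligned DKIM, so DMARC still passes and enforcement would not touch it; 198.51.100.77 fails both and is the source that needs attention before the policy changes.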
Step 5: Move From Monitoring to Enforcement
After reviewing reports and correcting authentication issues, move toward enforcement.
The first enforcement stage usually uses quarantine with a small filtering percentage.
Example:
v=DMARC1; p=quarantine; pct=10; rua=mailto:dmarcreports@domain.com
Start with a low percentage and gradually increase it. This approach filters a portion of failing messages while still allowing most traffic through.
Over time, increase the percentage until filtering reaches 100%.
Step 6: Implement the Reject Policy
The final stage is reject, the strictest DMARC policy.
Example:
v=DMARC1; p=reject; pct=100; rua=mailto:dmarcreports@domain.com
At this stage, receiving servers block messages that fail authentication instead of delivering them to inboxes or spam folders.
Reject enforcement stops spoofed emails from using your domain and establishes the authentication posture required for VMC eligibility.
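To check where a domain stands in the progression described in Steps 4 through 6, here is an added example (not code from the original guide) that parses a DMARC TXT record and reports whether it is at the full enforcement VMC requires: p=quarantine or p=reject with pct at 100 (the RFC 7489 default when pct is absent). It also flags an explicit sp=none, because subdomains would then fall back to monitoring, and a missing rua tag as a non-blocking warning. The records it is run against are the ones shown earlier in this guide.

```python
def parse_dmarc(record):
    """Parse a 'tag=value; tag=value' DMARC record into a dict.

    The record must begin with v=DMARC1; tag names are lower-cased.
    """
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        tag, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        tags[tag.strip().lower()] = value.strip()
    if not tags or next(iter(tags)) != "v" or tags["v"] != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    return tags


def check_enforcement(record):
    """Return (ready, blocking, warnings) for a DMARC record.

    ready is True when the policy is quarantine/reject applied to 100% of
    failing mail and subdomains are not explicitly left unprotected.
    """
    tags = parse_dmarc(record)
    blocking, warnings = [], []

    p = tags.get("p")
    if p not in ("quarantine", "reject"):
        blocking.append(f"p={p}: monitoring only, need quarantine or reject")

    pct = int(tags.get("pct", "100"))  # RFC 7489: pct defaults to 100
    if pct < 100:
        blocking.append(f"pct={pct}: only partial enforcement, need pct=100")

    # sp defaults to p when absent; an explicit sp=none reopens subdomains
    # to spoofing and the BIMI specification treats it as non-enforcement
    if tags.get("sp") == "none":
        blocking.append("sp=none: subdomains fall back to monitoring")

    if "rua" not in tags:
        warnings.append("no rua tag: aggregate reports will not be delivered")

    return not blocking, blocking, warnings


if __name__ == "__main__":
    for rec in (
        "v=DMARC1; p=none; rua=mailto:dmarcreports@domain.com",
        "v=DMARC1; p=quarantine; pct=10; rua=mailto:dmarcreports@domain.com",
        "v=DMARC1; p=reject; pct=100; rua=mailto:dmarcreports@domain.com",
    ):
        ready, blocking, warnings = check_enforcement(rec)
        print(rec)
        print("  VMC-ready:", ready, blocking, warnings)
```

Run it against the live record (for example the output of a TXT lookup for _dmarc.yourdomain.com) whenever you raise pct, so the step from 10% to 100% and from quarantine to reject is verified rather than assumed.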
Preparing Your Domain for VMC
DMARC enforcement is only one part of the VMC requirement. Inbox providers also check the brand identity and BIMI configuration before displaying a logo.
Key requirements include:
- Trademarked brand logo
The logo must be officially registered with a recognized trademark authority.
- Logo in SVG Tiny 1.2 format
The trademarked logo needs to be converted to SVG Tiny 1.2, the format required for BIMI compatibility. The file must be hosted on an HTTPS-accessible server.
- BIMI DNS record
A BIMI TXT record must be published in DNS pointing to the hosted logo and the certificate file.
- Verified Mark Certificate issued by a trusted CA
A certificate authority validates the organization, domain ownership, and trademark registration before issuing the VMC. The certificate is then referenced in the BIMI record.
With these pieces in place, inbox providers can verify the sending domain and safely display the brand logo for authenticated email streams.
Conclusion
Getting a Verified Mark Certificate starts with proper email authentication. SPF defines authorized senders. DKIM signs the message. DMARC enforcement ties those checks together and blocks unauthorized use of the domain.
Once that foundation is in place, the domain is ready for BIMI configuration and VMC issuance, allowing supported inboxes to display the verified brand logo next to authenticated emails.
DMARC enforcement unlocks BIMI and makes your brand eligible for verified logo display in supported inboxes. Deploy a Verified Mark Certificate to turn authenticated emails into recognizable, trusted brand messages.