This article was originally posted on help.salesforce.com. We are sharing the article information here for your convenience.
Note: Salesforce will provide the DMARC DNS records for your domain, but will not install, configure or authenticate DMARC records. If you’d like some help, please contact [email protected]
DMARC, which stands for “Domain-based Message Authentication, Reporting & Conformance”, is an email authentication protocol. It builds on the widely deployed SPF and DKIM protocols, adding a reporting function that allows senders and receivers to protect against and monitor fraudulent use of a domain in email.
DMARC allows domain owners, including ISPs and webmail providers, to publish a “policy” that can restrict where their domain is used.
A DMARC test checks for alignment between:
* the “from” domain and the DKIM signing domain
* the return-path domain and the mail-from address
To pass an overall DMARC test, only one of these options is required, not both. Pardot passes an overall DMARC test because it meets the first option: Pardot has been set up to sign DKIM with your email sending domain.
As long as DKIM is configured for the email sending domain, DMARC will pass. The SPF part of the DMARC test will fail because the domains of the visible mail-from address and the return-path address won’t be aligned on emails sent through Pardot.
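To confirm this on a received test message, the added example below (not part of the original Salesforce article) reads the receiver's Authentication-Results header and applies the either/or alignment rule described above. The sample message, its domains and the two-label organizational-domain shortcut are assumptions; the `mode` parameter goes beyond the article to cover DMARC's relaxed and strict alignment modes.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample (not a real Pardot message); every domain is a placeholder.
SAMPLE = (
    "Return-Path: <bounce-123@bounces.esp.example>\n"
    "Authentication-Results: mx.receiver.example;\n"
    " spf=pass smtp.mailfrom=bounce-123@bounces.esp.example;\n"
    " dkim=pass header.d=example.com\n"
    "From: Marketing <news@example.com>\n"
    "Subject: constructed test\n"
    "\n"
    "body\n"
)

def org_domain(domain):
    # Assumption: the last two labels form the organizational domain.
    # Real receivers consult the Public Suffix List (needed for e.g. co.uk).
    return ".".join(domain.split(".")[-2:])

def aligned(a, b, mode):
    a, b = a.lower().rstrip("."), b.lower().rstrip(".")
    if not a or not b:
        return False
    return a == b if mode == "strict" else org_domain(a) == org_domain(b)

def domain_of(value):
    # Accepts either a full address or a bare domain.
    return value.rsplit("@", 1)[-1].strip("<> ").lower()

def evaluate(raw, mode="relaxed"):
    msg = email.message_from_string(raw)
    from_dom = domain_of(parseaddr(msg.get("From", ""))[1])
    # Unfold the header; smtp.mailfrom is the return-path the receiver checked.
    ar = " ".join(msg.get("Authentication-Results", "").split())
    spf = re.search(r"\bspf=(\w+)[^;]*?smtp\.mailfrom=([^\s;]+)", ar)
    dkims = re.findall(r"\bdkim=(\w+)[^;]*?header\.d=([^\s;]+)", ar)
    spf_ok = (bool(spf) and spf.group(1) == "pass"
              and aligned(domain_of(spf.group(2)), from_dom, mode))
    dkim_ok = any(res == "pass" and aligned(d, from_dom, mode) for res, d in dkims)
    # DMARC needs only one aligned, passing mechanism.
    return {"from": from_dom, "spf_aligned": spf_ok,
            "dkim_aligned": dkim_ok, "dmarc_pass": spf_ok or dkim_ok}

if __name__ == "__main__":
    print(evaluate(SAMPLE))
```

If DKIM signing with the sending domain is missing, or the signature uses a different domain, both checks come back unaligned and `dmarc_pass` is false.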
If your company requires configuration for aligning the return-path address to the mail-from domain, log a Pardot Support case and we will work with our Deliverability Team to supply the DNS records to add to your domain.
Salesforce does not assist with configuring these records on your DNS.
Note that there can be only one return-path header domain setting per account, and it is not variable.
Pardot does not capture or report on DMARC failure notifications.
We recommend that you partner with a vendor that provides DMARC monitoring and reporting, such as Proofpoint or Agari.