Domain security is more critical than ever. Cyber threats are constantly evolving, and businesses must remain vigilant in protecting their online presence. As a leading domain registrar and web hosting company, GoDaddy is committed to helping our customers safeguard their domains against phishing and email spoofing threats.
We are excited to announce our latest initiative: implementing Domain-based Message Authentication, Reporting, and Conformance (DMARC) for all new domains on our platform.
Understanding DMARC: the basics
DMARC is an email authentication protocol designed to protect domain owners' domains from unauthorized use, commonly known as email spoofing. It builds on existing authentication protocols such as SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) to provide a robust mechanism for email validation.
How does DMARC work?
There are 3 key parts to DMARC:
- Policy definition: Domain owners publish a DMARC policy in their DNS records, specifying how they want receiving email servers to handle messages that fail authentication checks. Policies can range from monitoring only (p=none), to quarantining suspicious emails (p=quarantine), to outright rejecting them (p=reject).
- Authentication: When an email is received, the receiving server checks for a DMARC policy and verifies that the message passes either SPF or DKIM authentication while ensuring proper domain alignment.
- Reporting: DMARC provides feedback to domain owners through aggregate and forensic reports, allowing them to monitor email authentication results and adjust their policies as needed.
DMARC prerequisites
For DMARC to function effectively, domains need properly configured SPF and/or DKIM records. With GoDaddy email products, we will ensure that domains have the necessary DNS records in place to support DMARC authentication from day one.
If using third-party email providers, customers should ensure proper SPF and DKIM configuration is completed during product onboarding and setup. Many third-party email providers can automate this configuration using technologies like Domain Connect.
GoDaddy's DMARC initiative
Securing domains from day 1
Starting April 2025, all new domains purchased or transferred into GoDaddy are secured with a default DMARC record in the DNS Zone with quarantine as the initial policy.
Following M3AAWG (Messaging, Malware and Mobile Anti-Abuse Working Group) best practices, this policy instructs receiving email servers to quarantine messages that fail DMARC authentication, typically directing them to spam or junk folders for closer scrutiny, providing security against spoofing threats from day one.
For our existing customers, we're exploring ways to extend these protections to current domains. Stay tuned for more information in the coming months.
Customer choice and education
While DMARC is an important component of domain security, customers retain full control over their DMARC records. Domain owners can modify policies, adjust reporting preferences, or integrate with their preferred monitoring services as their needs evolve.
GoDaddy will continue to improve our resources, including setup guides, best practices documentation, and monitoring tools to help customers understand and optimize their DMARC implementation.
The broader impact: securing the internet
At the start of this effort, analyzing our existing domains under management, we found that DMARC adoption remains limited. Where DMARC records do exist, the majority use a monitoring-only policy, leaving significant opportunity to improve email security through broader implementation of stronger policies.
With millions of domains under management, GoDaddy's DMARC initiative has the potential to make a meaningful contribution to internet-wide email security.
By implementing DMARC across our platform, we are taking a proactive stance against email-based cyber threats and contributing to a safer online environment for everyone.
Conclusion
As cyber threats become more sophisticated, robust security measures like DMARC are essential. At GoDaddy, we're committed to simplifying email authentication, making enterprise-grade security accessible to all domain owners, and protecting domains from malicious activity.
