DMARC monitoring FAQs

What types of domain authentication are available to me? 

Genesys Cloud supports the following domain authentication mechanisms:

  • SPF (Sender Policy Framework) – SPF helps detect spoofing by identifying which mail servers are authorized to send email on behalf of your MAIL FROM domain. Receiving mail systems query the domain’s SPF TXT record to verify that the sending server is permitted to transmit messages for that domain. SPF alone validates only the domain in the MAIL FROM address, which is not visible to recipients.
  • DKIM (DomainKeys Identified Mail) – DKIM adds a digital signature to outbound email messages within the message header. The receiving mail server validates this signature using the public key published in DNS to confirm that the message was authorized by the domain and has not been altered in transit. DKIM alone validates only the domain in the DKIM signature, which is also not visible to recipients.
    Unlike SPF, DKIM remains valid when a message is forwarded, because the signature is embedded in the email header. SPF authentication can fail during forwarding since the forwarding server modifies the message envelope, but DKIM continues to function as long as the message content is unchanged.
  • DMARC (Domain-based Message Authentication, Reporting, and Conformance) – DMARC builds on SPF and DKIM by enforcing domain alignment. It requires that the domain visible in the From address (the address displayed to recipients) aligns with the domain validated by SPF and/or DKIM. DMARC ensures that at least one of these authentication methods aligns with the visible From domain, providing stronger protection against domain spoofing and impersonation. Enforcement happens within your email infrastructure and at receiving mailbox providers, which apply the policy (none, quarantine, or reject) based on the DMARC record published in DNS.

Does DMARC monitoring block or reject email?

No. Genesys Cloud does not quarantine, reject, or block outbound messages based on DMARC. Monitoring provides visibility only. Enforcement occurs at the receiving email provider when a DMARC policy of quarantine or reject is published.

What happens if no DMARC record exists?

Genesys Cloud displays a Not Present status. Email can still be delivered, but mailbox providers can treat unauthenticated messages as suspicious, which can negatively impact deliverability.

What does “Invalid” DMARC status mean?

The DNS record must follow proper DMARC formatting standards to be recognized as valid. An Invalid status indicates:

  • Incorrect record syntax
  • Missing required tags
  • Formatting errors in the DNS TXT record

Does this process apply to custom SMTP or Microsoft Graph?

Genesys Cloud displays DMARC status for awareness when these channels are used. However, authentication behavior and enforcement outcomes occur within that email infrastructure, in which Genesys Cloud is not involved.

Does DMARC monitoring affect inbound email?

No. DMARC monitoring applies only to outbound email domains and does not impact inbound email flows. Genesys Cloud does not act as an SMTP gateway or enforcement point for inbound email authentication.

Does Genesys Cloud create or manage DNS records?

Genesys Cloud reads and reports status. It also provides a correctly formatted DMARC TXT record value that you can use in your DNS records. You are responsible for creating and maintaining SPF, DKIM, and DMARC records with your DNS provider.

Why should I use both DKIM and SPF with DMARC?

For SPF to satisfy DMARC alignment, the domain in the visible From address must match the domain used in the MAIL FROM address (also known as the Return-Path or envelope-from address). This alignment is often not preserved when messages are forwarded, as the forwarding server modifies the envelope. It is also commonly misaligned when sending through third-party bulk email providers, because the Return-Path (MAIL FROM) is typically set to a domain owned by the provider to manage bounces and complaints (for example, via Amazon SES).

For DKIM to satisfy DMARC alignment, the domain specified in the DKIM signature (the d= value) must match the domain in the visible From address.

DMARC requires that at least one of these mechanisms align with the visible From domain. Implementing both SPF and DKIM increases the likelihood of successful DMARC authentication. Using all three mechanisms together provides the strongest protection for your sending domain and improves deliverability.
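
The alignment rules above, worked through for direct, forwarded, and third-party-provider sends. This is an added example, not Genesys Cloud code; the Message fields, function names, and all domains are hypothetical, and domains are compared by exact match only.

```python
# Added example, not Genesys Cloud code: DMARC alignment for sample messages.
# Assumption: domains are compared by exact match (strict alignment). Relaxed
# alignment, the DMARC default, also accepts a shared organizational domain;
# that needs the Public Suffix List and is left out here.
from dataclasses import dataclass
from typing import Optional


@dataclass
class Message:
    header_from: str        # domain in the visible From address
    mail_from: str          # domain in MAIL FROM (Return-Path / envelope-from)
    spf_pass: bool          # sending server authorized by mail_from's SPF record
    dkim_d: Optional[str]   # d= value of the DKIM signature, None if unsigned
    dkim_pass: bool         # signature verified with the public key in DNS


def same_domain(a: str, b: str) -> bool:
    return a.rstrip(".").lower() == b.rstrip(".").lower()


def evaluate(msg: Message) -> dict:
    """Return SPF/DKIM alignment and the resulting DMARC verdict."""
    spf_aligned = msg.spf_pass and same_domain(msg.mail_from, msg.header_from)
    dkim_aligned = bool(msg.dkim_pass and msg.dkim_d
                        and same_domain(msg.dkim_d, msg.header_from))
    verdict = "pass" if (spf_aligned or dkim_aligned) else "fail"
    return {"spf_aligned": spf_aligned, "dkim_aligned": dkim_aligned, "dmarc": verdict}


# Constructed messages; every domain below is a placeholder.
SCENARIOS = {
    "direct send": Message("example.com", "example.com", True, "example.com", True),
    # Forwarder rewrote the envelope, so MAIL FROM no longer matches From.
    "forwarded": Message("example.com", "fwd.example.net", True, "example.com", True),
    # Bulk provider puts its own bounce domain in MAIL FROM but signs as you.
    "provider, your DKIM": Message("example.com", "bounce.provider.example", True,
                                   "example.com", True),
    # SPF and DKIM both pass, yet neither validated domain is the From domain.
    "provider, its DKIM": Message("example.com", "bounce.provider.example", True,
                                  "provider.example", True),
}

if __name__ == "__main__":
    for name, msg in SCENARIOS.items():
        print(f"{name:22} {evaluate(msg)}")
```

The last scenario is the one to watch for when onboarding a bulk sender: both checks report a pass, but DMARC fails because neither validated domain is the visible From domain.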