How to Set Up DMARC: Step-by-Step Guide for 2025

Setting up DMARC correctly is essential for email security and deliverability. This step-by-step guide walks you through the entire process—from prerequisites to verification—so you can implement DMARC with confidence.

If you're not familiar with what DMARC is, start with our beginner's guide to DMARC first.

Prerequisites Before Setting Up DMARC

DMARC depends on SPF and DKIM. Before implementing DMARC, ensure:

  • SPF is configured – You have a valid SPF record listing all authorized senders
  • DKIM is enabled – Your email services are signing emails with DKIM
  • DNS access – You can add TXT records to your domain's DNS
  • Email inventory complete – You know all services sending email for your domain

Important: Google recommends having SPF and DKIM authenticating emails for at least 48 hours before enabling DMARC.

Step 1: Create Your DMARC Record

A DMARC record is a DNS TXT record with specific syntax. Here's the recommended starting record:

v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com

Required Tags

Tag Description Example
v DMARC version (must be first) v=DMARC1
p Policy for domain p=none, p=quarantine, p=reject

Recommended Optional Tags

Tag Description Example
rua Address for aggregate reports rua=mailto:dmarc@yourdomain.com
ruf Address for forensic reports ruf=mailto:forensics@yourdomain.com
pct Percentage of emails to apply policy pct=100 (default)
sp Policy for subdomains sp=reject
adkim DKIM alignment mode adkim=r (relaxed) or adkim=s (strict)
aspf SPF alignment mode aspf=r (relaxed) or aspf=s (strict)

Example Records by Enforcement Level

Monitor Only (Start Here):

v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com; ruf=mailto:dmarc@yourdomain.com

Quarantine (After Monitoring):

v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc@yourdomain.com

Full Enforcement:

v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com; sp=reject

Step 2: Add the DNS Record

DMARC records are published at a specific subdomain: _dmarc.yourdomain.com

General Instructions

  1. Log into your DNS provider (GoDaddy, Cloudflare, Namecheap, etc.)
  2. Navigate to DNS management for your domain
  3. Add a new TXT record
  4. Set the host/name to _dmarc
  5. Set the value to your DMARC record string
  6. Set TTL to 3600 (1 hour) or your provider's default
  7. Save the record

Provider-Specific Notes

Cloudflare: Use _dmarc as the name (Cloudflare adds domain automatically)

GoDaddy: Use _dmarc as the host

Google Domains: Use _dmarc as the host name

Namecheap: Use _dmarc as the host

Step 3: Verify Your DMARC Record

After adding the record, verify it's published correctly:

Using Command Line

dig TXT _dmarc.yourdomain.com

or

nslookup -type=TXT _dmarc.yourdomain.com

Using Online Tools

Free DMARC lookup tools can verify your record:

  • MxToolbox DMARC Lookup
  • EasyDMARC DMARC Checker
  • dmarcian DMARC Inspector

Note: DNS propagation can take up to 48 hours, though it's usually faster.

Step 4: Set Up Report Processing

DMARC reports are sent as XML files and can be difficult to read directly. Options for processing:

Free Tools

  • Postmark DMARC – Free weekly DMARC digest emails
  • dmarcian – Free tier available for basic monitoring
  • DMARC Analyzer – Free tier for small volumes

Paid Services

For larger volumes or advanced features:

  • Valimail
  • Agari
  • EasyDMARC
  • Red Sift OnDMARC

Self-Hosted

Open-source options exist for parsing DMARC reports yourself, but require technical setup.

Step 5: Monitor and Analyze Reports

With p=none, you'll receive reports without affecting email delivery. Monitor for:

Aggregate Reports (RUA)

  • Which IPs are sending email for your domain
  • Pass/fail rates for SPF and DKIM
  • Alignment pass/fail rates
  • Unknown senders that might be legitimate services you forgot

What to Look For

  • Legitimate senders failing – Need SPF/DKIM configuration fixes
  • Unknown IPs sending – Could be unauthorized senders or forgotten services
  • High failure rates – Indicates authentication problems to fix before enforcement

Step 6: Fix Authentication Issues

Common issues revealed by DMARC reports:

SPF Failures

  • Sending service not included in SPF record
  • SPF record exceeds 10 DNS lookup limit
  • Email forwarding breaking SPF

DKIM Failures

  • DKIM not enabled for a sending service
  • Incorrect DKIM DNS record
  • Message modification breaking signatures

Alignment Failures

  • Sending service using their domain instead of yours
  • Need to configure custom domain authentication in the service

Step 7: Gradually Increase Enforcement

Once legitimate senders consistently pass, increase enforcement:

Progression Path

  1. p=none (2-4 weeks minimum)
    • Monitor reports
    • Identify and fix all issues
    • Confirm legitimate senders pass
  2. p=quarantine with pct=10 (1-2 weeks)
    • Only 10% of failing emails go to spam
    • Monitor for delivery complaints
    • Increase pct gradually (25%, 50%, 100%)
  3. p=quarantine with pct=100 (1-2 weeks)
    • All failing emails go to spam
    • Verify no legitimate email is affected
  4. p=reject (final stage)
    • Failing emails are blocked entirely
    • Maximum protection achieved

Common Mistakes to Avoid

Starting with p=reject

Never start with a reject policy. You risk blocking legitimate email before identifying all your sending sources.

Ignoring Subdomains

Without the sp= tag, subdomains inherit the main domain's policy. Attackers often target subdomains. Consider sp=reject for unused subdomains.

Wrong DNS Location

The record must be at _dmarc.yourdomain.com, not just yourdomain.com.

Multiple DMARC Records

Like SPF, you can only have one DMARC record. Multiple records cause failures.

Not Monitoring Reports

Reports are the only way to understand what's happening. Set up processing and review regularly.

Testing Your Setup

After setup, test by sending emails and checking:

  1. Send a test email to Gmail or another provider
  2. View the email headers (in Gmail: three dots → "Show original")
  3. Look for Authentication-Results header
  4. Verify you see dmarc=pass

You should see something like:

Authentication-Results: mx.google.com;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=yourdomain.com;
       spf=pass ...;
       dkim=pass ...

DMARC Record Examples

Basic Monitoring

v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com

Quarantine with Reports

v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com; ruf=mailto:forensics@yourdomain.com; pct=100

Full Enforcement with Subdomain Protection

v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@yourdomain.com; adkim=s; aspf=s

Next Steps

After implementing DMARC:

  • Continue monitoring reports weekly
  • Progress through enforcement levels as confidence grows
  • Consider BIMI (Brand Indicators for Message Identification) once at p=quarantine or p=reject
  • Review and update as you add new email sending services

For more information on email authentication, see our Complete Email Authentication Guide.

📋 Need a printable guide? Get our Email Authentication Checklist to track your implementation progress. Download PDF →

0 comments

Leave a comment

Please note, comments need to be approved before they are published.