Setting up DMARC correctly is essential for email security and deliverability. This step-by-step guide walks you through the entire process—from prerequisites to verification—so you can implement DMARC with confidence.
If you're not familiar with what DMARC is, start with our beginner's guide to DMARC first.
Prerequisites Before Setting Up DMARC
DMARC depends on SPF and DKIM. Before implementing DMARC, ensure:
- SPF is configured – You have a valid SPF record listing all authorized senders
- DKIM is enabled – Your email services are signing emails with DKIM
- DNS access – You can add TXT records to your domain's DNS
- Email inventory complete – You know all services sending email for your domain
Important: Google recommends having SPF and DKIM authenticating emails for at least 48 hours before enabling DMARC.
Step 1: Create Your DMARC Record
A DMARC record is a DNS TXT record with specific syntax. Here's the recommended starting record:
v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com
Required Tags
| Tag | Description | Example |
|---|---|---|
v |
DMARC version (must be first) | v=DMARC1 |
p |
Policy for domain |
p=none, p=quarantine, p=reject
|
Recommended Optional Tags
| Tag | Description | Example |
|---|---|---|
rua |
Address for aggregate reports | rua=mailto:dmarc@yourdomain.com |
ruf |
Address for forensic reports | ruf=mailto:forensics@yourdomain.com |
pct |
Percentage of emails to apply policy |
pct=100 (default) |
sp |
Policy for subdomains | sp=reject |
adkim |
DKIM alignment mode |
adkim=r (relaxed) or adkim=s (strict) |
aspf |
SPF alignment mode |
aspf=r (relaxed) or aspf=s (strict) |
Example Records by Enforcement Level
Monitor Only (Start Here):
v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com; ruf=mailto:dmarc@yourdomain.com
Quarantine (After Monitoring):
v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc@yourdomain.com
Full Enforcement:
v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com; sp=reject
Step 2: Add the DNS Record
DMARC records are published at a specific subdomain: _dmarc.yourdomain.com
General Instructions
- Log into your DNS provider (GoDaddy, Cloudflare, Namecheap, etc.)
- Navigate to DNS management for your domain
- Add a new TXT record
- Set the host/name to
_dmarc - Set the value to your DMARC record string
- Set TTL to 3600 (1 hour) or your provider's default
- Save the record
Provider-Specific Notes
Cloudflare: Use _dmarc as the name (Cloudflare adds domain automatically)
GoDaddy: Use _dmarc as the host
Google Domains: Use _dmarc as the host name
Namecheap: Use _dmarc as the host
Step 3: Verify Your DMARC Record
After adding the record, verify it's published correctly:
Using Command Line
dig TXT _dmarc.yourdomain.com
or
nslookup -type=TXT _dmarc.yourdomain.com
Using Online Tools
Free DMARC lookup tools can verify your record:
- MxToolbox DMARC Lookup
- EasyDMARC DMARC Checker
- dmarcian DMARC Inspector
Note: DNS propagation can take up to 48 hours, though it's usually faster.
Step 4: Set Up Report Processing
DMARC reports are sent as XML files and can be difficult to read directly. Options for processing:
Free Tools
- Postmark DMARC – Free weekly DMARC digest emails
- dmarcian – Free tier available for basic monitoring
- DMARC Analyzer – Free tier for small volumes
Paid Services
For larger volumes or advanced features:
- Valimail
- Agari
- EasyDMARC
- Red Sift OnDMARC
Self-Hosted
Open-source options exist for parsing DMARC reports yourself, but require technical setup.
Step 5: Monitor and Analyze Reports
With p=none, you'll receive reports without affecting email delivery. Monitor for:
Aggregate Reports (RUA)
- Which IPs are sending email for your domain
- Pass/fail rates for SPF and DKIM
- Alignment pass/fail rates
- Unknown senders that might be legitimate services you forgot
What to Look For
- Legitimate senders failing – Need SPF/DKIM configuration fixes
- Unknown IPs sending – Could be unauthorized senders or forgotten services
- High failure rates – Indicates authentication problems to fix before enforcement
Step 6: Fix Authentication Issues
Common issues revealed by DMARC reports:
SPF Failures
- Sending service not included in SPF record
- SPF record exceeds 10 DNS lookup limit
- Email forwarding breaking SPF
DKIM Failures
- DKIM not enabled for a sending service
- Incorrect DKIM DNS record
- Message modification breaking signatures
Alignment Failures
- Sending service using their domain instead of yours
- Need to configure custom domain authentication in the service
Step 7: Gradually Increase Enforcement
Once legitimate senders consistently pass, increase enforcement:
Progression Path
-
p=none (2-4 weeks minimum)
- Monitor reports
- Identify and fix all issues
- Confirm legitimate senders pass
-
p=quarantine with pct=10 (1-2 weeks)
- Only 10% of failing emails go to spam
- Monitor for delivery complaints
- Increase pct gradually (25%, 50%, 100%)
-
p=quarantine with pct=100 (1-2 weeks)
- All failing emails go to spam
- Verify no legitimate email is affected
-
p=reject (final stage)
- Failing emails are blocked entirely
- Maximum protection achieved
Common Mistakes to Avoid
Starting with p=reject
Never start with a reject policy. You risk blocking legitimate email before identifying all your sending sources.
Ignoring Subdomains
Without the sp= tag, subdomains inherit the main domain's policy. Attackers often target subdomains. Consider sp=reject for unused subdomains.
Wrong DNS Location
The record must be at _dmarc.yourdomain.com, not just yourdomain.com.
Multiple DMARC Records
Like SPF, you can only have one DMARC record. Multiple records cause failures.
Not Monitoring Reports
Reports are the only way to understand what's happening. Set up processing and review regularly.
Testing Your Setup
After setup, test by sending emails and checking:
- Send a test email to Gmail or another provider
- View the email headers (in Gmail: three dots → "Show original")
- Look for
Authentication-Resultsheader - Verify you see
dmarc=pass
You should see something like:
Authentication-Results: mx.google.com;
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=yourdomain.com;
spf=pass ...;
dkim=pass ...
DMARC Record Examples
Basic Monitoring
v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com
Quarantine with Reports
v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com; ruf=mailto:forensics@yourdomain.com; pct=100
Full Enforcement with Subdomain Protection
v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@yourdomain.com; adkim=s; aspf=s
Next Steps
After implementing DMARC:
- Continue monitoring reports weekly
- Progress through enforcement levels as confidence grows
- Consider BIMI (Brand Indicators for Message Identification) once at p=quarantine or p=reject
- Review and update as you add new email sending services
For more information on email authentication, see our Complete Email Authentication Guide.
0 comments