How to Set Up DMARC: A Step-by-Step Guide
If you want consistent inbox placement and protection against spoofing, learning how to set up DMARC is essential. DMARC (Domain-based Message Authentication, Reporting and Conformance) ties together your SPF and DKIM records and tells mailbox providers what to do when a message fails authentication. Gmail and Yahoo now expect bulk senders to have it. This guide walks through the whole process, from prerequisites to enforcement, without the jargon.
What DMARC does (in plain terms)
SPF and DKIM each prove a piece of your identity. DMARC adds two things on top:
- Alignment — it checks that the domain a recipient sees (the “From” address) matches the domain that passed SPF or DKIM. This is what stops attackers from spoofing your brand.
- A policy — it tells providers what to do with mail that fails: do nothing, send it to spam, or reject it outright.
- Reporting — it sends you aggregate reports about who is sending mail using your domain.
DMARC only works if SPF and DKIM are already set up. If you haven’t done those yet, read our email authentication guide first.
Before you start: prerequisites
- SPF is published for your sending domain and passes.
- DKIM is published and your email platform signs messages with it.
- You have access to your domain’s DNS (your registrar or DNS host).
- You know every service that sends mail as your domain (your ESP, CRM, helpdesk, invoicing tool, etc.).
That last point matters. DMARC enforcement will block any service that isn’t properly authenticated, so you need a full inventory before you tighten the policy.
Step 1: Decide where reports go
DMARC reports come as XML files. They’re hard to read by hand but invaluable for understanding who’s sending as you. You have two options:
- Send them to a dedicated mailbox you’ll actually check (e.g. dmarc@yourdomain.com).
- Use a DMARC reporting service that parses the XML into a readable dashboard. Many offer a free tier.
Pick a destination before you build the record.
Step 2: Build your DMARC record
A DMARC record is a single TXT entry in DNS. Here’s a safe starting record:
v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com; pct=100; aspf=r; adkim=r
What each tag means:
- v=DMARC1 — the version. Always first, always this value.
- p=none — the policy. none means “monitor only, don’t act.” This is where you start.
- rua=mailto:… — where aggregate reports are sent.
- pct=100 — apply the policy to 100% of mail (relevant once you move past none).
- aspf=r / adkim=r — relaxed alignment for SPF and DKIM. Relaxed is the right default for most senders.
Start with p=none. It changes nothing about how your mail is delivered — it only turns on reporting so you can see what’s happening.
Step 3: Publish the record in DNS
In your DNS host, create a new TXT record:
- Host / Name: _dmarc (so the full record is _dmarc.yourdomain.com)
- Type: TXT
- Value: the record from Step 2
Save it. DNS changes can take anywhere from a few minutes to a day or so to propagate.
Step 4: Verify it’s live
Use any DMARC record checker (several are free) or query DNS directly:
dig TXT _dmarc.yourdomain.com +short
You should see your record returned. If you get nothing, check that the host is exactly _dmarc and that you didn’t accidentally create it under a subdomain.
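As an added example (not part of the original guide), the Python sketch below lints the value that dig returns against the tag rules from Step 2. The function names are illustrative, and it assumes the record fits in a single TXT string and that reports go to mailto: addresses as in this guide.

```python
def parse_dmarc(record):
    """Split a DMARC TXT value into an ordered list of (tag, value) pairs."""
    record = record.strip().strip('"')  # dig +short wraps the value in quotes
    pairs = []
    for part in record.split(";"):
        if part.strip():
            tag, _, value = part.partition("=")
            pairs.append((tag.strip().lower(), value.strip()))
    return pairs


def lint_dmarc(record):
    """Return a list of problems; an empty list means the record looks sane."""
    pairs = parse_dmarc(record)
    tags = dict(pairs)
    problems = []
    if not pairs or pairs[0] != ("v", "DMARC1"):
        problems.append("v=DMARC1 must be the first tag")
    if len(tags) != len(pairs):
        problems.append("a tag appears more than once")
    if tags.get("p", "").lower() not in ("none", "quarantine", "reject"):
        problems.append("p must be none, quarantine or reject")
    pct = tags.get("pct", "100")  # pct defaults to 100 when omitted
    if not (pct.isascii() and pct.isdigit() and int(pct) <= 100):
        problems.append("pct must be an integer from 0 to 100")
    for name in ("aspf", "adkim"):  # alignment defaults to relaxed
        if tags.get(name, "r").lower() not in ("r", "s"):
            problems.append(f"{name} must be r or s")
    rua = tags.get("rua", "")
    if not rua:
        problems.append("no rua: no aggregate reports will be sent")
    elif not all(u.strip().lower().startswith("mailto:") for u in rua.split(",")):
        problems.append("every rua address needs the mailto: prefix")
    return problems


if __name__ == "__main__":
    # The starting record from Step 2, quoted the way dig +short prints it.
    live = '"v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com; pct=100; aspf=r; adkim=r"'
    print(lint_dmarc(live) or "record looks sane")
    # Constructed broken record: wrong tag order and a bare address in rua.
    print(lint_dmarc("p=none; v=DMARC1; rua=dmarc@yourdomain.com"))
```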
Step 5: Read your reports (monitoring phase)
This is the most important — and most skipped — step. Stay in p=none for at least a couple of weeks. Your reports will show every source sending mail using your domain. For each source, check:
- Is it a legitimate service you recognize?
- Is it passing SPF and/or DKIM with alignment?
You’ll usually find a few legitimate services that aren’t authenticated yet (a forgotten invoicing tool, a marketing platform). Fix each one — add it to your SPF record or enable DKIM signing — until all your real senders pass.
You may also see illegitimate sources spoofing your domain. That’s exactly what DMARC enforcement will stop.
Step 6: Move to quarantine
Once all your legitimate mail authenticates cleanly, tighten the policy. Update the record:
v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com; pct=100; aspf=r; adkim=r
p=quarantine tells providers to send failing mail to the spam folder. You can ramp gradually using pct — for example pct=25 applies the policy to a quarter of failing mail, letting you watch for problems before going all in.
Step 7: Move to reject (full enforcement)
After quarantine runs cleanly for a while with no surprises in your reports, go to full enforcement:
v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com; pct=100; aspf=r; adkim=r
p=reject tells providers to refuse failing mail outright. This is the strongest protection against spoofing and the policy that demonstrates the most commitment to authentication. Most mature senders aim to reach p=reject eventually.
Quick checklist
- SPF and DKIM published and passing.
- Reporting destination chosen.
- _dmarc TXT record published with p=none.
- Record verified live in DNS.
- Reports reviewed; all legitimate senders authenticated.
- Moved to p=quarantine, ramped with pct.
- Moved to p=reject once clean.
FAQ
Do I need DMARC if I already have SPF and DKIM?
Yes. SPF and DKIM verify identity, but only DMARC enforces alignment with the visible “From” domain and tells providers what to do with failures. It also gives you reporting, which the other two don’t.
Will setting up DMARC break my email?
Not if you do it properly. Starting at p=none changes nothing about delivery — it only enables reporting. You only risk blocking mail at quarantine or reject, which is why you review reports first.
What’s the difference between strict and relaxed alignment?
Relaxed (r) allows subdomains to align with the organizational domain; strict (s) requires an exact match. Relaxed is the practical default for most senders.
How long should I stay in monitoring mode?
Long enough to see a full picture of your sending sources and confirm they all authenticate — typically a couple of weeks or more, depending on how many services you use.
Next steps
DMARC is one pillar of a healthy sending setup. Pair it with clean lists and steady volume — and if you’re standing up a new domain, read how to warm up a new IP or domain so your reputation grows alongside your authentication. For the complete deliverability picture, see our email deliverability guide.