DMARC Setup Guide
Complete guide to setting up DMARC for your domain, from initial deployment to full enforcement.
What is DMARC?
DMARC (Domain-based Message Authentication, Reporting & Conformance) is an email authentication protocol that builds on SPF and DKIM. It allows domain owners to specify how receivers should handle emails that fail authentication checks.
DMARC Record Syntax
A DMARC record is a TXT record published at _dmarc.yourdomain.com. Here's an example of a complete DMARC record:
v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc@rua.ddmarc.com; ruf=mailto:dmarc@ruf.ddmarc.com; fo=1; adkim=s; aspf=s; pct=100

| Tag | Required | Description | Example |
|---|---|---|---|
| v | Required | Version (always DMARC1) | v=DMARC1 |
| p | Required | Policy for domain | p=reject |
| sp | Optional | Subdomain policy | sp=quarantine |
| rua | Optional | Aggregate report URI | rua=mailto:dmarc@example.com |
| ruf | Optional | Forensic report URI | ruf=mailto:forensic@example.com |
| pct | Optional | Percentage of messages to apply policy | pct=100 |
| adkim | Optional | DKIM alignment mode (r=relaxed, s=strict) | adkim=r |
| aspf | Optional | SPF alignment mode (r=relaxed, s=strict) | aspf=r |
| fo | Optional | Failure reporting options | fo=1 |
| rf | Optional | Report format | rf=afrf |
| ri | Optional | Report interval in seconds | ri=86400 |
DMARC Policies
The policy tag (p=) tells receivers what to do with emails that fail DMARC:
- p=none (Monitor Only): Take no action, just collect reports. Use this to start monitoring without affecting delivery.
- p=quarantine (Quarantine): Mark failing emails as suspicious (usually sent to spam folder). Intermediate step before full enforcement.
- p=reject (Reject): Reject failing emails outright. Maximum protection - unauthorized emails won't be delivered.
Recommended Deployment Path
We recommend a phased approach to DMARC deployment. This minimizes risk while you identify and configure all your legitimate email sources.
Monitor
2-4 weeks
p=none: Deploy DMARC in monitoring mode to collect data without affecting email delivery.
Checklist:
- Publish DMARC record with p=none
- Configure report collection in DDMARC
- Identify all legitimate sending sources
- Document third-party email services
Analyze & Fix
2-4 weeks
p=none: Review reports, configure SPF/DKIM for all senders, and fix alignment issues.
Checklist:
- Review aggregate reports in DDMARC
- Add SPF records for all legitimate senders
- Enable DKIM signing on all email sources
- Fix any alignment issues found in reports
Quarantine
2-4 weeks
p=quarantine: Start filtering suspicious emails while monitoring for false positives.
Checklist:
- Update policy to p=quarantine
- Start with pct=10 and gradually increase
- Monitor quarantine rates and investigate failures
- Review forensic reports for issues
Enforce
Ongoing
p=reject: Full enforcement. Unauthorized emails are rejected completely.
Checklist:
- Upgrade to p=reject
- Remove pct tag (defaults to 100%)
- Configure MTA-STS for transport security
- Enable BIMI for brand recognition
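
Before publishing the record for each phase, it helps to lint it against the tag table and the deployment path above. The following is an added example, not part of the original guide or of DDMARC: the function names and finding texts are hypothetical, and it assumes report URIs use mailto: as in the guide's examples (fo, rf and ri values are not checked).

```python
ENUMS = {"p": {"none", "quarantine", "reject"}, "sp": {"none", "quarantine", "reject"},
         "adkim": {"r", "s"}, "aspf": {"r", "s"}}
KNOWN = set(ENUMS) | {"v", "rua", "ruf", "pct", "fo", "rf", "ri"}
# p=none covers both the Monitor and the Analyze & Fix phases.
PHASES = {"none": "monitor", "quarantine": "quarantine", "reject": "enforce"}


def parse_dmarc(txt):
    """Split 'tag=value; tag=value' into an ordered list of (tag, value) pairs."""
    pairs = []
    for part in txt.split(";"):
        if part.strip():
            tag, _, value = part.partition("=")
            pairs.append((tag.strip().lower(), value.strip()))
    return pairs


def lint_dmarc(txt):
    """Return (phase, findings); phase is None when v or p is missing or invalid."""
    pairs = parse_dmarc(txt)
    tags, findings = dict(pairs), []
    if pairs[:1] != [("v", "DMARC1")]:
        findings.append("record must begin with v=DMARC1")
    if len(tags) != len(pairs):
        findings.append("duplicate tag")
    if "p" not in tags:
        findings.append("missing required tag: p")
    for tag, value in tags.items():
        if tag not in KNOWN:
            findings.append(f"unknown tag: {tag}")
        elif tag in ENUMS and value.lower() not in ENUMS[tag]:
            findings.append(f"invalid value: {tag}={value}")
        elif tag in ("rua", "ruf") and not all(
                u.strip().lower().startswith("mailto:") for u in value.split(",")):
            findings.append(f"{tag} should list mailto: URIs")
    pct = tags.get("pct", "100")  # pct defaults to 100 when absent
    if not (pct.isascii() and pct.isdigit() and int(pct) <= 100):
        findings.append(f"invalid value: pct={pct}")
        pct = "100"
    if "rua" not in tags:
        findings.append("no rua: aggregate reports will not be collected")
    p = tags.get("p", "").lower()
    if p not in PHASES or pairs[:1] != [("v", "DMARC1")]:
        return None, findings
    if p == "reject" and int(pct) < 100:
        findings.append("pct below 100 with p=reject: not yet full enforcement")
    return PHASES[p], findings


if __name__ == "__main__":  # constructed sample record
    print(lint_dmarc("v=DMARC1; p=quarantine; pct=10; rua=mailto:dmarc@example.com"))
```

An empty findings list together with the expected phase name means the record matches the step you are about to deploy.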
Common Issues
- Third-party senders: Marketing platforms, CRMs, and other services need SPF/DKIM configured
- Email forwarding: Forwarded emails may break SPF - use ARC to preserve authentication
- Subdomain policy: Don't forget to set sp= for subdomains