How to Set Up DMARC: A Step-by-Step Guide

Learn how to set up DMARC for your domain with this step-by-step guide. Covers prerequisites, record syntax, DNS setup, and reporting.

Last updated: 2026-01-28

Setting up DMARC is one of the most impactful things you can do for your domain's email security, and it takes less time than most people expect. This guide walks you through the entire process, from checking your prerequisites to adding the DNS record and receiving your first reports.

If you are not sure what DMARC is or why you need it, start with our guide on what DMARC is and come back here when you are ready to set it up.

Before You Start: The Prerequisites Checklist

DMARC builds on two other email authentication protocols. If they are not in place, your DMARC record will not do much. Before creating your DMARC record, confirm the following:

SPF is published and correct. Your domain needs a valid SPF record that lists every server and service authorized to send email on your behalf. This includes your email provider (Google Workspace, Microsoft 365, etc.), your marketing platform (Mailchimp, HubSpot, etc.), and any transactional email service (SendGrid, Postmark, etc.). If you use Google Workspace, see our DMARC for Google Workspace guide for platform-specific steps. Microsoft 365 users can follow our DMARC for Microsoft 365 walkthrough. If you do not have SPF set up yet, head to spfcreator.com to create one.

DKIM is configured and signing. At least one of your email sending sources should be signing messages with DKIM. Most email providers offer DKIM signing, but you often need to enable it manually and publish the DKIM public key in your DNS. You can generate DKIM records at dkimcreator.com.

If you skip SPF or DKIM setup and go straight to a DMARC enforcement policy, your own legitimate email may start getting rejected. Always verify both are working before moving beyond p=none.

You have access to your DNS. You will need to add a TXT record to your domain's DNS. This is usually done through your domain registrar (GoDaddy, Namecheap, Cloudflare, etc.) or wherever your DNS is hosted. Make sure you have login credentials and know where to find DNS record management.

You have a mailbox for reports. DMARC aggregate reports are sent as XML files to whatever email address you specify. You can use your regular email, a shared inbox, or a dedicated address like dmarc-reports@yourcompany.com. The reports can be high volume for busy domains, so a dedicated address helps keep things organized.

Understanding DMARC Record Syntax

A DMARC record is a DNS TXT record with a specific format. Here is a complete example with the most common tags:

v=DMARC1; p=none; rua=mailto:dmarc-reports@yourcompany.com; ruf=mailto:dmarc-forensic@yourcompany.com; pct=100; adkim=r; aspf=r;

Here is what each tag means:

v=DMARC1 -- The version identifier. This is always DMARC1 and must be the first tag in the record.

p= (policy) -- Tells receiving servers what to do with messages that fail DMARC:

  • none -- Take no action, just send reports. This is your starting point.
  • quarantine -- Send failing messages to spam/junk.
  • reject -- Block failing messages entirely.

rua= (aggregate reports) -- The email address where you want to receive daily aggregate reports. These show you which IP addresses are sending email using your domain and whether those messages are passing or failing SPF, DKIM, and DMARC.

ruf= (forensic reports) -- The email address for forensic (failure) reports. These contain details about individual messages that fail DMARC. Not all mail providers send forensic reports, and they can contain message content, so some organizations skip this tag.

pct= (percentage) -- What percentage of failing messages the policy applies to. Set to 100 when using p=none. When you eventually move to quarantine or reject, you can start with a lower number like 10 or 25 to phase in enforcement gradually.

adkim= and aspf= (alignment mode) -- Control how strictly the DKIM and SPF domains must match the "From" domain. r means relaxed (subdomains count as a match), s means strict (exact match only). Relaxed is the default and works for most setups.

Step by Step: Adding Your DMARC Record

With your prerequisites confirmed and your record ready, here is how to add it to your DNS.

1. Generate your DMARC record

Use the generator above to build your record, or construct it manually. For your first DMARC record, we recommend starting with: v=DMARC1; p=none; rua=mailto:dmarc-reports@yourcompany.com; pct=100;. This collects reports without affecting email delivery, giving you time to review what is happening before enforcing anything.

2. Log in to your DNS provider

Go to wherever your domain's DNS is managed. This might be your domain registrar (GoDaddy, Namecheap, Google Domains) or a DNS service like Cloudflare or Route 53. Navigate to the DNS records section for your domain.

3. Create a new TXT record

Add a new DNS record with these settings: Type set to TXT, Name/Host set to _dmarc (some providers will want _dmarc.yourcompany.com -- check how your provider handles subdomains), and Value/Content set to your full DMARC record string. Leave the TTL at the default, or set it to 3600 (one hour).

4. Save and wait for propagation

Save the record. DNS changes can take anywhere from a few minutes to 48 hours to propagate, though most providers update within 15 to 30 minutes. You can check whether your record is live by looking it up at dmarcrecordchecker.com.

5. Verify your record is valid

Once the record has propagated, verify it is correctly formatted and being returned by DNS. Common mistakes include typos in the record value, using the wrong subdomain name (it must be _dmarc), and accidentally creating two DMARC records for the same domain. Your domain should have exactly one DMARC TXT record.
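
The checks from this step and from the syntax section above can be scripted. This is an added example, not part of the original guide: it assumes you have already fetched the TXT values at _dmarc.yourcompany.com (for instance with dig), and the function names and sample inputs are constructed for illustration.

```python
POLICIES = {"none", "quarantine", "reject"}

def parse_tags(record):
    """Split 'tag=value; tag=value;' into an ordered list of (tag, value) pairs."""
    pairs = []
    for part in record.split(";"):
        if part.strip():  # a trailing ';' leaves an empty part
            tag, _, value = part.partition("=")
            pairs.append((tag.strip(), value.strip()))
    return pairs

def check_dmarc(txt_values):
    """Return a list of problems for the TXT values found at _dmarc.<domain>."""
    candidates = [v for v in txt_values if "dmarc1" in v.lower()]
    if not candidates:
        return ["no DMARC record found"]
    problems = []
    if len(candidates) > 1:
        problems.append(f"{len(candidates)} DMARC records found; there must be exactly one")
    for record in candidates:
        tags = parse_tags(record)
        if tags[0] != ("v", "DMARC1"):
            problems.append("v=DMARC1 must be the first tag")
        values = dict(tags)
        if values.get("p", "").lower() not in POLICIES:
            problems.append(f"p={values.get('p')!r} is not none, quarantine or reject")
        pct = values.get("pct", "100")  # pct defaults to 100 when absent
        if not pct.isdecimal() or int(pct) > 100:
            problems.append(f"pct={pct!r} is not a whole number from 0 to 100")
        for tag in ("adkim", "aspf"):  # alignment defaults to relaxed
            if values.get(tag, "r") not in ("r", "s"):
                problems.append(f"{tag}={values[tag]!r} must be r or s")
        for tag in ("rua", "ruf"):  # comma-separated list of report addresses
            for uri in filter(None, (u.strip() for u in values.get(tag, "").split(","))):
                if not uri.lower().startswith("mailto:") or "@" not in uri:
                    problems.append(f"{tag} entry {uri!r} is not a mailto: address")
    return problems

if __name__ == "__main__":
    # Constructed input: a typo in p, an out-of-range pct, and rua missing "mailto:".
    for line in check_dmarc(["v=DMARC1; p=qurantine; pct=150; rua=dmarc-reports@yourcompany.com"]):
        print(line)
```

An empty list means the record passed every check; anything else names the tag to fix before you rely on the record.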

Setting Up Report Receiving

Once your DMARC record is live with a rua tag, mail servers will start sending you aggregate reports. Here is what to expect and how to handle them.

Reports arrive as XML. Major mail providers like Google, Yahoo, Microsoft, and others send daily aggregate reports as XML files (usually gzip compressed) to the address in your rua tag. Each report covers a 24-hour period and shows every IP address that sent email using your domain, how many messages each sent, and whether those messages passed or failed SPF, DKIM, and DMARC.

Volume depends on your email traffic. A small business might get a handful of reports per day. A domain used for high-volume marketing could receive dozens. This is why a dedicated mailbox is helpful.

Interpreting raw XML is tedious. The reports are machine-readable but not exactly human-friendly. You are looking for two things: first, make sure all your legitimate sending sources (your email provider, marketing tools, etc.) are passing DMARC. Second, watch for unauthorized sources sending email as your domain.

Review reports for at least two weeks

Before moving beyond p=none, collect reports for at least two weeks. This gives you enough data to identify all your legitimate email sources and make sure they are passing authentication. Rushing to enforcement is the most common DMARC mistake.

Choosing Your Policy and Moving Toward Enforcement

Your DMARC journey follows a clear path: start at p=none, move to p=quarantine, and eventually reach p=reject. Here is how to think about each stage.

Start with p=none. This is purely observational. No email gets blocked or quarantined. You are simply collecting data about who is sending email as your domain. Stay here until your reports show that all your legitimate sources are consistently passing DMARC.

Move to p=quarantine with a low percentage. Once you are confident, update your record to p=quarantine; pct=10;. This sends 10% of failing messages to spam. Monitor your reports and gradually increase the percentage. If you notice legitimate email getting quarantined, fix the authentication issue for that source before continuing. For a detailed look at how quarantine and reject differ in practice, see our quarantine vs reject comparison.

Graduate to p=reject. When you are comfortable that everything is properly authenticated, move to p=reject. This is the strongest protection, as it tells receiving servers to outright reject messages that fail DMARC. Start with a lower percentage and ramp up to pct=100.

For a deeper dive into policy options and what each one means in practice, see our guide on DMARC policy levels.

The entire process from p=none to p=reject typically takes four to eight weeks for a small to medium business. Larger organizations with many email sending services may need longer. The key is to not rush. Every time you tighten your policy, verify with reports that nothing legitimate is breaking.

Monitor Your New DMARC Record

You've created your DMARC record — now make sure it keeps working. The Email Deliverability Suite watches your SPF, DKIM, DMARC, and MX records daily and alerts you when something breaks.
