DMARC (Domain-based Message Authentication) Setup Guide

Configure DMARC to protect your domain from email spoofing and gain visibility into email authentication failures.

What is DMARC?

DMARC (Domain-based Message Authentication, Reporting & Conformance) is an email authentication protocol that builds on SPF and DKIM. It allows domain owners to specify how receiving servers should handle emails that fail authentication checks and provides reporting on email authentication activity.

DMARC provides critical protection against:

  • Email spoofing and phishing attacks using your domain
  • Brand impersonation and fraud
  • Unauthorized use of your domain for spam
  • Loss of customer trust from domain abuse

How DMARC Works

Step 1: Email Received

Receiving server gets an email claiming to be from your domain

Step 2: Authentication Checks

Server performs SPF and DKIM checks on the email

Step 3: Alignment Check

DMARC verifies domain alignment between From header and SPF/DKIM domains

Step 4: Policy Applied

Server follows your DMARC policy (none, quarantine, or reject)

Step 5: Report Sent

Server sends DMARC reports to your specified email addresses

DMARC Alignment

For DMARC to pass, the domain in the From header must align with either the SPF or DKIM domain (or both). There are two types of alignment:

SPF Alignment

The domain in the From header must match the domain that passed SPF, i.e. the Return-Path (envelope sender) domain.

Example: From: sender@example.com must match Return-Path: bounce@example.com

DKIM Alignment

The domain in the From header must match the domain in the DKIM signature (d= tag).

Example: From: sender@example.com must match DKIM d=example.com

DMARC Policies

DMARC policies tell receiving servers what to do with emails that fail authentication:

p=none (Monitor Mode)

No action taken on failed emails. Use this to collect data and identify issues before enforcing. Recommended for initial setup.

p=quarantine (Quarantine Mode)

Failed emails are sent to spam/junk folder. Good middle ground providing protection while minimizing risk of false positives.

p=reject (Reject Mode)

Failed emails are rejected outright. Strongest protection but requires careful testing to avoid blocking legitimate email.

DMARC Record Tags

A DMARC record is a TXT record at _dmarc.yourdomain.com with these tags:

v=DMARC1

Version identifier (required, must be first tag)

p=none|quarantine|reject

Policy for domain (required)

sp=none|quarantine|reject

Policy for subdomains (optional, defaults to p= value)

rua=mailto:dmarc@example.com

Email address for aggregate reports (daily summaries)

ruf=mailto:forensic@example.com

Email address for forensic reports (individual failure details)

pct=100

Percentage of messages to apply policy to (0-100, default 100)

adkim=r|s

DKIM alignment mode: r=relaxed (default), s=strict

aspf=r|s

SPF alignment mode: r=relaxed (default), s=strict

Example DMARC Records

Initial Setup (Monitor Only)

v=DMARC1; p=none; rua=mailto:dmarc@example.com

Start here to collect data without affecting mail flow

Intermediate Protection

v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@example.com; ruf=mailto:forensic@example.com

Quarantine 50% of failed messages while monitoring

Full Protection

v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s

Maximum protection with strict alignment for domain and subdomains
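The following is an added example, not part of the original guide: a small parser and sanity checker for DMARC TXT records like the three above, covering the tag rules listed in the previous section (v= first, p= required, pct range, mailto: report URIs). The records it checks are constructed for illustration.

```python
# Added example (not from the original guide): parse and sanity-check a DMARC
# TXT record such as the three above. Tag rules follow RFC 7489; the
# records and addresses used here are constructed for illustration.
import re

POLICIES = {"none", "quarantine", "reject"}

def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict of lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        name, value = part.split("=", 1)
        tags[name.strip().lower()] = value.strip()
    return tags

def validate_dmarc(record: str) -> list:
    """Return a list of problems; an empty list means the record looks sane."""
    problems = []
    tags = parse_dmarc(record)
    if not record.strip().upper().startswith("V=DMARC1"):
        problems.append("v=DMARC1 must be the first tag")
    if tags.get("p") not in POLICIES:
        problems.append("p= is required and must be none, quarantine or reject")
    if "sp" in tags and tags["sp"] not in POLICIES:
        problems.append("sp= must be none, quarantine or reject")
    for mode in ("adkim", "aspf"):
        if mode in tags and tags[mode] not in ("r", "s"):
            problems.append(f"{mode}= must be r or s")
    if "pct" in tags and not (tags["pct"].isdigit() and 0 <= int(tags["pct"]) <= 100):
        problems.append("pct= must be an integer from 0 to 100")
    for uri_tag in ("rua", "ruf"):
        for uri in tags.get(uri_tag, "").split(","):
            uri = uri.strip()
            if uri and not re.fullmatch(r"mailto:[^@\s]+@[^@\s]+", uri):
                problems.append(f"{uri_tag}= entry is not a mailto: URI: {uri}")
    if tags.get("p") == "reject" and "rua" not in tags:
        problems.append("p=reject without rua= gives no visibility into rejections")
    return problems

if __name__ == "__main__":
    # Constructed bad record: wrong tag order, pct out of range, rua not mailto:
    print(validate_dmarc("p=quarantine; v=DMARC1; pct=150; rua=dmarc@example.com"))
    print(validate_dmarc("v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s"))
```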

Prerequisites: SPF and DKIM Required

DMARC cannot work without SPF and DKIM. Before implementing DMARC, ensure you have:

  • Valid SPF record published in DNS
  • DKIM signing enabled and working
  • Domain alignment configured properly

Use our authentication checker at /run to verify SPF and DKIM before setting up DMARC.

Step-by-Step DMARC Setup

1. Verify SPF and DKIM

Ensure both SPF and DKIM are properly configured and passing. Send test emails and check authentication results before proceeding.

2. Set Up DMARC Reporting Email

Create a dedicated email address for DMARC reports (e.g., dmarc@yourdomain.com). These reports can be voluminous, especially for large domains.

3. Create Initial DMARC Record

Start with a monitor-only policy:

v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com

4. Add DNS Record

Create a TXT record in your DNS:

  • Host/Name: _dmarc
  • Type: TXT
  • Value: Your DMARC record
  • TTL: 3600

5. Monitor Reports (1-2 Weeks)

Wait for aggregate reports to arrive. Analyze them to identify:

  • All legitimate email sources for your domain
  • Any SPF or DKIM failures from authorized senders
  • Unauthorized use of your domain

6. Fix Any Issues

Based on the reports, update your SPF and DKIM configurations to ensure all legitimate email sources are properly authenticated.

7. Gradually Enforce Policy

Move to enforcement in stages:

  • Start: p=quarantine; pct=10 (quarantine 10%)
  • After 1 week: p=quarantine; pct=50
  • After 2 weeks: p=quarantine; pct=100
  • Final: p=reject (when confident)

8. Ongoing Monitoring

Continue reviewing DMARC reports regularly to identify new email sources or potential security threats.
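To support step 5 (analysing aggregate reports), here is an added example that is not part of the original guide: it parses a DMARC aggregate (rua) report in the XML format receivers send and lists the sending IPs that would be affected once the policy is enforced. The report, reporter name, IPs and counts are constructed for illustration.

```python
# Added example (not from the original guide): summarise a DMARC aggregate (rua)
# report, the XML that receivers send, to support step 5 above. The report is
# constructed: the reporter name, IPs and counts are made up for illustration.
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>receiver.example</org_name><report_id>42</report_id>
    <date_range><begin>0</begin><end>86399</end></date_range></report_metadata>
  <policy_published><domain>example.com</domain><p>none</p><pct>100</pct></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf></auth_results></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>15</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>other.example</domain><result>fail</result></spf></auth_results></record>
</feedback>"""

def summarize(report_xml: str) -> list:
    """One dict per <record>: source IP, message count and whether DMARC passed.
    policy_evaluated/dkim and /spf are the *aligned* results, so DMARC passes
    when either of them is 'pass'."""
    root = ET.fromstring(report_xml)
    rows = []
    for rec in root.iter("record"):
        evaluated = rec.find("row/policy_evaluated")
        dkim = evaluated.findtext("dkim", "fail")
        spf = evaluated.findtext("spf", "fail")
        rows.append({
            "source_ip": rec.findtext("row/source_ip"),
            "count": int(rec.findtext("row/count")),
            "disposition": evaluated.findtext("disposition"),
            "dmarc_pass": "pass" in (dkim, spf),
            # Raw (unaligned) identifiers help map an IP to a sending service.
            "spf_domain": rec.findtext("auth_results/spf/domain"),
            "dkim_domain": rec.findtext("auth_results/dkim/domain"),
        })
    return rows

def failing_sources(report_xml: str) -> list:
    """(ip, count) for sources that would be affected once p=quarantine/reject is enforced."""
    return [(r["source_ip"], r["count"]) for r in summarize(report_xml) if not r["dmarc_pass"]]

if __name__ == "__main__":
    print("needs attention before enforcing:", failing_sources(SAMPLE_REPORT))
```

Sources that show up here with DMARC failures are either authorized senders whose SPF/DKIM needs fixing (step 6) or unauthorized use of the domain.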

Common Issues and Solutions

DMARC Failing Despite SPF/DKIM Pass

Check domain alignment. The From header domain must match the domain in SPF (Return-Path) or the DKIM signature (d=). Subdomains do not align in strict mode (adkim=s / aspf=s); only relaxed mode (r) accepts a subdomain of the same organizational domain.
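The following is an added example, not part of the original guide, that implements the alignment rules from the "DMARC Alignment" section and reproduces the symptom described above: SPF and DKIM both pass, yet DMARC fails because the record uses strict alignment. It assumes a simplified organizational-domain rule (last two labels) instead of the Public Suffix List that real validators consult.

```python
# Added example (not from the original guide): compute the DMARC verdict for one
# message from its From-header domain, the SPF-authenticated Return-Path domain,
# the DKIM d= domain and the aspf/adkim modes. The organizational domain is
# approximated as the last two labels; real validators use the Public Suffix
# List, so treat org_domain() as a simplification (assumption).

def org_domain(domain: str) -> str:
    """Approximate organizational domain: last two labels (assumption)."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])

def aligned(from_domain: str, auth_domain, mode: str) -> bool:
    """Strict (s) needs an exact match; relaxed (r) accepts the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_result(from_domain, spf_domain=None, spf_pass=False,
                 dkim_domain=None, dkim_pass=False, aspf="r", adkim="r"):
    """Return (passed, reasons): DMARC passes when SPF or DKIM both passes and aligns."""
    reasons = []
    spf_ok = spf_pass and aligned(from_domain, spf_domain, aspf)
    dkim_ok = dkim_pass and aligned(from_domain, dkim_domain, adkim)
    if spf_pass and not spf_ok:
        reasons.append(f"SPF passed for {spf_domain} but does not align (aspf={aspf})")
    if dkim_pass and not dkim_ok:
        reasons.append(f"DKIM passed for d={dkim_domain} but does not align (adkim={adkim})")
    if not spf_pass and not dkim_pass:
        reasons.append("neither SPF nor DKIM passed")
    return spf_ok or dkim_ok, reasons

if __name__ == "__main__":
    # Constructed case behind "DMARC failing despite SPF/DKIM pass": Return-Path on
    # bounce.example.com and DKIM d=mail.example.com both pass, but the record
    # sets aspf=s; adkim=s, so neither identifier aligns with From: example.com.
    print(dmarc_result("example.com", "bounce.example.com", True,
                       "mail.example.com", True, aspf="s", adkim="s"))
    # With the default relaxed modes the same message passes.
    print(dmarc_result("example.com", "bounce.example.com", True,
                       "mail.example.com", True))
```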

No DMARC Reports Received

Reports can take 24-48 hours to arrive. Verify the rua= email address is correct and can receive mail. Some providers only send reports if there's significant volume.

Forwarded Email Failures

Email forwarding often breaks SPF. Ensure DKIM is properly configured as it survives forwarding. Consider using pct=100 with p=quarantine rather than p=reject.

Mailing List Problems

Mailing lists often modify messages, breaking DKIM. Work with list operators to ensure they support DMARC, or use relaxed alignment mode (adkim=r).

Next Steps

You've completed DMARC setup! Continue improving your email deliverability:

  • Test Your Setup
  • Monitor Blocklists