How to Set Up DMARC: Step-by-Step Configuration Guide
DMARC (Domain-based Message Authentication, Reporting & Conformance) is the policy layer that ties SPF and DKIM together. It tells receiving mail servers what to do when an email claiming to be from your domain fails authentication checks, and it gives you visibility into who is sending email on your behalf. In 2026, major mailbox providers including Google and Yahoo require a DMARC record for bulk senders, making it a non-negotiable part of email security.
Check your current DMARC setup
Use our free DMARC Checker to see whether your domain already has a DMARC record and whether it is configured correctly.
Step 1: Ensure SPF and DKIM Are in Place
DMARC builds on SPF and DKIM. Before publishing a DMARC record, confirm both protocols are configured for your domain. Use the SPF Checker and DKIM Checker to validate them. At minimum, one of the two must pass with domain alignment for DMARC to succeed.
Step 2: Build Your DMARC Record
A DMARC record is a DNS TXT record published at _dmarc.yourdomain.com. It consists of tag-value pairs separated by semicolons. Here is a breakdown of every tag:
v=DMARC1 — Required. Identifies the record as DMARC version 1.
p=none|quarantine|reject — Required. The policy to apply when a message fails DMARC. none monitors only, quarantine sends failures to spam, and reject blocks them entirely.
rua=mailto:reports@yourdomain.com — The address where aggregate reports are sent. These XML reports show which IPs are sending mail as your domain and whether they pass or fail.
ruf=mailto:forensics@yourdomain.com — The address for forensic (failure) reports. These contain details about individual failed messages. Not all providers send them.
pct=100 — The percentage of failing messages the policy applies to. Defaults to 100. Useful for gradual rollout.
adkim=r|s — DKIM alignment mode. r (relaxed) allows subdomains; s (strict) requires an exact match.
aspf=r|s — SPF alignment mode. Same as above for SPF.
Step 3: Start with Monitoring (p=none)
Never jump straight to p=reject. Begin with a monitoring policy so you can collect data without affecting mail delivery:
v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com;
Publish this as a TXT record with the host _dmarc. Over the next two to four weeks, review the aggregate reports to identify all legitimate sending sources. If any are missing from your SPF or DKIM configuration, add them before moving on.
Step 4: Move to Quarantine, Then Reject
Once aggregate reports confirm all legitimate mail passes, tighten the policy. First, move to quarantine with a partial rollout:
v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc-reports@yourdomain.com;
Gradually increase pct to 100, then switch to the strictest policy:
v=DMARC1; p=reject; rua=mailto:dmarc-reports@yourdomain.com; adkim=s; aspf=s;
Step 5: Verify Your DMARC Record
After every change, run the DMARC Checker to confirm the record is syntactically valid, the policy is what you intended, and the reporting addresses are reachable. Check the DMARC glossary entry if you need a refresher on any tag.
Frequently Asked Questions
Do I need SPF and DKIM before setting up DMARC?
Yes. DMARC relies on SPF and DKIM for authentication. At least one of them must pass and be aligned with the From domain for DMARC to pass. Ideally, set up both SPF and DKIM before publishing a DMARC record.
What does p=none actually do?
The p=none policy tells receiving servers to take no action on messages that fail DMARC. It is a monitoring-only mode that lets you collect aggregate reports and identify all legitimate senders before enforcing a stricter policy.
How long should I stay on p=none before moving to p=reject?
Most organizations stay on p=none for two to four weeks while reviewing aggregate reports. Once you are confident that all legitimate mail passes DMARC, move to p=quarantine for another one to two weeks, then advance to p=reject.