Prerequisites
Before setting up DMARC, make sure you have:
- SPF already configured (Article 92)
- DKIM already configured (Article 91)
- DNS access for your domain
Step 1: Create a DMARC Record
A DMARC record is a TXT record at _dmarc.yourdomain.com.
Basic DMARC policy (monitor only – recommended to start):
v=DMARC1; p=none; rua=mailto:dmarc-reports@example.comPolicy options:
- p=none – Monitor only (no action)
- p=quarantine – Mark suspicious email as spam
- p=reject – Reject unauthenticated email (strict)
Step 2: Advanced DMARC Record Example
v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.com; ruf=mailto:forensic@example.com; adkim=s; aspf=sParameters explained:
- pct=100 – Apply to 100% of emails
- rua – Aggregate report URI
- ruf – Forensic report URI
- adkim=s – Strict DKIM alignment
- aspf=s – Strict SPF alignment
Step 3: Add DMARC Record to DNS
Create a TXT record with:
- Name: _dmarc.example.com
- Value: v=DMARC1; p=none; rua=mailto:reports@example.com
- TTL: 3600
Step 4: Verify DMARC Record
dig txt _dmarc.example.com +shortStep 5: Monitor DMARC Reports
After a few days, you will receive XML reports at the specified rua email address. Use a DMARC report analyzer (e.g., dmarcian, Postmark DMARC tool) to interpret them.
Step 6: Gradually Enforce DMARC
Recommended progression:
- Start with
p=nonefor 2-4 weeks - Review reports to identify legitimate senders
- Move to
p=quarantinefor another 2 weeks - Finally set
p=reject
✅ DMARC configured. Your domain now has email authentication policies.