DMARC Setup Step-by-Step
A practical walkthrough from zero to enforced DMARC — DNS records, report reading, and the policy upgrades that stop domain impersonation.
DMARC is the policy layer that tells receiving mail servers what to do when SPF or DKIM fails — and it is the only step that actually stops scammers from sending mail that looks like it came from you. This guide is a focused, step-by-step rollout from no DMARC at all to an enforced p=reject policy, without the deliverability surprises that come from skipping the monitoring phase.
Before you publish DMARC
DMARC does not work in isolation. SPF must list every server allowed to send for your domain, and DKIM must be signing outbound mail with a public key in DNS. If either is missing, DMARC reports will show failures that are your configuration gaps, not attacks. Fix SPF and DKIM first, then add DMARC on top.
1. Publish a complete SPF TXT record ending in `-all` once every legitimate sender is included.
2. Enable DKIM in your mail provider and add the selector records to DNS.
3. Confirm test mail passes SPF and DKIM alignment for your From domain.
Step 1: Create the reporting address
DMARC sends aggregate reports to the address in rua. Create [email protected] (or a dedicated inbox) before publishing the record — otherwise reports bounce and you fly blind.
Step 2: Publish monitor-only DMARC
```
v=DMARC1; p=none; rua=mailto:[email protected]; pct=100; adkim=s; aspf=s
```
p=none means receivers take no action on failures — they only report. adkim=s and aspf=s require strict alignment, which is what you want before tightening policy. Leave this in place for two to four weeks while you read reports.
Step 3: Read the aggregate reports
Reports arrive as XML attachments summarising which sources sent mail for your domain and whether SPF and DKIM passed. Look for unexpected sending IPs — they are either services you forgot to authorise or impersonation attempts. Every legitimate source must pass before you move to quarantine or reject.
A message can pass SPF for the envelope domain but fail DMARC if the visible From domain does not align. Strict mode (s) catches that mismatch.
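Reading the XML by hand gets old after the second report. The script below is an added example (not code from the original page): it parses an aggregate report in the RFC 7489 Appendix C format, recomputes alignment from the raw SPF and DKIM domains using the `adkim`/`aspf` modes the receiver saw, and sorts each source IP into a verdict. `SAMPLE_REPORT` is a constructed report and `KNOWN_NETWORKS` is an assumed list of your own outbound servers; the vendor record shows exactly the case above, where SPF passes for the envelope domain but DMARC fails because the From domain does not align under strict mode.

```python
"""Read a DMARC aggregate (rua) report and sort sending sources into verdicts.
Added example, not the page's code. SAMPLE_REPORT is constructed; KNOWN_NETWORKS
is an assumption standing in for the domain owner's own mail servers."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
 <report_metadata><org_name>receiver.invalid</org_name><report_id>constructed-1</report_id></report_metadata>
 <policy_published><domain>example.com</domain><adkim>s</adkim><aspf>s</aspf><p>none</p><pct>100</pct></policy_published>
 <record><!-- your own server: both mechanisms pass and align -->
  <row><source_ip>192.0.2.10</source_ip><count>120</count>
   <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
   <spf><domain>example.com</domain><result>pass</result></spf></auth_results></record>
 <record><!-- a vendor: SPF passes for its own envelope domain but does not align -->
  <row><source_ip>198.51.100.7</source_ip><count>15</count>
   <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><spf><domain>bounce.vendor.example</domain><result>pass</result></spf></auth_results></record>
 <record><!-- unknown source: nothing authenticates -->
  <row><source_ip>203.0.113.99</source_ip><count>40</count>
   <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><spf><domain>example.com</domain><result>fail</result></spf></auth_results></record>
</feedback>"""

KNOWN_NETWORKS = [ip_network("192.0.2.0/24")]  # assumption: your own outbound servers


@dataclass
class SourceSummary:
    source_ip: str
    count: int
    spf_aligned: bool    # SPF passed and its domain aligns with the header From
    dkim_aligned: bool   # a DKIM signature passed and its d= aligns with the header From
    raw_auth_pass: bool  # SPF or DKIM passed for some domain, aligned or not
    known: bool          # source IP falls inside KNOWN_NETWORKS

    @property
    def dmarc_pass(self) -> bool:
        # DMARC passes when either mechanism passes *and* aligns.
        return self.spf_aligned or self.dkim_aligned

    @property
    def verdict(self) -> str:
        if self.dmarc_pass:
            return "pass"
        if self.known:
            return "own-server-misconfigured"  # fix SPF/DKIM before tightening p=
        if self.raw_auth_pass:
            return "unaligned-third-party"     # a real service sending as you without alignment
        return "unauthenticated-source"        # forgotten sender or impersonation attempt


def is_aligned(auth_domain: str, header_from: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match; relaxed ('r') needs
    the same organisational domain, approximated here by a suffix test."""
    a, h = auth_domain.lower().rstrip("."), header_from.lower().rstrip(".")
    if not a or not h:
        return False
    if mode == "s":
        return a == h
    return a == h or a.endswith("." + h) or h.endswith("." + a)


def _text(elem, path: str, default: str = "") -> str:
    node = elem.find(path)
    return node.text.strip() if node is not None and node.text else default


def parse_report(xml_text: str, known_networks=KNOWN_NETWORKS) -> list:
    root = ET.fromstring(xml_text)
    # Alignment modes come from the policy the receiver saw in DNS (default relaxed).
    adkim = _text(root, "policy_published/adkim", "r")
    aspf = _text(root, "policy_published/aspf", "r")
    rows = []
    for rec in root.findall("record"):
        ip = _text(rec, "row/source_ip")
        header_from = _text(rec, "identifiers/header_from")
        spf_dom = _text(rec, "auth_results/spf/domain")
        spf_ok = _text(rec, "auth_results/spf/result") == "pass"
        # A message may carry several DKIM signatures; any aligned passing one counts.
        dkim = [(_text(d, "domain"), _text(d, "result") == "pass")
                for d in rec.findall("auth_results/dkim")]
        rows.append(SourceSummary(
            source_ip=ip,
            count=int(_text(rec, "row/count", "0")),
            spf_aligned=spf_ok and is_aligned(spf_dom, header_from, aspf),
            dkim_aligned=any(ok and is_aligned(dom, header_from, adkim) for dom, ok in dkim),
            raw_auth_pass=spf_ok or any(ok for _, ok in dkim),
            known=any(ip_address(ip) in net for net in known_networks),
        ))
    return rows


def summarise(rows) -> dict:
    """Message counts per verdict; anything other than 'pass' needs a decision."""
    totals = {}
    for r in rows:
        totals[r.verdict] = totals.get(r.verdict, 0) + r.count
    return totals


if __name__ == "__main__":
    for r in parse_report(SAMPLE_REPORT):
        print(f"{r.source_ip:<15} {r.count:>5}  {r.verdict}")
    print(summarise(parse_report(SAMPLE_REPORT)))
```

Run it against the XML attachments you receive and watch the non-`pass` buckets: `own-server-misconfigured` is an SPF or DKIM gap on your side, `unaligned-third-party` is usually a service you forgot to set up with your domain, and `unauthenticated-source` is what `p=reject` will eventually stop. The relaxed-alignment suffix test is deliberately simpler than a public-suffix-list lookup, so use strict mode (as the record above does) when you want the code to match what receivers enforce exactly.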
Step 4: Tighten the policy
1. When reports are clean, change to `p=quarantine` for a week to send failures to spam.
2. If deliverability stays stable, move to `p=reject` to block impersonation outright.
3. Keep `rua` in place permanently so new senders surface in reports before they break mail.
A DNS health scan checks whether your DMARC record exists, parses correctly and uses a sensible policy — alongside SPF and DKIM in one pass. For the full picture of all three records, see our SPF, DKIM and DMARC guide.
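The checks a health scan applies to the record itself are small enough to write down. The following is an added example (not the page's or PatchPings' code) that parses a DMARC TXT value, validates the tags used in Step 2, and flags a `p=none` record as monitor-only in the spirit of the Step 4 upgrade path. It checks syntax only and does not query DNS; the three records in `EXAMPLES` are constructed, and `dmarc-reports@example.com` is a placeholder reporting address.

```python
"""Parse and sanity-check a DMARC TXT record as a DNS health scan would.
Added example, not the page's code; feed it the value published at _dmarc.<domain>."""
import re
from typing import List, Optional

VALID_POLICIES = ("none", "quarantine", "reject")

# Constructed records: the monitor-only record from Step 2, an enforced one,
# and a broken one (v= not first, pct out of range, rua without mailto:).
EXAMPLES = {
    "monitor":  "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com; pct=100; adkim=s; aspf=s",
    "enforced": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; adkim=s; aspf=s",
    "broken":   "p=reject; v=DMARC1; pct=150; rua=dmarc-reports@example.com",
}


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict; raise ValueError on a tag with no '='."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(record: Optional[str]) -> List[str]:
    """Return a list of findings; an empty list means the record is sane."""
    findings = []
    if not record:
        return ["no DMARC record published at _dmarc.<domain>"]
    try:
        tags = parse_dmarc(record)
    except ValueError as exc:
        return [f"unparseable record: {exc}"]
    # RFC 7489: v=DMARC1 must be the first tag and p is mandatory.
    if not record.strip().lower().startswith("v=dmarc1"):
        findings.append("record must begin with v=DMARC1")
    p = tags.get("p")
    if p not in VALID_POLICIES:
        findings.append(f"p must be one of {VALID_POLICIES}, got {p!r}")
    elif p == "none":
        findings.append("p=none is monitor-only; plan the move to quarantine, then reject")
    sp = tags.get("sp")
    if sp is not None and sp not in VALID_POLICIES:
        findings.append(f"sp has invalid value {sp!r}")
    for tag in ("adkim", "aspf"):
        if tags.get(tag, "r") not in ("r", "s"):
            findings.append(f"{tag} must be r (relaxed) or s (strict)")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or not 0 <= int(pct) <= 100:
        findings.append(f"pct must be an integer 0-100, got {pct!r}")
    elif p in ("quarantine", "reject") and int(pct) < 100:
        findings.append(f"pct={pct}: only that share of failing mail is subject to p={p}")
    rua = tags.get("rua")
    if not rua:
        findings.append("no rua: you will receive no aggregate reports")
    elif not all(re.fullmatch(r"mailto:[^@\s,]+@[^@\s,]+", uri.strip())
                 for uri in rua.split(",")):
        findings.append("every rua URI must be of the form mailto:address")
    return findings


if __name__ == "__main__":
    for name, record in EXAMPLES.items():
        print(f"{name}: {check_dmarc(record) or ['ok']}")
```

The `p=none` finding is informational rather than an error: it is the correct state during the monitoring window, and the script exists to make sure you do not forget to leave it.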
DMARC is not a single DNS edit; it is a staged commitment. Monitor with p=none, read the reports, fix alignment gaps, then enforce. Done patiently, your domain becomes dramatically harder to spoof — and your legitimate mail keeps landing in inboxes. Get PatchPings to verify DNS authentication from any device.
