DMARC Configuration Guide: Protect Your Domain from Phishing
Set up a DMARC policy to control what happens to emails that fail SPF and DKIM checks. Essential protection against spoofing and phishing.
DMARC (Domain-based Message Authentication, Reporting, and Conformance) is the final layer of your email authentication system. It builds on SPF and DKIM to tell receiving servers what to do with emails that fail authentication — and sends you reports about what's happening.
How DMARC Works
When an email arrives, the receiving server checks:
- Does it pass SPF? (Is it from an authorized server?)
- Does it pass DKIM? (Is the signature valid?)
- Does the "From" domain in the email align with the SPF/DKIM domains?
DMARC passes if at least one of SPF or DKIM passes and is aligned with the "From" domain. If neither does, the DMARC policy kicks in: the server can reject, quarantine, or just report the email depending on your policy.
DMARC Policy Options
| Policy | What Happens | When to Use |
|---|---|---|
| p=none | No action — just collect reports | Start here. Monitor before enforcing. |
| p=quarantine | Failed emails go to spam/junk | After reviewing none-mode reports |
| p=reject | Failed emails are rejected outright | Full protection — use when confident |
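The receiver-side decision described above, as an added Python example (not code from this guide): it parses a DMARC record, applies the alignment check, and maps a failure to the policy table. The record, the example.com/example.net domains, the sample messages and the two-label org_domain shortcut are assumptions for illustration.

```python
# Added example: simplified DMARC evaluation, not a full RFC 7489 implementation.

def parse_dmarc(record):
    """Split a DMARC TXT record into tags; require v=DMARC1 first and a valid p=."""
    pairs = []
    for part in (p.strip() for p in record.split(";")):
        if not part:
            continue
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        pairs.append((key.strip(), value.strip()))
    if pairs[:1] != [("v", "DMARC1")]:
        raise ValueError("record must start with v=DMARC1")
    tags = dict(pairs)
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("missing or invalid p= policy")
    return tags

def org_domain(domain):
    # Assumption: organizational domain = last two labels. Real receivers
    # consult the Public Suffix List (needed for suffixes like co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def evaluate(from_domain, spf, dkim, record):
    """spf/dkim are (passed, domain): the SPF envelope domain and the DKIM d= domain."""
    policy = parse_dmarc(record)["p"]
    for passed, domain in (spf, dkim):
        # One mechanism that both passes and aligns with From is enough.
        if passed and org_domain(domain) == org_domain(from_domain):
            return "pass"
    return {"none": "report-only", "quarantine": "quarantine", "reject": "reject"}[policy]

# Constructed record and messages (not taken from real traffic).
RECORD = "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com"
SAMPLES = {
    # Own mail server: SPF and DKIM pass and align.
    "legit": ("example.com", (True, "bounce.example.com"), (True, "example.com")),
    # Third-party sender: both checks pass, but for example.net, so nothing aligns.
    "unaligned_sender": ("example.com", (True, "mail.example.net"), (True, "example.net")),
    # Forwarded mail: SPF breaks, the aligned DKIM signature still carries it.
    "forwarded": ("example.com", (False, "example.com"), (True, "example.com")),
}

def run_samples(record=RECORD):
    return {name: evaluate(f, s, d, record) for name, (f, s, d) in SAMPLES.items()}

if __name__ == "__main__":
    for name, result in run_samples().items():
        print(f"{name}: {result}")
```

The unaligned_sender case is the kind of legitimate mail that would be quarantined or rejected under an enforcing policy, which is why the guide starts with p=none.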
Creating Your DMARC Record
DMARC is a TXT record added to your DNS with the host name _dmarc.yourdomain.com.
Start with a monitoring-only policy:
v=DMARC1; p=none; rua=mailto:[email protected]
What each part means:
- v=DMARC1 — identifies this as a DMARC record
- p=none — take no action (monitoring only)
- rua=mailto:[email protected] — send aggregate reports to this address
Step-by-Step: Adding DMARC to Your DNS
- Log in to your DNS management panel.
- Add a new TXT record:
  - Host/Name: _dmarc
  - Value: v=DMARC1; p=none; rua=mailto:[email protected]
  - TTL: 3600
- Save and wait for DNS propagation (usually 1–2 hours).
- Check your email for DMARC reports after a few days.
- Once you're confident your legitimate emails all pass, upgrade to p=quarantine, then p=reject.