Updated May 18, 2026

How to Set Up a DMARC Record — Complete Guide with Examples

DMARC protects your domain from phishing and spoofing by telling receiving servers what to do when SPF and DKIM fail. Learn how to create, publish, and gradually enforce your DMARC policy.

DMARC (Domain-based Message Authentication, Reporting, and Conformance) is the final layer of email authentication. It builds on SPF and DKIM by adding a policy that tells receiving mail servers what to do when an email fails those checks — and sends you reports so you can see who's sending email on behalf of your domain.

Why You Need DMARC

  • Stops phishing attacks: Criminals often forge your domain to trick your customers or employees. DMARC with a reject policy blocks these messages before delivery
  • Required by Gmail and Yahoo (2024+): Domains sending more than 5,000 emails per day must have a DMARC record or mail gets rejected
  • Gives you visibility: DMARC reports tell you every server sending email in your domain's name — so you can detect unauthorized senders
  • Improves deliverability: Authenticated domains are trusted more by spam filters

Prerequisites: Set Up SPF and DKIM First

A message passes DMARC only when at least one of SPF or DKIM passes and aligns with the From domain. Before setting up DMARC:

  • Verify your SPF record is correct at mxtoolbox.com/spf.aspx
  • Verify DKIM is signing at mxtoolbox.com/dkim.aspx
  • Confirm both pass for emails you send by checking Gmail's "Show original" header

Understanding the DMARC Record Syntax

A DMARC record is a DNS TXT record added at _dmarc.yourdomain.com. Here's a breakdown of the key tags:

Tag | Meaning | Example
v | Version (always DMARC1) | v=DMARC1
p | Policy for failing emails | p=none / p=quarantine / p=reject
rua | Address to send aggregate reports | rua=mailto:[email protected]
ruf | Address to send forensic reports | ruf=mailto:[email protected]
pct | Percentage of mail to apply policy to | pct=100
sp | Policy for subdomains | sp=reject

Step-by-Step: Creating Your DMARC Record

Step 1 — Start with Monitoring Mode (p=none)

Never jump straight to a blocking policy. Start with p=none — this monitors and reports but doesn't block any email:

v=DMARC1; p=none; rua=mailto:[email protected]

Step 2 — Publish the Record in DNS

  1. Log into your DNS provider (Cloudflare, GoDaddy, cPanel, Namecheap, etc.)
  2. Add a new TXT record:
    • Name/Host: _dmarc (this creates _dmarc.yourdomain.com)
    • Type: TXT
    • Value: v=DMARC1; p=none; rua=mailto:[email protected]
    • TTL: 3600 or default
  3. Save and wait 30–60 minutes for propagation

Step 3 — Verify Your DMARC Record

Check that the record is live at mxtoolbox.com/dmarc.aspx. Also verify it at dmarcanalyzer.com, which gives more detailed feedback.

Step 4 — Analyse Your DMARC Reports

DMARC aggregate reports (sent to your rua address) arrive as XML files — difficult to read raw. Use a free tool to parse them:

  • dmarcanalyzer.com (free tier available)
  • postmarkapp.com/dmarc (free weekly digest)
  • Google Postmaster Tools (for Gmail deliverability data)

Review these reports for 2–4 weeks. Look for legitimate senders whose email is failing DMARC — these need their SPF or DKIM fixed before you tighten the policy.

Step 5 — Move to Quarantine Policy

Once you're confident all legitimate senders are passing DMARC, move to p=quarantine. This sends failing emails to spam instead of blocking them — a safer intermediate step:

v=DMARC1; p=quarantine; pct=25; rua=mailto:[email protected]

Start with pct=25 (25% of mail) and increase gradually over a few weeks while monitoring reports.

Step 6 — Enforce Reject Policy

When reports show no legitimate senders failing DMARC, move to the strongest policy:

v=DMARC1; p=reject; rua=mailto:[email protected]

With p=reject, receiving servers that honor DMARC reject outright any email that fails both SPF and DKIM alignment, which protects your exact domain from being spoofed in the From address.

Common DMARC Mistakes to Avoid

  • Jumping straight to p=reject before verifying all legitimate senders — this can break your own email flow
  • Not setting up a rua address — without reports, you're flying blind
  • Forgetting third-party senders (Mailchimp, CRM platforms) — they must be authorised in SPF or sign with DKIM before you enforce
  • Wrong record location — the record must be at _dmarc.yourdomain.com exactly, not at yourdomain.com

The Complete Email Authentication Stack

Record | What it does | Where to add
SPF | Lists authorised sending IPs | yourdomain.com TXT
DKIM | Cryptographically signs emails | selector._domainkey.yourdomain.com TXT
DMARC | Policy + reporting for SPF/DKIM failures | _dmarc.yourdomain.com TXT

Administrator