Last updated: March 1, 2026
How to Set Up DMARC Step-by-Step
Setting up DMARC requires adding a DNS TXT record at _dmarc.yourdomain.com. Start with a monitoring-only policy (p=none), analyze your DMARC reports for 2–4 weeks, then progressively tighten to quarantine and reject. The DNS record takes minutes to create, but reaching full enforcement typically takes 4–8 weeks.
This guide walks you through every stage of a DMARC deployment — from creating your first record to achieving full enforcement. Whether you use Google Workspace, Microsoft 365, or any other email platform, the steps are the same because DMARC is a DNS-level protocol that works independently of your mail provider.
Prerequisites
Before you create a DMARC record, two other email authentication protocols must already be in place. DMARC builds on top of SPF and DKIM — without them, DMARC has nothing to enforce.
- Verify SPF is configured. Your domain needs a valid SPF record that lists every server authorized to send email on its behalf. Use our free SPF checker to confirm your record is published and syntactically correct.
- Verify DKIM is configured. At least one DKIM signing key should be published in DNS for your domain. Check yours with our free DKIM checker. If you use a third-party email service, they usually provide the DKIM keys for you to add to DNS.
- Know your email sending services. Make a list of every service that sends email using your domain — marketing platforms (Mailchimp, HubSpot), transactional services (SendGrid, Amazon SES), help desks (Zendesk, Freshdesk), CRM systems (Salesforce), and your primary mail provider (Google Workspace, Microsoft 365). You will need this list in Step 4.
Step 1: Create Your DMARC Record
A DMARC record is a DNS TXT record published at a specific subdomain. The simplest way to begin is with a monitoring-only policy that collects reports without affecting mail delivery:
v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com
Here is what each tag means:
- v=DMARC1 — Identifies this as a DMARC record. This must always be the first tag.
- p=none — The policy for your domain. none means “monitor only” — receiving servers will still deliver failing messages but will send you reports. Other options are quarantine (send to spam) and reject (block entirely).
- rua=mailto:dmarc-reports@yourdomain.com — The address where aggregate reports are sent. These XML reports arrive daily and show you which servers are sending email using your domain, along with their SPF and DKIM results.
You can also add optional tags for more control. For example, ruf=mailto:... specifies where forensic (failure) reports are sent, pct= controls the percentage of messages the policy applies to, and adkim= / aspf= set alignment strictness for DKIM and SPF respectively.
Where to add it: This record goes at the subdomain _dmarc.yourdomain.com as a TXT record. In most DNS providers, you enter _dmarc as the host/name and the full DMARC string as the value.
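As an added illustration, not code from this guide or from any vendor's tooling, the following Python checker splits a DMARC record into its tags and enforces the rules described above: v=DMARC1 must come first, p= must be none, quarantine or reject, pct must be 0–100, adkim/aspf must be r or s, and rua/ruf entries must be mailto: URIs. It uses only the standard library.

```python
# Added example (not from the guide): parse a DMARC TXT record into its tags and
# check the rules described above. Standard library only.
import re

POLICIES = {"none", "quarantine", "reject"}
MAILTO = re.compile(r"mailto:[^@\s]+@[^@\s]+")


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into an ordered dict of lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        name, value = part.split("=", 1)
        tags[name.strip().lower()] = value.strip()
    return tags


def check_dmarc(record: str) -> list:
    """Return a list of problems; an empty list means the record looks valid."""
    tags = parse_dmarc(record)
    keys = list(tags)
    problems = []
    # v=DMARC1 must be the first tag and p= is required.
    if not keys or keys[0] != "v" or tags["v"] != "DMARC1":
        problems.append("record must start with v=DMARC1")
    if "p" not in tags:
        problems.append("missing required p= tag")
    elif tags["p"] not in POLICIES:
        problems.append(f"unknown policy {tags['p']!r}")
    if "sp" in tags and tags["sp"] not in POLICIES:
        problems.append(f"unknown subdomain policy {tags['sp']!r}")
    pct = tags.get("pct", "100")  # 100 is the default when pct is absent
    if not (pct.isdigit() and 0 <= int(pct) <= 100):
        problems.append("pct must be an integer from 0 to 100")
    for tag in ("adkim", "aspf"):
        if tags.get(tag, "r") not in ("r", "s"):
            problems.append(f"{tag} must be r (relaxed) or s (strict)")
    for tag in ("rua", "ruf"):
        for uri in filter(None, (u.strip() for u in tags.get(tag, "").split(","))):
            if not MAILTO.fullmatch(uri):
                problems.append(f"{tag} entry {uri!r} is not a mailto: URI")
    if "rua" not in tags:
        problems.append("no rua= tag, so you will receive no aggregate reports")
    return problems
```

Run check_dmarc on the string you are about to publish; anything it returns is worth fixing before the record goes into DNS.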
Step 2: Add the Record to Your DNS
The exact steps vary by DNS provider, but the process is the same everywhere: add a TXT record with the host set to _dmarc and the value set to your DMARC record string. Here are instructions for the most popular providers:
Google Domains / Squarespace
Navigate to your domain's DNS settings in Google Domains (now managed by Squarespace). Click “Manage custom records,” then add a new record with type TXT, host _dmarc, and paste your DMARC value. Changes typically propagate within minutes.
Cloudflare
Go to your domain in the Cloudflare dashboard, select DNS from the sidebar, and click “Add record.” Choose type TXT, enter _dmarc as the name, paste your DMARC value in the Content field, and click Save. Cloudflare DNS updates are nearly instant.
GoDaddy
Log in to your GoDaddy account, go to My Products, find your domain, and click DNS. Click “Add” under the Records section, select TXT as the type, enter _dmarc in the Name field, and paste your DMARC value. GoDaddy may take up to 48 hours to propagate, though it is usually faster.
AWS Route 53
Open the Route 53 console, select your hosted zone, and click “Create record.” Set the record name to _dmarc, type to TXT, and paste your DMARC value wrapped in double quotes. Set the TTL to 3600 (1 hour) and click Create.
After adding the record, verify it is live using our free DMARC checker. Enter your domain and confirm that the record is detected with the correct policy.
Step 3: Monitor Your Reports (2–4 Weeks)
Once your DMARC record is published with p=none, receiving mail servers will start sending you aggregate reports. These reports are XML files that arrive daily (or more frequently for high-volume domains) at the email address specified in your rua tag.
What aggregate reports contain: Each report includes the sending server's IP address, the number of messages sent, whether SPF and DKIM passed or failed, and whether the identifiers aligned with your domain. In other words, you get a complete picture of who is sending email as your domain and whether those messages are properly authenticated.
What to look for: Sort the senders into two categories. Authorized senders are services you recognize — your mail provider, marketing platform, CRM, and transactional email service. Unauthorized senders are IP addresses you do not recognize, which could be spammers or phishers spoofing your domain. Focus on ensuring every authorized sender shows SPF pass, DKIM pass, and proper alignment.
Why monitoring is critical before enforcement: If you move to p=quarantine or p=reject before all your legitimate senders are authenticated, their emails will be sent to spam or blocked entirely. The monitoring phase gives you time to discover every service sending as your domain and fix authentication issues without any impact on mail delivery.
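An added Python example, not from this guide: it parses a constructed aggregate report (in the RFC 7489 XML layout that real reports use) and sorts each sending IP into the categories described above: authorized and passing, authorized but failing alignment, or unknown. The IP-to-service map is an assumed stand-in for the list you built in the prerequisites.

```python
# Added example (not from the guide): summarize a DMARC aggregate (rua) report.
# The XML is a constructed sample in the RFC 7489 layout, not a real report.
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
 <policy_published><domain>yourdomain.com</domain><p>none</p></policy_published>
 <record><row><source_ip>203.0.113.10</source_ip><count>120</count>
   <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
  <identifiers><header_from>yourdomain.com</header_from></identifiers>
  <auth_results><dkim><domain>yourdomain.com</domain><result>pass</result></dkim>
   <spf><domain>yourdomain.com</domain><result>pass</result></spf></auth_results></record>
 <record><row><source_ip>198.51.100.7</source_ip><count>30</count>
   <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>yourdomain.com</header_from></identifiers>
  <auth_results><spf><domain>bounce.esp.example</domain><result>pass</result></spf></auth_results></record>
 <record><row><source_ip>192.0.2.99</source_ip><count>500</count>
   <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>yourdomain.com</header_from></identifiers>
  <auth_results><spf><domain>192-0-2-99.example</domain><result>none</result></spf></auth_results></record>
</feedback>"""

# Constructed map of sending IPs you recognize to the service that owns them.
KNOWN_SENDERS = {"203.0.113.10": "Google Workspace", "198.51.100.7": "marketing platform"}


def summarize(report_xml: str, known: dict) -> list:
    """One dict per <record>: sender, volume, aligned SPF/DKIM results, next action."""
    rows = []
    for rec in ET.fromstring(report_xml).iter("record"):
        ip = rec.findtext("row/source_ip")
        # policy_evaluated carries the *aligned* verdicts; DMARC passes if either does.
        dkim = rec.findtext("row/policy_evaluated/dkim") == "pass"
        spf = rec.findtext("row/policy_evaluated/spf") == "pass"
        sender = known.get(ip)
        if sender is None:
            action = "investigate: unrecognized source"
        elif not (dkim or spf):
            action = "fix: authorized sender failing alignment"
        else:
            action = "ok"
        rows.append({"ip": ip, "sender": sender or "UNKNOWN", "count": int(rec.findtext("row/count")),
                     "dkim_aligned": dkim, "spf_aligned": spf, "dmarc_pass": dkim or spf, "action": action})
    return rows


def failing_volume(rows: list) -> int:
    """Messages that would be quarantined/rejected under enforcement as things stand."""
    return sum(r["count"] for r in rows if not r["dmarc_pass"])
```

The second record shows why raw results are not enough: its SPF check passed for the platform's bounce domain, but because that domain does not align with yourdomain.com the aligned verdict is fail, and that sender would be affected by enforcement.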
Step 4: Authenticate All Legitimate Senders
After reviewing your DMARC reports, you should have a clear list of every service sending email as your domain. Now you need to ensure each one passes both SPF and DKIM checks with proper alignment.
Identify third-party senders. Common services include Mailchimp, SendGrid, Amazon SES, HubSpot, Salesforce, Zendesk, Freshdesk, Intercom, and many others. Each report row showing a sending IP should be traceable to one of these services or to your own mail servers.
Add them to SPF. Each third-party sender provides an SPF include mechanism. For example, Mailchimp uses include:servers.mcsv.net, SendGrid uses include:sendgrid.net, and Google Workspace uses include:_spf.google.com. Add each include to your domain's SPF record. Be mindful of SPF's limit of 10 DNS lookups — if you have many senders, you may need to flatten your SPF record or consolidate services.
Configure DKIM for each sender. Most third-party email services provide DKIM keys as CNAME records that you add to your DNS. For example, Mailchimp provides two CNAME records (k1._domainkey and k2._domainkey) that point to their DKIM infrastructure. Follow each provider's documentation to add the correct DNS records.
Verify alignment. DMARC passes when at least one of SPF or DKIM both passes and aligns with your From domain. SPF alignment means the domain in the Return-Path (envelope sender) matches your From domain. DKIM alignment means the d= domain in the DKIM signature matches your From domain. After configuring each sender, send test emails and check your DMARC reports to confirm alignment is passing.
Step 5: Move to Enforcement
Once every legitimate sender is authenticated and passing DMARC checks, it is time to move from monitoring to enforcement. This is done in two stages to minimize risk.
Upgrade to p=quarantine
Update your DMARC record to quarantine failing messages. You can use the pct tag to start with a partial rollout:
v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc-reports@yourdomain.com
This means 50% of messages that fail DMARC will be sent to the recipient's spam folder, while the other 50% are treated as if the policy were still p=none. Monitor your reports closely for 2 weeks. If no legitimate mail is being quarantined, increase pct to 100 or remove it (100 is the default).
Upgrade to p=reject
After a successful quarantine period, move to the strongest policy — reject:
v=DMARC1; p=reject; rua=mailto:dmarc-reports@yourdomain.com; ruf=mailto:dmarc-forensic@yourdomain.com
With p=reject, receiving mail servers will outright refuse to deliver any message that fails DMARC authentication. This is the final goal of a DMARC deployment. It provides the strongest protection against domain spoofing and phishing, and it signals to mailbox providers that you take email security seriously — which can improve your deliverability.
DMARC Record Examples
Here are common DMARC record configurations for different stages of deployment. Each is a TXT record published at _dmarc.yourdomain.com.
Basic monitoring (start here):
v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com
Quarantine with 50% rollout:
v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc-reports@yourdomain.com
Full reject (final goal):
v=DMARC1; p=reject; rua=mailto:dmarc-reports@yourdomain.com; ruf=mailto:dmarc-forensic@yourdomain.com
Full reject with strict alignment:
v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc-reports@yourdomain.com
Strict alignment (adkim=s; aspf=s) requires an exact domain match between the From header and the SPF/DKIM domains. The default is relaxed alignment (r), which allows subdomains to align with the parent domain. Strict alignment provides stronger protection but can break mail flows from services that sign with a subdomain, so test carefully before enabling it.
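This added Python example (not the guide's own code) works through the alignment rules from Step 4 and the strict-versus-relaxed difference just described, for a constructed third-party sender that uses its own bounce domain for SPF but signs DKIM with d=mail.yourdomain.com. It assumes the organizational domain is the last two labels of a name; real validators use the Public Suffix List.

```python
# Added example (not from the guide): evaluate DMARC identifier alignment for a
# message. Assumption: the organizational domain is the last two labels; real
# validators use the Public Suffix List so that e.g. example.co.uk works.


def org_domain(domain: str) -> str:
    """Organizational domain under the simplifying assumption above."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """mode 'r' (relaxed): same organizational domain; 's' (strict): exact match."""
    f, a = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    if mode == "s":
        return f == a
    return org_domain(f) == org_domain(a)


def dmarc_result(header_from: str, spf_domain: str = None, spf_pass: bool = False,
                 dkim_domain: str = None, dkim_pass: bool = False,
                 aspf: str = "r", adkim: str = "r") -> dict:
    """Combine raw SPF/DKIM outcomes with alignment the way a receiver does.

    spf_domain is the Return-Path (envelope sender) domain, dkim_domain the d= tag
    of the signature; aspf/adkim are the alignment modes from the DMARC record.
    """
    spf_ok = bool(spf_pass and spf_domain and aligned(header_from, spf_domain, aspf))
    dkim_ok = bool(dkim_pass and dkim_domain and aligned(header_from, dkim_domain, adkim))
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok, "dmarc_pass": spf_ok or dkim_ok}


if __name__ == "__main__":
    # Constructed scenario: a marketing platform uses its own bounce domain for
    # SPF but signs DKIM with a subdomain of yours.
    msg = dict(header_from="yourdomain.com", spf_domain="bounce.esp.example", spf_pass=True,
               dkim_domain="mail.yourdomain.com", dkim_pass=True)
    print("relaxed:", dmarc_result(**msg))            # DKIM aligns -> DMARC pass
    print("strict: ", dmarc_result(**msg, adkim="s"))  # subdomain no longer aligns -> fail
```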
Verify Your DMARC Setup
After publishing or updating your DMARC record, always verify it is live and correctly formatted. Use our DMARC checker to instantly look up your record and validate its syntax. For a comprehensive view of your domain's entire email authentication posture — SPF, DKIM, DMARC, and MX records together — run a full scan with our domain scanner.
Setting up DMARC is a one-time configuration effort, but maintaining compliance is ongoing. Every time you add a new email sending service, change providers, or modify DNS records, your authentication setup can break. Continuous monitoring catches these issues before they affect your email delivery or leave your domain vulnerable to spoofing.
Automate your DMARC monitoring
Inbox Insignia continuously scans your domain's email authentication records, detects configuration drift, ingests DMARC aggregate reports, and alerts you the moment something changes — so you never lose compliance.
Frequently Asked Questions
How long does it take to set up DMARC?
Creating and publishing a DMARC DNS record takes only a few minutes. However, reaching full enforcement (p=reject) typically takes 4–8 weeks because you need to monitor reports, identify all legitimate senders, and progressively tighten your policy. Rushing to enforcement without proper monitoring risks blocking legitimate email.
Can I go straight to p=reject?
Technically yes, but it is strongly discouraged. Going straight to p=reject without monitoring means you have no visibility into which services are sending email on your behalf. If a legitimate sender — like your CRM, marketing platform, or transactional email service — is not properly authenticated, their emails will be rejected. Always start with p=none, monitor for 2–4 weeks, authenticate all senders, then gradually move to quarantine and reject.
What if my DMARC reports show unknown senders?
Unknown senders in your DMARC reports could be either legitimate services you forgot about or unauthorized parties spoofing your domain. Investigate each unknown sender by checking the sending IP addresses against known services. If a sender is legitimate (for example, a SaaS tool your marketing team uses), add it to your SPF record and configure DKIM. If the sender is unauthorized, your DMARC policy will block them once you move to enforcement.
Do I need a separate DMARC record for subdomains?
Not necessarily. By default, your organizational domain's DMARC policy applies to all subdomains. However, you can set a separate subdomain policy using the sp= tag in your main DMARC record (for example, sp=reject to reject mail from subdomains), or you can publish individual DMARC records on specific subdomains (for example, _dmarc.mail.yourdomain.com) to override the parent policy.
What is the pct tag in DMARC?
The pct (percentage) tag tells receiving mail servers what percentage of failing messages should have the DMARC policy applied. For example, pct=50 with p=quarantine means only 50% of failing messages will be quarantined, while the other 50% will be treated as if the policy were p=none. This allows you to gradually roll out enforcement and catch issues before applying the policy to all messages. Once you are confident, remove the pct tag or set it to pct=100.
Ready to automate your email compliance?
Stop manually checking DNS records. Inbox Insignia monitors your SPF, DKIM, and DMARC configuration around the clock and alerts you the moment something changes.