How to Set Up DMARC: A Step-by-Step Guide for Beginners
Learn how to configure DMARC for your domain. Protect your email from spoofing with a step-by-step guide covering DNS setup, policy selection, and monitoring.
DMARC (Domain-based Message Authentication, Reporting, and Conformance) is the policy layer that ties SPF and DKIM together. It tells receiving mail servers what to do when an email fails authentication, and it provides reporting so you can monitor who is sending email from your domain.
Why DMARC Matters
Without DMARC, even with SPF and DKIM configured, receiving servers do not know whether to quarantine or reject unauthenticated emails. DMARC gives you three key benefits: protection against exact-domain spoofing, visibility into who is sending email from your domain, and control over how failures are handled.
Step 1: Set Up SPF First
Before configuring DMARC, ensure SPF is properly configured. SPF specifies which mail servers are authorized to send email for your domain. Use our free SPF Checker to verify your SPF record.
Step 2: Set Up DKIM
DKIM adds a cryptographic signature to outgoing emails. Most email providers (Google Workspace, Microsoft 365) provide DKIM setup instructions. Use our DKIM Lookup tool to verify your DKIM configuration.
Step 3: Choose Your DMARC Policy
Start with a monitoring-only policy to collect data without affecting delivery: `p=none`. After reviewing reports for a few weeks, move to `p=quarantine` (sends unauthenticated email to spam), and eventually to `p=reject` (blocks unauthenticated email entirely).
Step 4: Create Your DMARC DNS Record
Add a TXT record at `_dmarc.yourdomain.com` with your policy. A basic monitoring record looks like: `v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com; ruf=mailto:dmarc@yourdomain.com; fo=1`
Step 5: Enable Reporting
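The `rua` tag specifies where aggregate reports are sent. These XML reports show who is sending email from your domain and whether they pass authentication. The `ruf` tag in the record above is the address for per-message failure reports, and `fo=1` asks receivers to generate one whenever SPF or DKIM fails. Services like dmarcian or Postmark offer free DMARC monitoring for small volumes.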
Step 6: Monitor and Tighten
Review your DMARC reports weekly. Identify unauthorized senders. Once legitimate email sources are passing authentication consistently, tighten your policy from `none` to `quarantine`, and eventually to `reject`.
Use our free DMARC Checker to verify your configuration at any time.