How to Set Up DMARC: Step-by-Step for Any Domain

Setting up DMARC takes about five minutes of DNS work. Getting it right takes a bit more thought. This guide walks you through the entire process, from prerequisites to your first report, with the exact DNS records you need at each step.

Prerequisites

Before you set up DMARC, make sure you have:

  • Access to your domain's DNS management (your registrar, Cloudflare, Route 53, etc.)
  • An SPF record already published for your domain. DMARC needs SPF or DKIM to work.
  • DKIM signing enabled for at least your primary email provider. DKIM is recommended alongside SPF for better coverage.

Not sure if you have SPF and DKIM? Add your domain to MailShield for a free instant check across all email security protocols.

Step 1: Publish your DMARC record

Create a TXT record in DNS at _dmarc.yourdomain.com with this value:

v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com

Breaking this down:

  • v=DMARC1: identifies this as a DMARC record (required, must be first)
  • p=none: the policy. Start with none (monitor only). Do not start with quarantine or reject.
  • rua=mailto:...: where aggregate reports should be sent. This is the most important tag. Without it, you have no visibility.

Step 2: Wait for reports (24-72 hours)

After publishing your record, email providers will start sending aggregate reports to the address you specified. Most providers (Google, Microsoft, Yahoo) send reports daily, covering the previous 24-hour period.

It may take 24-72 hours for the first reports to arrive, depending on when providers pick up your new DNS record and when their reporting cycle runs.

Step 3: Analyze your reports

The reports tell you who's sending email as your domain and whether they pass authentication. You're looking for:

  • Your known senders (Google Workspace, Microsoft 365, marketing tools, etc.) passing SPF and DKIM with alignment
  • Unknown senders that might be unauthorized or forgotten services
  • Authentication failures from legitimate senders that need configuration fixes

This is where most people get stuck. Raw DMARC reports are XML files that are difficult to parse manually. A monitoring tool like MailShield processes them automatically and shows you a clear picture.
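As an added example (not code from this guide or from MailShield), the function below rolls an aggregate report up into the three things listed above: which sources pass, which fail, and where an SPF pass on an unaligned domain is the reason. The XML is a constructed sample in the RFC 7489 aggregate-report layout; real reports arrive as compressed attachments and must be unzipped first.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the RFC 7489 aggregate-report layout (not a real report).
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>reporter.example</org_name></report_metadata>
  <policy_published><domain>yourdomain.com</domain><p>none</p></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>40</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>yourdomain.com</domain><result>pass</result></dkim>
      <spf><domain>yourdomain.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>3</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results><spf><domain>bulk-sender.example</domain><result>pass</result></spf></auth_results>
  </record>
</feedback>"""


def summarise_report(xml_text: str) -> dict:
    """Roll an aggregate report up into per-source rows plus pass/fail totals."""
    root = ET.fromstring(xml_text)
    rows, total, passed = [], 0, 0
    for rec in root.iter("record"):
        count = int(rec.findtext("row/count"))
        # policy_evaluated carries the *aligned* results; DMARC passes if either does.
        dkim_ok = rec.findtext("row/policy_evaluated/dkim") == "pass"
        spf_ok = rec.findtext("row/policy_evaluated/spf") == "pass"
        dmarc_pass = dkim_ok or spf_ok
        rows.append({
            "source_ip": rec.findtext("row/source_ip"),
            "count": count,
            "dmarc_pass": dmarc_pass,
            # Raw SPF domain != header_from while SPF "passed" is the alignment gap from Step 4.
            "spf_domain": rec.findtext("auth_results/spf/domain"),
            "header_from": rec.findtext("identifiers/header_from"),
        })
        total += count
        passed += count if dmarc_pass else 0
    return {"reporter": root.findtext("report_metadata/org_name"),
            "published_policy": root.findtext("policy_published/p"),
            "total": total, "passed": passed, "rows": rows}
```

In the sample, the second source passes raw SPF for bulk-sender.example but fails DMARC because neither SPF nor DKIM aligns with yourdomain.com, which is exactly the case that needs a custom return-path or DKIM configuration.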

Step 4: Fix authentication issues

For each sender that fails DMARC, you need to:

  • Configure DKIM: set up custom DKIM signing with your domain. Most email services support this through CNAME records.
  • Fix SPF: make sure the sender is included in your SPF record. Check that you're under the 10 DNS lookup limit.
  • Fix alignment: the domain authenticated by SPF or DKIM must match your From domain. Some third-party services need custom return-path or DKIM configuration for this.

Step 5: Tighten your policy

Once all legitimate senders pass DMARC consistently (give it 2-4 weeks of clean reports), upgrade your policy:

v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc-reports@yourdomain.com

The pct=25 tag applies quarantine to only 25% of failing messages, giving you a safety net. Increase to 50%, then 100%, then move to p=reject when you're confident.

Optional: Add forensic reporting

DMARC also supports forensic reports (ruf tag) that send detailed information about individual failing messages. This is useful for investigating specific authentication failures, but not all providers send forensic reports and they may contain personal data.

v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@yourdomain.com; ruf=mailto:dmarc-forensics@yourdomain.com; fo=1

Monitor continuously

DMARC is not a set-and-forget configuration. New email services get added, SPF records change, certificates expire, and your authentication can break without warning. Continuous monitoring catches these issues before they affect your email delivery.

MailShield monitors your DMARC configuration 24/7, processes your reports automatically, and alerts you the moment something changes. Start free with up to 2 domains.

Frequently asked questions

How long does it take for DMARC to start working?

The DNS record typically propagates within minutes to a few hours. However, you won't receive your first DMARC report until about 24 hours after publishing the record, since most providers send reports daily.

Should I start with p=none or p=reject?

Always start with p=none. This monitoring-only mode lets you collect reports and identify all legitimate email sources before enforcing a policy. Move to p=quarantine and then p=reject only after you've confirmed all authorized senders pass authentication.

What is the difference between rua and ruf in DMARC?

The rua tag specifies where aggregate reports are sent (daily XML summaries of all email activity). The ruf tag specifies where forensic/failure reports are sent (individual message details when authentication fails). Most providers only send aggregate reports.

Do I need SPF and DKIM before setting up DMARC?

You need at least one of SPF or DKIM configured before DMARC will work, since DMARC checks alignment against these protocols. In practice, you should set up both SPF and DKIM first for the strongest protection.

Check your domain now

See your email security score in under a minute. Free for up to 2 domains.