DMARC stops email spoofing by telling receiving mail servers what to do with messages that fail authentication. But DMARC itself doesn't work without SPF and DKIM already in place. This guide walks through all three in the correct order.
Step 1: Audit Your Email Sending Sources
Before touching DNS, list every service that sends email on your domain's behalf:
- Corporate email — Google Workspace, Microsoft 365, Zoho
- Marketing — Mailchimp, HubSpot, Klaviyo, Campaign Monitor
- Transactional — SendGrid, Postmark, Mailgun, Amazon SES
- CRMs and apps — Salesforce, Zendesk, customer support tools
- Internal servers — on-premise mail servers, monitoring alerts
Every sender on this list must be covered in your SPF record and have DKIM signing enabled before you enforce DMARC. Missing even one will cause legitimate email to fail.
Step 2: Publish an SPF Record
SPF is a TXT record at your domain root (example.com, not a subdomain). You can have only one SPF record — multiple SPF TXT records cause a PermError.
Example for Google Workspace + SendGrid + a custom mail server:
v=spf1 include:_spf.google.com include:sendgrid.net ip4:203.0.113.10 ~all
DNS record details:
- Type: TXT
- Name: @ (or leave blank, meaning the domain root)
- Value: the SPF string above
- TTL: 3600 (1 hour)
The 10-lookup rule: SPF allows a maximum of 10 DNS lookups (each include: counts as one). If you exceed 10, SPF returns a PermError and fails permanently. If you use many services, you may need to flatten your SPF by replacing include: entries with explicit ip4: ranges.
Use ~all (soft fail) while setting up. Switch to -all (hard fail) only after DMARC is enforcing.
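Added example (not part of the original guide): an offline linter for the SPF string from this step that counts the lookup-costing terms toward the 10-lookup limit, flags `+all`, bad `ip4:`/`ip6:` values, terms after `all`, and more than one SPF record at the root. It parses only the string you pass in; it does not resolve DNS, so lookups nested inside `include:` targets are not counted.

```python
import ipaddress
import re
# Terms that each cost one DNS lookup toward RFC 7208's limit of 10.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10

def check_spf(record):
    """Statically lint one SPF TXT string and return a findings dict."""
    findings = {"lookups": 0, "all_qualifier": None, "problems": []}
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        findings["problems"].append("record must start with v=spf1")
        return findings
    seen_all = False
    for term in terms[1:]:
        qualifier = "+"                       # SPF's default qualifier
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        m = re.fullmatch(r"([a-z0-9]+)(?:[:=](.+))?(?:/\d+)?", term, re.I)
        if not m:
            findings["problems"].append(f"unparseable term {term!r}")
            continue
        name, arg = m.group(1).lower(), m.group(2)
        if seen_all:                          # nothing after 'all' is evaluated
            findings["problems"].append(f"{term!r} after 'all' is ignored")
            continue
        if name in LOOKUP_TERMS:              # include: targets are not fetched,
            findings["lookups"] += 1          # so nested lookups are not counted
        if name in ("ip4", "ip6"):
            try:
                ipaddress.ip_network(arg or "", strict=False)
            except ValueError:
                findings["problems"].append(f"bad address in {term!r}")
        elif name == "all":
            seen_all, findings["all_qualifier"] = True, qualifier
            if qualifier == "+":
                findings["problems"].append("+all lets any sender pass SPF")
    if findings["lookups"] > MAX_LOOKUPS:
        findings["problems"].append(
            f"{findings['lookups']} lookups exceed {MAX_LOOKUPS}: PermError")
    return findings

def check_spf_records(txt_records):
    """Lint the root's TXT records; more than one SPF record is a PermError."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:
        return {"problems": [f"expected 1 SPF record, found {len(spf)}"]}
    return check_spf(spf[0])
```

Feed it the TXT strings returned by your resolver (for example the output of `dig TXT example.com`); a record that passes here can still exceed the limit once its `include:` targets are expanded.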
Step 3: Enable DKIM on All Sending Services
Each email service generates its own DKIM key pair. You publish the public key in DNS; the service signs emails with the private key. The process is usually:
- Go to the service's admin panel → Email/Domain settings → DKIM or Authentication
- Click "Generate" or "Enable DKIM" — the service generates a key pair
- Copy the TXT record provided (it looks like a long public key string)
- Publish it in your DNS at the specified subdomain, e.g. google._domainkey.example.com
- Return to the admin panel and click "Verify" — the service confirms it can find the record
Example DKIM DNS record:
Name: google._domainkey.example.com
Type: TXT
Value: v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GN...
Repeat this for every service on your sender list from Step 1. Each service uses a unique selector (the part before ._domainkey), so records don't conflict.
Step 4: Publish DMARC in Monitor Mode (p=none)
Create a TXT record at _dmarc.example.com:
Name: _dmarc.example.com
Type: TXT
Value: "v=DMARC1; p=none; rua=mailto:[email protected]"
Tag breakdown:
- v=DMARC1 — required, declares this is a DMARC record
- p=none — monitor only, no effect on delivery
- rua=mailto:[email protected] — where to send daily aggregate reports
This record does nothing to mail flow — it only enables reporting. You will start receiving XML reports from major mail providers (Gmail, Yahoo, Outlook) within 24–48 hours.
Step 5: Analyze Reports for 2–4 Weeks
The aggregate XML reports are verbose. Use a DMARC report parser (Dmarcian, Postmark's free analyzer, or Google Postmaster Tools) to read them. Look for:
- Pass rate: You want near 100% of legitimate mail passing DMARC. Any failures from real senders need to be fixed before enforcing.
- Unknown senders: IPs you don't recognize sending as your domain — could be shadow IT, old servers, or active spoofing.
- SPF-only pass: Services passing SPF but not DKIM don't have DKIM configured yet. Add DKIM to those services.
Fix every legitimate sender that appears failing before moving to Step 6. Do not rush this phase.
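Added example (not code from the original guide): a small analyzer for one aggregate XML report that computes the pass rate and pulls out the three things this step says to look for. The report and the known-sender map are constructed sample data; the real reports from providers have the same `record/row/policy_evaluated` layout, and `policy_evaluated` already holds the receiver's aligned SPF and DKIM results.

```python
import xml.etree.ElementTree as ET

# Constructed aggregate report in the RFC 7489 XML layout (not real data).
SAMPLE_REPORT = """<feedback>
<report_metadata><org_name>receiver.example</org_name></report_metadata>
<policy_published><domain>example.com</domain><p>none</p></policy_published>
<record><row><source_ip>203.0.113.10</source_ip><count>120</count>
<policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
<record><row><source_ip>198.51.100.5</source_ip><count>40</count>
<policy_evaluated><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row></record>
<record><row><source_ip>192.0.2.99</source_ip><count>15</count>
<policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>"""

# Source IPs from your Step 1 audit mapped to the service (constructed values).
KNOWN_SENDERS = {"203.0.113.10": "on-prem mail server", "198.51.100.5": "sendgrid"}

def analyze_report(xml_text, known_senders):
    """Summarise one aggregate report into the three Step 5 checks.
    policy_evaluated holds the receiver's aligned SPF/DKIM results, and
    DMARC passes when either of them passes."""
    sources, total, passing = [], 0, 0
    for rec in ET.fromstring(xml_text).findall("record"):
        row = rec.find("row")
        ip, count = row.findtext("source_ip"), int(row.findtext("count"))
        dkim = row.findtext("policy_evaluated/dkim") == "pass"
        spf = row.findtext("policy_evaluated/spf") == "pass"
        total += count
        passing += count if (dkim or spf) else 0
        sources.append({"ip": ip, "count": count, "dkim": dkim, "spf": spf,
                        "sender": known_senders.get(ip), "dmarc_pass": dkim or spf})
    return {
        "pass_rate": round(100 * passing / total, 1) if total else 0.0,
        # Step 5: unknown senders, SPF-only passers, and known senders failing
        "unknown_senders": [s["ip"] for s in sources if s["sender"] is None],
        "spf_only": [s["sender"] for s in sources if s["sender"] and s["spf"] and not s["dkim"]],
        "failing_known": [s["sender"] for s in sources if s["sender"] and not s["dmarc_pass"]],
        "sources": sources,
    }

if __name__ == "__main__":
    summary = analyze_report(SAMPLE_REPORT, KNOWN_SENDERS)
    print(f"DMARC pass rate: {summary['pass_rate']}%")
    print("unknown senders:", summary["unknown_senders"])
    print("add DKIM to:", summary["spf_only"])
```

On the sample data the SendGrid source shows up as SPF-only (DKIM still to be enabled there) and 192.0.2.99 as an unrecognised sender to investigate; run it over each day's report and the first list should empty out before you move to Step 6.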
Step 6: Move to p=quarantine
Update your DMARC record to begin enforcement. Start with a low percentage:
"v=DMARC1; p=quarantine; pct=25; rua=mailto:[email protected]"
The pct=25 tag applies the quarantine policy to only 25% of failing messages. Monitor for a week. If no legitimate mail is caught in spam, increase to 50, then 100:
"v=DMARC1; p=quarantine; pct=100; rua=mailto:[email protected]"
Step 7: Enforce with p=reject
Once you are confident all legitimate mail passes DMARC, move to full enforcement:
"v=DMARC1; p=reject; pct=100; rua=mailto:[email protected]"
With p=reject, email that fails DMARC alignment is outright rejected by receiving servers — it never reaches the inbox or spam folder. This is the strongest protection against domain spoofing and is what Google, Yahoo, and major providers now require for bulk senders.
Optionally add forensic reporting and subdomain policy:
v=DMARC1; p=reject; sp=reject; pct=100;
rua=mailto:[email protected];
ruf=mailto:[email protected]; fo=1
Tags: sp=reject applies the same policy to subdomains. ruf is forensic/failure reporting (individual message reports). fo=1 sends a forensic report if either SPF or DKIM fails (not just when both fail).
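Added example covering the records in Steps 4, 6 and 7 (this is illustrative code, not from the original guide): a parser that validates a DMARC TXT value against the tags discussed here (v first, p required, pct 0–100, mailto: report URIs, fo values), derives the policy a receiver applies to the domain and its subdomains, and suggests the next record in this guide's rollout sequence.

```python
POLICIES = ("none", "quarantine", "reject")

def parse_dmarc(record):
    """Parse a DMARC TXT value into (tags, problems); v first, p mandatory."""
    tags, problems = {}, []
    for part in record.strip().strip('"').split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            problems.append(f"malformed tag {part!r}")
            continue
        name, value = (s.strip() for s in part.split("=", 1))
        if not tags and (name, value) != ("v", "DMARC1"):
            problems.append("first tag must be v=DMARC1")
        tags[name] = value
    if tags.get("p") not in POLICIES:
        problems.append("p must be none, quarantine or reject")
    if "sp" in tags and tags["sp"] not in POLICIES:
        problems.append("sp must be none, quarantine or reject")
    pct = tags.get("pct", "100")
    if not (pct.isdigit() and 0 <= int(pct) <= 100):
        problems.append("pct must be an integer from 0 to 100")
    for tag in ("rua", "ruf"):           # report URIs: comma-separated mailto:
        for uri in filter(None, tags.get(tag, "").split(",")):
            if not uri.strip().startswith("mailto:"):
                problems.append(f"{tag} URI {uri.strip()!r} is not mailto:")
    if not set(tags.get("fo", "0").split(":")) <= {"0", "1", "d", "s"}:
        problems.append("fo values must be 0, 1, d or s")
    return tags, problems

def effective_policy(tags):
    """Policy applied to the domain and its subdomains (sp defaults to p)."""
    return {"domain": tags["p"], "subdomain": tags.get("sp", tags["p"]),
            "pct": int(tags.get("pct", 100))}

def next_rollout_record(tags):
    """Next record in this guide's rollout: none -> quarantine 25/50/100 -> reject."""
    p, pct = tags["p"], int(tags.get("pct", 100))
    if p == "none":
        p, pct = "quarantine", 25
    elif p == "quarantine" and pct < 100:
        pct = 50 if pct < 50 else 100
    elif p == "quarantine":
        p, pct = "reject", 100
    else:
        return None                      # already at p=reject
    return f"v=DMARC1; p={p}; pct={pct}; rua={tags.get('rua', '')}"
```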
FAQ
Do I need SPF and DKIM before setting up DMARC?
Yes. DMARC evaluates the SPF and DKIM results, so both must be in place (Steps 2 and 3) before you publish a DMARC record.
What is the rua tag in a DMARC record?
rua=mailto:[email protected]. Receiving servers send daily XML reports to this address with authentication statistics. These reports are essential for identifying misconfigured senders before enforcing policy.
How long should I stay at p=none before enforcing?
Analyze the aggregate reports for 2–4 weeks (Step 5) and fix every legitimate sender that fails before moving to p=quarantine.
What is the pct tag and should I use it?
p=quarantine; pct=25 only quarantines 25% of failing messages. Start at pct=25, monitor for a week, then increase to 50, then 100. This is the safe way to roll out enforcement without risking legitimate mail.
What if I use multiple email providers — do I need multiple DMARC records?
No. A single record at _dmarc.yourdomain.com covers all senders. Multiple providers are handled in your SPF record (include: each) and in DKIM (each provider gets its own selector). Publishing two DMARC records would cause a PermError.