Set up DMARC by adding a TXT record to _dmarc.yourdomain.com with the value: v=DMARC1; p=none; rua=mailto:[email protected]. Start with p=none to monitor without blocking any email. Review aggregate reports for 2-4 weeks to identify all legitimate senders. Authorize them via SPF and DKIM. Then advance to p=quarantine, then p=reject. The full process takes 6-12 weeks.
How to Set Up DMARC: Step-by-Step Guide from None to Reject
Step 1: Publish a DMARC Record at p=none
Add this TXT record to your DNS:
Host: _dmarc.yourdomain.com
Value: v=DMARC1; p=none; rua=mailto:[email protected]; pct=100
This tells receiving servers:
- You have a DMARC policy
- Don't take action on failures yet (p=none)
- Send aggregate reports to your email address
For an overview of all three protocols, see the email authentication guide. Make sure SPF and DKIM are configured before starting DMARC.
Use a dedicated mailbox for reports. You'll receive daily XML files from every receiving server that processes mail claiming to be from your domain. For high-volume senders, this can be hundreds of reports per day.
Step 2: Monitor Aggregate Reports (2-4 Weeks)
Aggregate reports (RUA) tell you:
- Every IP address sending email "from" your domain
- Whether each IP passes or fails SPF
- Whether each IP passes or fails DKIM
- The volume from each sender
What to Look For
Authorized senders passing authentication: Your ESP, Google Workspace, CRM — these should show SPF pass and DKIM pass. If they're failing, fix the configuration.
Authorized senders failing authentication: A service you use but forgot to add to SPF, or DKIM isn't configured. Authorize them.
Unknown senders: IPs you don't recognize sending as your domain. These could be:
- A forgotten third-party service (check your IT/marketing stack)
- Forwarded email (legitimate but breaks SPF)
- Spoofing attempts (what DMARC is designed to stop)
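The three buckets above, applied to one aggregate report, as an added Python example (not the author's tooling or any vendor's parser). It parses the RFC 7489 XML layout; the report content and the KNOWN_SENDERS inventory are constructed assumptions, using documentation IP ranges.

```python
"""Triage one DMARC aggregate (RUA) report into the three buckets from "What to Look For"."""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample report in the RFC 7489 Appendix C layout; not from a real provider.
SAMPLE_RUA = """<feedback>
  <report_metadata><org_name>receiver.example</org_name></report_metadata>
  <policy_published><domain>yourdomain.com</domain><p>none</p></policy_published>
  <record><row><source_ip>203.0.113.10</source_ip><count>120</count>
    <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>35</count>
    <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
  <record><row><source_ip>192.0.2.99</source_ip><count>400</count>
    <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>"""

# Hypothetical inventory of the services you know send for your domain (assumption).
KNOWN_SENDERS = {
    "esp": ipaddress.ip_network("203.0.113.0/24"),
    "helpdesk": ipaddress.ip_network("198.51.100.0/24"),
}


def classify(report_xml, known=KNOWN_SENDERS):
    """Return {bucket: [(ip, count, spf, dkim, service)]} for one RUA report.

    <policy_evaluated> already holds the *aligned* SPF/DKIM results, so a
    'pass' there is a DMARC pass for that mechanism.
    """
    buckets = {"authorized_pass": [], "authorized_fail": [], "unknown": []}
    root = ET.fromstring(report_xml)
    for rec in root.iter("record"):
        row = rec.find("row")
        ip = ipaddress.ip_address(row.findtext("source_ip"))
        count = int(row.findtext("count"))
        evaluated = row.find("policy_evaluated")
        spf, dkim = evaluated.findtext("spf"), evaluated.findtext("dkim")
        service = next((name for name, net in known.items() if ip in net), None)
        if service is None:
            bucket = "unknown"          # forgotten service, forwarder, or spoofing
        elif "pass" in (spf, dkim):     # DMARC needs only one aligned mechanism to pass
            bucket = "authorized_pass"
        else:
            bucket = "authorized_fail"  # add to SPF / set up DKIM (Step 3)
        buckets[bucket].append((str(ip), count, spf, dkim, service))
    return buckets
```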
Report Parsing Tools
Don't read raw XML. Use:
- dmarcian (free tier available) — best visualization
- Postmark DMARC (free weekly digest) — simplest setup
- EasyDMARC — good for beginners
- DMARC Analyzer — enterprise features
Step 3: Fix Authentication Gaps
For every legitimate service you find in reports that's failing authentication:
- Add to SPF if their IP isn't included
- Configure DKIM if they support custom DKIM signing
- Verify alignment: the domain that passed SPF (the envelope MAIL FROM / Return-Path) or DKIM (the d= tag in the signature) must match the header From: domain, otherwise DMARC still fails even though SPF or DKIM passed
Common services people forget to authorize:
- Helpdesk systems (Zendesk, Freshdesk)
- Billing/invoicing (Stripe, QuickBooks)
- Booking systems (Calendly, Acuity)
- Form processors (Typeform, Jotform)
- Project management tools that send notifications
- GoHighLevel or other CRM/automation platforms
Step 4: Advance to p=quarantine
Once all legitimate senders pass authentication (2-4 weeks of clean reports), update your DMARC record:
v=DMARC1; p=quarantine; pct=25; rua=mailto:[email protected]
The pct=25 means only 25% of failing messages get quarantined; the remaining 75% are handled as if the policy were still p=none. This is a safety net.
- Weeks 1-2: Monitor at pct=25. Any legitimate email getting quarantined? Fix it.
- Week 3: Increase to pct=50.
- Week 4: Increase to pct=100.
Step 5: Advance to p=reject
After 2-4 weeks at p=quarantine with pct=100 and no legitimate email issues:
v=DMARC1; p=reject; rua=mailto:[email protected]
You're now fully protected. Unauthorized email using your domain will be rejected entirely.
The Timeline
| Week | Action | DMARC Policy |
|---|---|---|
| 1-4 | Monitor, identify all senders, fix auth gaps | p=none |
| 5-6 | Quarantine 25% of failures | p=quarantine; pct=25 |
| 7-8 | Quarantine 50%, then 100% | p=quarantine; pct=50-100 |
| 9+ | Reject all unauthorized email | p=reject |
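The schedule in the table, as an added Python example (not the author's tooling): it parses a DMARC TXT record, validates the basics, and emits the record for the next stage of the rollout. The stage list mirrors this guide; the rua= requirement is this guide's rule, not an RFC requirement.

```python
"""Parse a DMARC TXT record and produce the record for the next stage of the table above."""

# (p, pct) stages in the order this guide advances them.
STAGES = [("none", 100), ("quarantine", 25), ("quarantine", 50),
          ("quarantine", 100), ("reject", 100)]
POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}

def parse_dmarc(txt):
    """Split 'v=DMARC1; p=none; rua=...' into a dict of tags, validating the basics."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if next(iter(tags), None) != "v" or tags["v"] != "DMARC1":
        raise ValueError("record must begin with v=DMARC1")
    if tags.get("p") not in POLICY_RANK:
        raise ValueError("p= must be none, quarantine or reject")
    pct = int(tags.get("pct", "100"))  # RFC 7489: pct defaults to 100 when absent
    if not 0 <= pct <= 100:
        raise ValueError("pct= must be between 0 and 100")
    tags["pct"] = pct
    return tags

def render(tags):
    """Serialise tags back to a record; pct=100 is the default and is left out."""
    parts = ["v=DMARC1", f"p={tags['p']}"]
    if tags["pct"] < 100:
        parts.append(f"pct={tags['pct']}")
    parts += [f"{k}={v}" for k, v in tags.items() if k not in ("v", "p", "pct")]
    return "; ".join(parts)

def next_record(txt):
    """Return the record for the next stage, or None once p=reject is reached."""
    tags = parse_dmarc(txt)
    if "rua" not in tags:  # this guide's rule: every stage is driven by aggregate reports
        raise ValueError("add rua= before advancing; you need the aggregate reports")
    # pct is meaningless at p=none, so any p=none record counts as the first stage.
    current = (POLICY_RANK[tags["p"]], 100 if tags["p"] == "none" else tags["pct"])
    for p, pct in STAGES:
        if (POLICY_RANK[p], pct) > current:
            tags.update(p=p, pct=pct)
            return render(tags)
    return None
```

A record with an off-schedule sampling rate (say pct=30) is advanced to the next listed stage above it, not to the next arithmetic step.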
Practitioner note: The most dangerous moment is moving to p=quarantine. That's when you discover the invoice system nobody told you about, or the booking tool the sales team installed six months ago. Check your reports thoroughly before advancing.
Practitioner note: Forensic reports (ruf=) are almost useless in practice. Very few providers send them. Don't worry about setting up ruf — focus on rua aggregate reports.
If you'd rather have DMARC configured correctly the first time without the risk of breaking legitimate email, schedule a consultation — I handle DMARC advancement for businesses that can't afford email disruptions.
Sources
- RFC 7489: Domain-based Message Authentication (DMARC)
- Google: DMARC Setup
- dmarcian: DMARC Guide
v1.0 · March 2026
Frequently Asked Questions
What DMARC record should I start with?
Start with: v=DMARC1; p=none; rua=mailto:[email protected] — This monitors all authentication results without taking any action on failures. Never start with p=reject.
How do I read DMARC aggregate reports?
Raw DMARC reports are XML files sent daily by receiving servers. Use a parser like dmarcian (free tier), Postmark's free DMARC monitoring, or DMARC Analyzer. They show which IPs and services send email for your domain and whether authentication passes or fails.
How long should I stay at p=none?
Minimum 2 weeks, ideally 4 weeks. You need enough data to identify every service that sends email for your domain. Common surprise senders: CRM, billing system, helpdesk, website forms, third-party booking tools.
What's the difference between p=quarantine and p=reject?
p=quarantine tells receiving servers to send authentication failures to spam. Recipients can still find the email. p=reject tells receiving servers to reject the message entirely — it never arrives. Use quarantine as a middle step to catch any remaining issues before reject.
Do I need DMARC for subdomains?
By default, subdomains inherit the policy published in your organizational domain's DMARC record; the sp= tag lets you set a different policy for subdomains. If a subdomain sends email (e.g., marketing.yourdomain.com), ensure it has proper SPF and DKIM. You can set a separate subdomain policy with sp=none, sp=quarantine, or sp=reject.
Want this handled for you?
Free 30-minute strategy call. Walk away with a plan either way.