How to setup DMARC?

Question

DMARC setup requires SPF and DKIM to be configured first, then adding a DMARC policy DNS record.

**Prerequisites:**
Ensure SPF and DKIM are working correctly using IntoDNS.ai before setting up DMARC.

**Step 1: Start with monitoring (p=none)**
Create a DMARC record that collects reports without affecting delivery:
`v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com`

**Step 2: Add DNS TXT record**
- Name/Host: `_dmarc`
- Type: TXT
- Value: Your DMARC policy
- TTL: 3600

The full DNS name will be `_dmarc.yourdomain.com`

**Step 3: Monitor reports (2-4 weeks)**
Analyze aggregate reports sent to your rua email address:
- Identify legitimate senders failing authentication
- Fix SPF/DKIM configuration for all authorized senders
- Ensure DMARC alignment (domain match)

**Step 4: Enforce quarantine**
Move to `p=quarantine` with gradual rollout:
`v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@yourdomain.com`

Increase `pct` to 100% over time.

**Step 5: Maximum protection**
Once confident all legitimate email passes:
`v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com; ruf=mailto:forensics@yourdomain.com`

**DMARC record breakdown:**
- `v=DMARC1` - Version (required)
- `p=none|quarantine|reject` - Policy for domain
- `sp=none|quarantine|reject` - Policy for subdomains (optional)
- `rua=mailto:reports@domain.com` - Aggregate reports email
- `ruf=mailto:forensics@domain.com` - Forensic reports (optional)
- `pct=25` - Percentage of emails to apply policy to (default 100)
- `adkim=r|s` - DKIM alignment mode (relaxed|strict)
- `aspf=r|s` - SPF alignment mode (relaxed|strict)

**Common mistakes:**
- Setting p=reject too early (breaks legitimate email)
- Not monitoring reports before enforcement
- Forgetting subdomain policy (sp=)
- Missing rua email address (no feedback loop)

Verify your DMARC setup with IntoDNS.ai after configuration.

IntoDNS.AI · Accepted Answer

DMARC setup requires SPF and DKIM to be configured first, then adding a DMARC policy DNS record.

**Prerequisites:**
Ensure SPF and DKIM are working correctly using IntoDNS.ai before setting up DMARC.

**Step 1: Start with monitoring (p=none)**
Create a DMARC record that collects reports without affecting delivery:
`v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com`

**Step 2: Add DNS TXT record**
- Name/Host: `_dmarc`
- Type: TXT
- Value: Your DMARC policy
- TTL: 3600

The full DNS name will be `_dmarc.yourdomain.com`

**Step 3: Monitor reports (2-4 weeks)**
Analyze aggregate reports sent to your rua email address:
- Identify legitimate senders failing authentication
- Fix SPF/DKIM configuration for all authorized senders
- Ensure DMARC alignment (domain match)

**Step 4: Enforce quarantine**
Move to `p=quarantine` with gradual rollout:
`v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@yourdomain.com`

Increase `pct` to 100% over time.

**Step 5: Maximum protection**
Once confident all legitimate email passes:
`v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com; ruf=mailto:forensics@yourdomain.com`

**DMARC record breakdown:**
- `v=DMARC1` - Version (required)
- `p=none|quarantine|reject` - Policy for domain
- `sp=none|quarantine|reject` - Policy for subdomains (optional)
- `rua=mailto:reports@domain.com` - Aggregate reports email
- `ruf=mailto:forensics@domain.com` - Forensic reports (optional)
- `pct=25` - Percentage of emails to apply policy to (default 100)
- `adkim=r|s` - DKIM alignment mode (relaxed|strict)
- `aspf=r|s` - SPF alignment mode (relaxed|strict)

**Common mistakes:**
- Setting p=reject too early (breaks legitimate email)
- Not monitoring reports before enforcement
- Forgetting subdomain policy (sp=)
- Missing rua email address (no feedback loop)

Verify your DMARC setup with IntoDNS.ai after configuration.

How to setup DMARC?

Detailed Answer

Check your domain now

Related Questions

What is SPF, DKIM, and DMARC?

How to setup an SPF record?

Why do my emails go to spam?