What you'll learn
- What DMARC is and why it's essential for email security
- How to create your first DMARC record
- Step-by-step DNS configuration instructions
- How to verify your DMARC setup is working
- Best practices for DMARC policy progression
What is DMARC?
DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an email authentication protocol that protects your domain from being used in email spoofing, phishing, and other abuse.
Think of DMARC as a security policy for your domain that tells receiving mail providers (Gmail, Outlook, etc.) what to do with a message that claims to be from your domain but fails authentication: that is, it passes neither SPF nor DKIM with a domain aligned to the visible From: address. DMARC also asks those receivers to send you reports, so you can see who is sending mail as your domain.
Prerequisites
Before setting up DMARC, you need:
- SPF record - Specifies which servers may send email for your domain
- DKIM record - Publishes the public key used to verify the digital signature added to your emails (DMARC needs at least one of SPF or DKIM to pass with an aligned domain)
- DNS access - Ability to add TXT records to your domain's DNS
Step 1: Create Your DMARC Record
A DMARC record is a TXT record added to your DNS. Here's the basic format:
v=DMARC1; p=none; rua=mailto:[email protected]
Breaking it down:
- v=DMARC1 - Version identifier (required, and must be the first tag)
- p=none - Policy: monitoring only, no action taken
- rua=mailto:[email protected] - Where receivers should send aggregate reports
Recommended Starting Configuration
For your first DMARC record, use this configuration:
v=DMARC1; p=none; rua=mailto:[email protected]; pct=100; adkim=r; aspf=r
This configuration:
- Applies the policy to all failing mail (pct=100), and since the policy is none, takes no action on it
- Asks receivers to send aggregate reports (by default once a day) to the rua address
- Uses relaxed alignment (adkim=r, aspf=r), so subdomains of your domain count as aligned, which makes initial setup easier
- Lets you identify every source sending email on your behalf before you enforce anything
Step 2: Add DMARC Record to DNS
Add your DMARC record as a TXT record at the hostname _dmarc.yourdomain.com:
DNS Provider Instructions
The exact steps vary by provider, but generally:
- Log in to your DNS provider (GoDaddy, Cloudflare, Route53, etc.)
- Navigate to your domain's DNS settings
- Add a new TXT record
- Enter _dmarc as the hostname/name (most providers append your domain automatically, giving _dmarc.yourdomain.com)
- Paste your DMARC record as the value
- Save the changes
DNS Propagation Time
DNS changes can take up to 48 hours to propagate globally, depending on the record's TTL and resolver caching, though most providers update within 15-30 minutes.
Step 3: Verify Your DMARC Record
After adding your DMARC record, verify it's working correctly: query the TXT record at _dmarc.yourdomain.com with a DNS lookup tool (for example, dig +short TXT _dmarc.yourdomain.com) and confirm the complete record is returned, starting with v=DMARC1.
Step 4: Policy Progression
After monitoring for 2-4 weeks and fixing any issues (legitimate senders that fail SPF, DKIM, or alignment), gradually strengthen your policy:
p=none (Week 1-4)
Monitor mode - collect reports, no action taken on failed emails
p=quarantine (Week 5-8)
Receivers are asked to treat failed emails as suspicious, typically delivering them to the spam folder - still deliverable but marked
p=reject (Week 9+)
Failed emails are rejected outright - strongest protection
You can also use pct to ramp up gradually within a stage (for example, pct=25 applies quarantine to a quarter of failing messages), raising it toward 100 as reports stay clean.
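The following is an added example, not code from the original page, that ties Steps 1, 3 and 4 together: it parses a DMARC TXT record, flags the mistakes the troubleshooting section warns about (wrong tag order, bad pct, a rua address without mailto:), and advances the p= policy one step along none, quarantine, reject. The addresses and record strings (dmarc@example.com, reports.example.net) are constructed for illustration. It also checks one caveat the page does not cover: if rua points at a mailbox on another domain, that domain must publish an authorization record at yourdomain.com._report._dmarc.otherdomain.com or receivers will not send reports there.

```python
"""Sanity-check a DMARC TXT record and step its policy forward.

Added example, not from the original page. Record strings and addresses
(dmarc@example.com, reports.example.net) are constructed for illustration.
To check a published record, fetch it first, for example with
`dig +short TXT _dmarc.example.com`, and pass the quoted string in.
"""
import re

VALID_POLICIES = {"none", "quarantine", "reject"}
VALID_ALIGNMENT = {"r", "s"}


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict keyed by lower-cased tag name."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag (no '='): {part!r}")
        name, value = part.split("=", 1)
        tags[name.strip().lower()] = value.strip()
    return tags


def validate_dmarc(record: str, domain: str) -> list:
    """Return a list of problems; an empty list means the record looks sound.

    `domain` is the domain the record is published under (_dmarc.<domain>);
    it is used to spot report addresses hosted at some other domain.
    """
    problems = []
    tags = parse_dmarc(record)

    # v=DMARC1 must be the first tag, exactly.
    first = record.strip().split(";", 1)[0].replace(" ", "").lower()
    if first != "v=dmarc1":
        problems.append("record must begin with v=DMARC1")

    # p= is the only other required tag.
    if "p" not in tags:
        problems.append("p= (policy) tag is required")
    elif tags["p"].lower() not in VALID_POLICIES:
        problems.append(f"unknown policy: p={tags['p']!r}")
    if "sp" in tags and tags["sp"].lower() not in VALID_POLICIES:
        problems.append(f"unknown subdomain policy: sp={tags['sp']!r}")

    # pct= is the percentage of failing messages the policy applies to.
    if "pct" in tags and not (tags["pct"].isdigit() and 0 <= int(tags["pct"]) <= 100):
        problems.append(f"pct= must be an integer 0-100, got {tags['pct']!r}")

    for tag in ("adkim", "aspf"):
        if tag in tags and tags[tag].lower() not in VALID_ALIGNMENT:
            problems.append(f"{tag}= must be r (relaxed) or s (strict), got {tags[tag]!r}")

    # Report URIs must be mailto:. A destination at another domain only works
    # if that domain publishes <domain>._report._dmarc.<dest-domain>.
    for tag in ("rua", "ruf"):
        for uri in tags.get(tag, "").split(","):
            uri = uri.strip()
            if not uri:
                continue
            if not uri.lower().startswith("mailto:"):
                problems.append(f"{tag}= URI must use the mailto: scheme: {uri!r}")
                continue
            address = uri[len("mailto:"):].split("!", 1)[0]  # drop optional size limit
            if "@" not in address:
                problems.append(f"{tag}= value is not an email address: {address!r}")
                continue
            dest = address.rsplit("@", 1)[1].lower()
            if dest != domain.lower():
                problems.append(
                    f"{tag}= sends reports to {dest}; it must publish a TXT record at "
                    f"{domain}._report._dmarc.{dest} or receivers will drop the reports"
                )

    if "rua" not in tags:
        problems.append("no rua= tag: you will receive no aggregate reports")
    return problems


def strengthen_policy(record: str) -> str:
    """Advance p= one step along none -> quarantine -> reject; other tags are untouched."""
    current = parse_dmarc(record).get("p", "").lower()
    nxt = {"none": "quarantine", "quarantine": "reject", "reject": "reject"}[current]
    # \b keeps this from touching sp= or pct=.
    return re.sub(r"(?i)\bp=\s*\w+", f"p={nxt}", record, count=1)


if __name__ == "__main__":
    start = "v=DMARC1; p=none; rua=mailto:dmarc@example.com; pct=100; adkim=r; aspf=r"
    print("problems:", validate_dmarc(start, "example.com"))
    print("week 5:", strengthen_policy(start))
    print("week 9:", strengthen_policy(strengthen_policy(start)))
```

Run the validator against the record you intend to publish before touching DNS, then again on the string dig returns after propagation; the two should match and both should come back with no problems. The external-destination check matters more than it looks: sending rua to a reporting vendor is common, and a missing _report._dmarc authorization record is a frequent cause of "not receiving reports".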
Common DMARC Tags
| Tag | Purpose | Example |
|---|---|---|
| v | Protocol version (required, must be the first tag) | v=DMARC1 |
| p | Policy for the domain | p=reject |
| rua | Address for aggregate reports | rua=mailto:[email protected] |
| pct | Percentage of failing messages the policy is applied to | pct=25 |
| adkim | DKIM alignment mode: r (relaxed) or s (strict) | adkim=r |
| aspf | SPF alignment mode: r (relaxed) or s (strict) | aspf=r |
Troubleshooting
DMARC Record Not Found
- Wait 15-30 minutes for DNS propagation
- Verify the hostname is exactly _dmarc.yourdomain.com
- Check that it's a TXT record, not another type
- Ensure there are no typos in the record
Not Receiving Reports
- Verify the email address in rua is correct and uses the mailto: prefix
- Check the spam folder for DMARC reports
- Reports are sent daily - wait 24-48 hours
- Ensure your mailbox accepts the compressed XML attachments (.zip or .gz) that reports arrive as
- If rua points at a different domain, that domain must publish a TXT record at yourdomain.com._report._dmarc.otherdomain.com authorizing the reports