
How to Set Up DMARC

DMARC turns SPF and DKIM into a real defense and shows you who sends as your domain. Here is how to set it up from scratch and advance it safely.

Jul 3, 2026 · 5 min read

DMARC is the record that turns SPF and DKIM into a real defense against spoofing. It tells receivers what to do with mail that fails your checks, and it gives you reports on who is sending as your domain. Here is how to set it up from scratch.

Step 1: make sure SPF and DKIM are live

DMARC builds on the other two. Publish SPF and DKIM first, or DMARC has nothing to enforce.

Step 2: publish a monitoring record

Start in monitoring mode so you can watch before you enforce. Add a TXT record at _dmarc.yourdomain.com:

v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com

  • p=none means take no action yet, just report.
  • rua= is the address that receives the daily aggregate reports. This is where your visibility comes from.

Step 3: read the reports

Mailbox providers send XML reports to your rua address showing every source sending as your domain, and whether it passed SPF, DKIM and alignment. Use them to confirm your legitimate senders all pass before you tighten the policy.

Step 4: advance the policy

Once your real senders pass cleanly, move from p=none to p=quarantine and finally p=reject. Do it in stages. See the related guide on moving from p=none to reject safely.

Step 5: verify

Scan your domain to confirm the record parses, has a policy, and includes a rua address for reporting.
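
To make steps 3 and 4 concrete, here is an added example (not SPFWise's code) that reads an aggregate report and lists the sources a stricter policy would affect. The element names follow the RFC 7489 aggregate report schema; the sample report, its IP addresses and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample report (documentation IPs, example.com). Real reports
# arrive as gzip/zip attachments sent by mailbox providers to the rua address.
SAMPLE_REPORT = """<feedback>
  <report_metadata><org_name>receiver.example</org_name></report_metadata>
  <policy_published><domain>example.com</domain><p>none</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>40</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row></record>
  <record><row><source_ip>203.0.113.99</source_ip><count>15</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
  <record><row><source_ip>203.0.113.99</source_ip><count>5</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>"""

def summarize(report_xml):
    """Return {source_ip: {"pass": n, "fail": n}}, counted in messages."""
    # Reports come from third parties: cap attachment size and use a hardened
    # XML parser (e.g. defusedxml) before feeding real reports to this.
    root = ET.fromstring(report_xml)
    totals = defaultdict(lambda: {"pass": 0, "fail": 0})
    for row in root.iterfind("record/row"):
        ip = row.findtext("source_ip", "").strip()
        count = int(row.findtext("count", "0"))
        # policy_evaluated holds the aligned results; DMARC passes when
        # either aligned DKIM or aligned SPF passes.
        dkim = row.findtext("policy_evaluated/dkim", "").strip().lower()
        spf = row.findtext("policy_evaluated/spf", "").strip().lower()
        totals[ip]["pass" if "pass" in (dkim, spf) else "fail"] += count
    return dict(totals)

def failing_sources(report_xml):
    """Sources with DMARC-failing mail: what quarantine/reject would act on."""
    return sorted(ip for ip, t in summarize(report_xml).items() if t["fail"])

if __name__ == "__main__":
    for ip, t in sorted(summarize(SAMPLE_REPORT).items()):
        print(f"{ip:15} pass={t['pass']:<5} fail={t['fail']}")
    print("Investigate before tightening p=:", failing_sources(SAMPLE_REPORT))
```

A source in the failing list is either a legitimate sender that still needs SPF or DKIM alignment fixed, or someone spoofing the domain; only the first kind should hold up the move to p=quarantine.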
