DMARC Setup Guide: How to Configure DMARC in 2025 (Without Breaking Email)
by
Reading Time: 8 min
Only 53.8% of companies around the world have a DMARC setup on their domain, leaving the rest vulnerable to email-based threats.
Email authentication is your first line of defense. DMARC, SPF, and DKIM are email authentication protocols that help prevent spoofing and phishing attacks. SPF ensures only authorized IPs can send on your behalf, DKIM adds a digital signature to verify message integrity, and DMARC builds on both to instruct receiving servers how to handle emails that fail these checks. Without DMARC, even domains with SPF and DKIM can still be spoofed.
Skip the hassle, set up DMARC in a few minutes using PowerDMARC and protect your domain today!
Key Takeaways
- DMARC setup, relying on SPF/DKIM, protects against email spoofing, phishing, and safeguards domain reputation.
- A DMARC record in DNS defines handling policies (`none`, `quarantine`, `reject`) for unauthorized emails.
- Correct DMARC record format (e.g., mandatory `v=DMARC1`, `p=policy` tags) is crucial for effective operation and avoiding delivery issues.
- Enabling DMARC reporting (`rua`, `ruf`) provides valuable insights into email flows and authentication results for monitoring.
- Regular verification using tools ensures correct configuration, while `p=reject` offers maximum protection.
Prerequisites for DMARC Setup
Before we jump to the DMARC setup process, ensure you have the following in place:
- Access to your DNS management console: This is essential for creating and publishing DNS records.
- List of Authorized Email Senders: Identify all the services and servers that send emails on your behalf to avoid unintentional blocking.
- Existing SPF and/or DKIM record in your DNS: At least one of these records should already be configured in your DNS, as DMARC relies on them for email authentication. SPF (Sender Policy Framework) tells the receiving server what domain it should expect the email to come from, while DKIM (DomainKeys Identified Mail) is a method of digitally signing your emails to verify the authenticity of the sender.
Warning: If you are skipping SPF/DKIM, DMARC won’t work. Make sure you have properly configured either or preferably both before moving on to the next steps.
Step-by-Step DMARC Setup
To kick-start your DMARC DNS setup, follow the setup steps given below:
Step 1: Create the DMARC record
You start by creating a DNS TXT record that defines your policy and establishes the implementation. This record is added to your domain’s DNS zone file.
To create a free record, use our DMARC generator tool as shown in the screenshot above. Once you open the tool screen, there will be some mandatory criteria that you need to fill in.
Simplify DMARC Setup with PowerDMARC!
Step 2: Choose a suitable DMARC policy for your emails
The p= policy tag is a mandatory tag that needs to be configured in your DMARC setup. If you skip this, your record will be invalid.
Step 3: Enable Reporting and Click “Generate”
To monitor your mailflow and authentication results, configure DMARC aggregate reports (rua) by defining an email address where you wish to receive your reports. Finally, hit the “Generate” button.
Step 4: Publish and Validate the Record Setup
Once you are done creating the TXT record, use the “copy” button to directly copy the syntax and then head over to your DNS management console.
- Create a new TXT record.
- In the Host/Name field, enter `_dmarc` (or `_dmarc.yourdomain.com`, depending on your DNS provider).
- In the Value/Data field, paste the DMARC record syntax you generated.
- Save the record to publish it on your DNS and finish your DMARC setup.
Read our detailed guide on how to publish a DMARC record on your DNS to learn more. DNS changes can take up to 48 hours to propagate, depending on your provider.
Verifying Your DMARC Setup
After you have set up DMARC, you must verify your configurations to make sure you don’t run into the very common “No DMARC record found” error.
To verify your setup, you can use PowerDMARC’s DMARC checker tool for free. To use it:
- Enter your domain name in the destination box (i.e. if your website URL is https://company.com your domain name will be company.com)
- Click on the “Lookup” button
- See your results displayed on the screen
We would recommend this verification method as an alternative to manual verification for a quicker, more accurate, and hassle-free experience.
Advanced DAMRC Configuration Tips
Once you’ve completed your basic setup, here are some advanced tips to improve your implementation:
DMARC Policies Explained (Which to Choose?)
To prevent your emails from getting spoofed, you need to configure a DMARC policy. You can choose from three main policies:
- None (p=none): No action is taken on emails that fail DMARC authentication. This is ideal for monitoring email traffic during initial setup.
- Quarantine (p=quarantine): Failed emails are marked as suspicious and sent to the spam/junk folders.
- Reject (p=reject): Failed emails are blocked and not delivered at all.
Note: Choose a “none” policy to monitor your emails before committing to full enforcement (p=quarantine or p=reject).
Alignment Modes (Strict Vs Relaxed)
- Relaxed Alignment
SPF Relaxed Alignment: Passes if the domain in the Return-Path (SPF-authenticated domain) shares the same organizational domain as the domain in the From address.
Example:
aspf=r;
From: [email protected]
Return-Path: [email protected]
Passes relaxed SPF alignment because both share the organizational domain example.com.
DKIM Relaxed Alignment: Passes if the d= domain in the DKIM signature shares the same organizational domain as the domain in the From address.
Example:
adkim=r;
From: [email protected]
DKIM-Signature: d=alerts.example.com
Passes relaxed DKIM alignment (same organizational domain: example.com).
- Strict Alignment
SPF Relaxed Alignment: Passes if the domain in the Return-Path (SPF-authenticated domain) is an exact match to the domain in the From address (not just an organizational match).
Example:
aspf=s;
From: [email protected]
Return-Path: [email protected]
Passes strict SPF alignment because both share the domain example.com. If Return-Path was bounce.mail.example.com, strict alignment would fail.
DKIM Relaxed Alignment: Passes if the d= domain in the DKIM signature is an exact match to the domain in the From address.
Example:
adkim=s;
From: [email protected]
DKIM-Signature: d=alerts.example.com
Passes strict DKIM alignment (same domain: example.com). If d=domain was bounce.mail.example.com, strict alignment would fail.
DMARC Setup Example
Here is an example of a simple DMARC setup:
v=DMARC1; p=reject; rua=mailto:[email protected];
Note: While beginning your email authentication journey, you can keep your DMARC policy (p) at none instead of reject, to monitor your email flow and resolve issues before shifting to a strict policy.
DMARC Record Syntax & Optional Tags
The syntax of your DMARC setup determines how your emails will be authenticated and the actions to be taken post-verification. Let’s explore some primary mechanisms:
- v (mandatory): Specifies the DMARC version. Must be DMARC1 and appear first in the record.
- p (mandatory): Defines the policy for DMARC failures (none, quarantine, or reject).
- rua (optional): Specifies email address(es) to receive aggregate reports using mailto: format.
- ruf (optional): Specifies email address(es) to receive forensic failure reports using mailto: format.
- adkim (optional): Sets DKIM alignment mode to r (relaxed) or s (strict). Default mode is relaxed, if not defined.
- aspf (optional): Sets SPF alignment mode to r (relaxed) or s (strict). Default mode is relaxed, if not defined.
- pct (optional): Defines the percentage of failing emails subject to the DMARC policy (default is 100).
- fo (optional): Controls when forensic reports are sent. Options include 0, 1, d, and s.
You can explore more in our detailed blog on DMARC tags. Ensure tags are separated by semicolons and there are no excess spaces to maintain correct formatting.
Post DMARC Setup: What to Do Next?
Following a successful DMARC setup, it’s important to continuously monitor your reports, gradually transition to enforcement and troubleshoot errors along the way.
How to Read DMARC Reports?
Given above is a small snippet from a DMARC RUA report. To analyze it manually:
- Examine the <domain> and <source_ip> fields to verify your sending sources
- Check the <adkim> and <aspf> fields to confirm the alignment mode configured for your domain.
- Check your DMARC policy in the <p> field
- Check your email authentication results (pass/fail) by checking the <policy_evaluated> sections of the report.
Use a DMARC Report Analyzer
To view and analyze your DMARC reports easily without the hassle of reading complex XML files, sign up with PowerDMARC. Our DMARC report analyzer helps you visualize reports in a human readable format for granular visibility.
Transitioning to p=reject Safely
When setting up DMARC, it’s important to safely transition to a p=reject policy to prevent deliverability issues. To do so:
- Start with p=none and enable DMARC reporting to monitor email traffic.
- After a few weeks, move to p=quarantine, enforcing it for 50% of your email volume (using pct=50 tag).
- Slowly enforce it for 100% of your mail volume by configuring pct=100 (or leave default).
- Only once confident with your setup, move to p=reject for 50% of your mail volume (pct=50).
- Once satisfied with your configuration, enforce p=reject for 100% of your mail volume (pct=100).
Pro tip: Use our Hosted DMARC solution to safely move to enforced policies along with expert supoort.
Troubleshooting Common Issues in DMARC configurations
| Problems | Causes | Fixes |
|---|---|---|
| Emails Failing DMARC | - SPF/DKIM misalignment - Email forwarding - Spoofing attempts - Syntax errors | - Use managed DMARC solutions - Configure both SPF and DKIM with your DMARC setup - Check your DNS records using DNS record checker tools - Monitor your reports |
| No Reports Received | - Invalid RUA email - Receipient email provider doesn’t support RUF reporting | - Make sure your RUA mail is valid and active |
| SPF Permerror | - Exceeding the 10 DNS lookup limit - Exceeding SPF record the character length limit - SPF syntax & other configuration errors | - Used Hosted SPF solutions - Use SPF optimization services like flattening or preferably Macros. |
How PowerDMARC Simplifies Setting up DMARC
| Feature | PowerDMARC | DIY Setup |
|---|---|---|
| Automated Reports | ✅ Yes | ❌ Manual parsing |
| MTA-STS Monitoring | ✅ Included | ❌ Extra setup |
| Hosted SPF, DKIM, and DMARC | ✅ Fully hosted | ❌ Self-managed |
| DNS Configuration Help | ✅ Built-in wizard | ❌ Manual configuration |
| Aggregate Report Viewer | ✅ Visual dashboard | ❌ Raw XML reports |
| Forensic Report Handling | ✅ PGP Encryption | ❌ Needs custom parser |
| Alerts | ✅ Real-time alerts | ❌ No native alerting |
| BIMI Support | ✅ Available | ❌ Complex manual setup |
| Domain Grouping | ✅ Easy grouping | ❌ Not supported |
| User Access Management | ✅ Role-based control | ❌ Manual coordination |
Case Study: How The Fatty Liver Foundation Simplified Enterprise DMARC Setup with PowerDMARC
“The toolset offered by PowerDMARC was user-friendly and took over the configuration tasks for functions like DMARC and DKIM in a very intuitive way.” – Wayne Eskridge, CEO, Fatty Liver Foundation
To read the full story of how this US-based non-profit enterprise simplified DMARC setup and management, view our case study.
DMARC Setup FAQs
- Can I setup DMARC without DKIM or SPF?
No. DMARC relies on the results of either SPF or DKIM authentication checks (or both). You need to configure at least one of these protocols (SPF or DKIM) for your domain before implementing DMARC.
- How often should I check DMARC reports?
The frequency of your monitoring depends on several factors:
- If you are a large enterprise, an MSSP managing email security for your clients, are in the initial phases of rollout, or have recently enforced your DMARC policy, we recommend that you check your reports regularly.
- Once things are stable, you can resort to reviewing reports weekly paying special attention when new sending sources are added.
Cybersecurity Expert, CEO at PowerDMARC
Maitham is a tech entrepreneur, cybersecurity expert, CEO and Founder of PowerDMARC with 15+ years of industry experience. Maitham holds a Global MBA from the University of Manchester and various professional certifications including CISSP, CISM, CRISC, and ISC2 CCSP.
Latest posts by Maitham Al Lawati (see all)
- How to Create and Publish a DMARC Record - March 3, 2025
- How to Fix “No SPF record found” in 2025 - January 21, 2025
- How to Read a DMARC Report - January 19, 2025
