How to Setup DMARC: Step-by-Step Configuration Guide

Only 53.8% of companies worldwide have DMARC configured on their domain, which means nearly half operate without a critical layer of protection against email-based attacks. Many organizations still search for how to setup DMARC, unaware that the absence of this protocol creates an easy entry point for spoofing and phishing attempts.

Email authentication sits at the core of domain security. SPF, DKIM, and DMARC work together to verify who is allowed to send mail from your domain and how suspicious messages should be handled. SPF authorizes specific sending IPs, DKIM applies a cryptographic signature that proves message integrity, and DMARC uses both to enforce policy and guide receiving servers on what to do if a message fails authentication. Even with SPF and DKIM in place, a domain without DMARC remains exposed because there is no instruction for how failed messages should be treated.

Prerequisites for DMARC Setup

Before we jump to the DMARC setup process, ensure you have the following in place:

1. Access to your DNS management console: This is essential for creating and publishing DNS records.
2. List of Authorized Email Senders: Identify all the services and servers that send emails on your behalf to avoid unintentional blocking.
3. Existing SPF and/or DKIM record in your DNS: At least one of these records should already be configured in your DNS, as DMARC relies on them for email authentication. SPF (Sender Policy Framework) tells the receiving server what domain it should expect the email to come from, while DKIM (DomainKeys Identified Mail) is a method of digitally signing your emails to verify the authenticity of the sender.

Warning: If you are skipping SPF/DKIM, DMARC won’t work. Make sure you have properly configured either or preferably both before moving on to the next steps. 

How to Setup DMARC Step-by-Step

To generate this record for free, use our DMARC generator tool as shown in the screenshot above. Once you open the tool, you’ll see required fields that you need to complete before the record can be created.

To start your DMARC DNS setup, follow the steps outlined below.

Step 1: Create the DMARC record

You begin by creating a DNS TXT record that contains your DMARC policy and activates the protocol on your domain. A DNS TXT record is a simple text entry in your domain’s DNS settings that stores important information for external servers, such as email authentication instructions. When added to your domain’s DNS zone file, it tells receiving mail servers how to handle messages that claim to come from your domain.

To generate this record for free, use our DMARC generator tool as shown in the screenshot above. Once you open the tool, you’ll see required fields that you need to complete before the record can be created.

Read how Jordi Altimira (Head of Technical Implementation & Client Success at Pablo Herreros) achieved a 100% domain security score with PowerDMARC.

Read Case Study Start 15-day trial

Step 2: Choose a suitable DMARC policy for your emails

The p= policy tag is a required part of every DMARC record. It tells receiving mail servers what to do with emails that fail SPF and DKIM checks. If this tag is missing, your DMARC record becomes invalid and won’t be enforced.

Step 3: Enable reporting and click “Generate” 

To track your mail flow and authentication results, enable DMARC aggregate reports (rua) by specifying the email address where you want to receive them. DMARC aggregate reports are daily XML summaries sent by inbox providers that show which servers are sending mail on your behalf, how those messages performed against SPF and DKIM, and whether any unauthorized sources attempted to use your domain. After entering your reporting address, click “Generate” to create your record.

Step 4: Publish and validate the record setup

Once you’ve created the TXT record, click the “copy” button to copy the full syntax, then open your DNS management console.

Create a new TXT record.

-In the Host/Name field, enter _dmarc (or _dmarc.yourdomain.com, depending on your DNS provider).

-In the Value/Data field, paste the DMARC record syntax you generated.

-Save the record to publish it and complete your DMARC setup.

For more details, read our full guide on publishing a DMARC record in DNS. Keep in mind that DNS updates may take up to 48 hours to fully propagate.

Verifying Your DMARC Setup

After you have set up DMARC, you must verify your configurations to make sure you don’t run into the very common “No DMARC record found” error.

To verify your setup, you can use PowerDMARC’s DMARC checker tool for free. To use it:

1. Enter your domain name in the destination box (i.e. if your website URL is https://company.com your domain name will be company.com)
2. Click on the “Lookup” button
3. See your results displayed on the screen

We would recommend this verification method as an alternative to manual verification for a quicker, more accurate, and hassle-free experience.

Advanced DAMRC Configuration Tips

Once you’ve completed your basic setup, here are some advanced tips to improve your implementation:

DMARC Policies Explained (Which to Choose?)

To prevent your emails from getting spoofed, you need to configure a DMARC policy. You can choose from three main policies:

• None (p=none): No action is taken on emails that fail DMARC authentication. This is ideal for monitoring email traffic during initial setup. 
• Quarantine (p=quarantine): Failed emails are marked as suspicious and sent to the spam/junk folders.
• Reject (p=reject): Failed emails are blocked and not delivered at all.

Note: Choose a “none” policy to monitor your emails before committing to full enforcement (p=quarantine or p=reject).

Alignment modes (Strict vs Relaxed)

Relaxed alignment

• SPF relaxed alignment (aspf=r):
  Alignment passes if the domain in the Return-Path (SPF-authenticated domain) shares the same organizational domain as the domain in the From address.
  The organizational domain is typically the base domain (e.g., example.com), not including subdomains.

  Example:
  From: [email protected]
  Return-Path: [email protected]
  ✔ Passes relaxed SPF alignment because both domains share the same organizational domain (example.com).

• DKIM relaxed alignment (adkim=r):
  Alignment passes if the d= domain in the DKIM signature shares the same organizational domain as the domain in the From address.

  Example:
  From: [email protected]
  DKIM-Signature: d=alerts.example.com
  ✔ Passes relaxed DKIM alignment because both share the same organizational domain (example.com).

Strict alignment

• SPF strict alignment (aspf=s):
  Alignment passes only if the Return-Path domain exactly matches the domain in the From address.

  Example:
  From: [email protected]
  Return-Path: [email protected]
  ✔ Passes strict alignment.

  ❌ If Return-Path were [email protected] or bounce.mail.example.com, strict alignment would fail.

• DKIM strict alignment (adkim=s):
  Alignment passes only if the d= domain in the DKIM signature exactly matches the domain in the From address.

  Example:
  From: [email protected]
  DKIM-Signature: d=[email protected]
  ✔ Passes strict alignment.

  ❌ If d=alerts.example.com or bounce.mail.example.com, strict alignment would fail.

DMARC setup example

Here is an example of a simple DMARC setup:

v=DMARC1; p=reject; rua=mailto:[email protected];

Note: While beginning your email authentication journey, you can keep your DMARC policy (p) at none instead of reject, to monitor your email flow and resolve issues before shifting to a strict policy.

DMARC record syntax and optional tags

The syntax of your DMARC setup determines how your emails will be authenticated and the actions to be taken post-verification. Let’s explore some primary mechanisms:

• v (mandatory): Specifies the DMARC version. Must be DMARC1 and appear first in the record.
• p (mandatory): Defines the policy for DMARC failures (none, quarantine, or reject).
• rua (optional): Specifies email address(es) to receive aggregate reports using mailto: format.
• ruf (optional):Specifies email address(es) to receive forensic failure reports using mailto: format.
• adkim (optional): Sets DKIM alignment mode to r (relaxed) or s (strict). Default mode is relaxed, if not defined. 
• aspf (optional): Sets SPF alignment mode to r (relaxed) or s (strict). Default mode is relaxed, if not defined. 
• pct (optional): Defines the percentage of failing emails subject to the DMARC policy (default is 100).
• fo (optional): Controls when forensic reports are sent. Options include 0, 1, d, and s.

You can explore more in our detailed blog on DMARC tags. Ensure tags are separated by semicolons and there are no excess spaces to maintain correct formatting.

Common DMARC Setup Mistakes to Avoid

Misconfigurations in DMARC often come down to alignment issues, syntax errors, or gaps in ongoing monitoring. One frequent problem is misaligned SPF or DKIM. DMARC requires at least one of them to align with the “From” domain. If the domains don’t match, legitimate emails can fail authentication even though the records exist. This is especially common when third-party services send on your behalf without proper configuration.

Another source of trouble is incorrect syntax in DMARC tags. Even a small formatting error, such as a missing semicolon, an unsupported tag, or an invalid value, can make the entire record unusable. Since DMARC records are read by machines, precision matters.

A separate issue occurs when organizations enforce strict policies too early. Jumping straight to p=quarantine or p=reject without first studying your aggregate reports can cause legitimate mail to be blocked. Reports provide a view of all senders using your domain, so reviewing them before tightening enforcement helps avoid accidental disruption.

Additionally, many setups fail because RUA and RUF email addresses are outdated. These reporting addresses must remain active and accessible, or you lose visibility into your authentication results. When the inbox used for reports is disabled or changed without updating the DMARC record, monitoring breaks down and issues go unnoticed.

The Bottom Line

DMARC is essential for keeping your domain, your customers, and your brand reputation safe. With the right setup and regular monitoring, it prevents impersonation, reduces phishing risks, and ensures your emails remain trusted.

And in a landscape where fraud is everywhere, a strong DMARC policy does more than block threats. It sends a clear signal that your domain treats security seriously, that you’re not leaving the door cracked open for attackers to slip through.

If you want a faster, easier, and more accurate way to manage DMARC, explore PowerDMARC. Our platform simplifies setup, delivers clear reporting, and helps you maintain strong protection across all your sending sources. Start your free trial or book a demo to secure your domain today.

Frequently Asked Questions (FAQs)

How long does it take for DMARC to start working after setup?

DMARC begins working as soon as your DNS changes propagate. This can take anywhere from a few minutes to 48 hours, depending on your provider.

Can I set up DMARC without DKIM or SPF?

You need to set up at least one (SPF or DKIM) for DMARC to work. Without either in place, DMARC has nothing to validate your emails against.

What happens if I set a DMARC policy to “reject” too early?

Legitimate emails may be blocked. Moving to a reject policy before reviewing DMARC reports can cause authorized senders to fail authentication.

• About
• Latest Posts

Maitham Al Lawati

Cybersecurity Expert, CEO at PowerDMARC

Maitham is a tech entrepreneur, cybersecurity expert, CEO and Founder of PowerDMARC with 15+ years of industry experience. Maitham holds a Global MBA from the University of Manchester and various professional certifications including CISSP, CISM, CRISC, and ISC2 CCSP.

Latest posts by Maitham Al Lawati (see all)

• Email Phishing and DMARC Statistics: 2026 Email Security Trends - January 6, 2026
• How to Fix “No SPF record found” in 2026 - January 3, 2026
• SPF Permerror: How to Fix Too Many DNS Lookups - December 24, 2025