A proper DMARC setup protects your organization from email spoofing, phishing, and other email-based cyberattacks, safeguarding your domain’s reputation. By configuring the DMARC (Domain-based Message Authentication, Reporting, and Conformance) protocol, you create a robust layer of security for your emails, ensuring they are authenticated and compliant with modern standards. It works by providing instructions to mail receiving servers on how to handle emails claiming to be from your domain. This setup process involves creating a DNS record in your domain’s DNS zone file and working with your hosting provider to publish it, making email security more accessible and manageable.
Key Takeaways
- DMARC setup, relying on SPF/DKIM, protects against email spoofing and phishing and safeguards domain reputation.
- A DMARC record in DNS defines handling policies (`none`, `quarantine`, `reject`) for unauthorized emails.
- Correct DMARC record format (e.g., mandatory `v=DMARC1`, `p=policy` tags) is crucial for effective operation and avoiding delivery issues.
- Enabling DMARC reporting (`rua`, `ruf`) provides valuable insights into email flows and authentication results for monitoring.
- Regular verification using tools ensures correct configuration, while `p=reject` offers maximum protection.
Prerequisites for Setting Up DMARC
Before we jump to the DMARC setup process, ensure you have the following in place:
- Access to your DNS management console: This is essential for creating and publishing DNS records.
- List of Authorized Email Senders: Identify all the services and servers that send emails on your behalf to avoid unintentional blocking.
- Existing SPF and/or DKIM record in your DNS: At least one of these records should already be configured in your DNS, as DMARC relies on them for email authentication. SPF (Sender Policy Framework) tells the receiving server what domain it should expect the email to come from, while DKIM (DomainKeys Identified Mail) is a method of digitally signing your emails to verify the authenticity of the sender.
How to Set Up DMARC Step-by-Step
To kick-start your DMARC DNS setup, follow the setup steps given below:
Step 1: Create the DMARC record
You start by creating a DNS TXT record that defines your policy and establishes the implementation. This record is added to your domain’s DNS zone file.
To create a free record, use our DMARC generator tool. Once you open the tool, there are some mandatory criteria that you need to fill in.
Step 2: Choose a suitable DMARC policy for your emails
The p= policy tag is a mandatory tag that needs to be configured in your DMARC setup. If you skip this, your record will be invalid.
To prevent your emails from getting spoofed, you need to configure a DMARC policy. You can choose from three main policies:
- None (p=none): This policy instructs receiving servers to take no specific action on emails that fail DMARC checks. It’s primarily used for monitoring email flow and gathering reports without impacting email delivery.
- Quarantine (p=quarantine): Emails failing DMARC checks are treated as suspicious and typically delivered to the recipient’s spam or junk folder. This allows for review before outright rejection.
- Reject (p=reject): This is the strictest policy. Emails failing DMARC authentication are rejected outright by the receiving server and are not delivered to the recipient’s inbox or spam folder.
You can choose a “none” policy if you wish to monitor your emails before committing to full enforcement (p=quarantine or p=reject).
Step 3: Enable Reporting and Click “Generate”
The rest of the criteria for a DMARC setup are not mandatory. However, you can set up alignment flexibilities for DKIM and SPF or enable DMARC reporting if you want to. RUA (aggregate) and RUF (forensic) reports can help you track your mail flow and authentication results to detect inconsistencies quickly. These reports provide valuable insights into your email authentication status and email reputation, helping you understand how your domain is being used and perceived.
Finally, click on the “generate” button to finalize your DMARC settings and finish the process of creating your record.
Step 4: Publish and Validate the Record Setup
Once you are done creating the TXT record, use the “copy” button to directly copy the syntax and then head over to your DNS management console. Create a new TXT record. In the Host/Name field, enter `_dmarc` (or `_dmarc.yourdomain.com`, depending on your DNS provider). In the Value/Data field, paste the DMARC record syntax you generated (e.g., `v=DMARC1; p=none; rua=mailto:[email protected]`). Save the record to publish it on your DNS and finish your DMARC setup.
Read our detailed guide on how to publish a DMARC record on your DNS to learn more. Keep in mind that DNS changes can take some time to propagate, potentially up to 48 hours, though often much faster (sometimes minutes with providers like Cloudflare).
Verifying Your DMARC Setup
After you have set up DMARC, you must verify your configurations to make sure the protocol is operating as per your needs and so that you don’t run into the very common “No DMARC record found” error. Without proper checks and monitoring in place, authenticating your emails can get very challenging and lead to false positives or failures, impacting your mail delivery performance. The DMARC record format is important; incorrect formatting (like excess spaces, missing semicolons, missing mandatory tags like ‘v’ or ‘p’) can lead to a `permerror` result or even cause DMARC checks to fail entirely.
To verify your setup, you can use PowerDMARC’s DMARC checker tool for free. It’s an instant and effective tool to validate your DNS TXT record that not only shows the status of your record’s validity but also highlights errors and suggests improvements to achieve compliance sooner! Several online tools allow you to check your DMARC records, verifying your settings.
To use it:
- Enter your domain name in the destination box (i.e. if your website URL is https://company.com your domain name will be company.com)
- Click on the “Lookup” button
- See your results displayed on the screen
We recommend this verification method as an alternative to manual verification for a quicker, more accurate, and hassle-free experience.
DMARC Setup Example
Here is an example of a typical DMARC setup:
v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:[email protected]; ruf=mailto:[email protected]; pct=100; fo=0;
Note: While beginning your email authentication journey, you can keep your DMARC policy (p) at none instead of reject, to monitor your email flow and resolve issues before shifting to a strict policy.
DMARC Record Syntax
The syntax of your DMARC setup is the most important part of your implementation as it determines how your emails will be authenticated and the action that will be taken post-verification. Let’s explore some primary mechanisms:
- The “v” field determines the protocol version of DMARC, which must be `DMARC1`. This tag is mandatory and must come first.
- The “p” field is the mandatory DMARC policy field that specifies the action receivers should take for emails failing DMARC checks. It can be set to `none`, `reject`, or `quarantine`.
- The “rua” aggregate feedback and “ruf” forensic reports fields are optional DMARC reporting options that help receiving ESPs provide feedback on emails sent to your recipients. Reports are sent to the specified email address(es) (using the `mailto:` prefix).
- The “adkim” and “aspf” tags (optional) specify the alignment mode for DKIM and SPF, respectively. They can be set to ‘r’ (relaxed) or ‘s’ (strict). Relaxed alignment allows messages where the organizational domains match, while strict requires an exact domain match.
- The “pct” tag (optional) indicates the percentage of messages subjected to the DMARC policy. If omitted, the default value is 100, meaning 100% of failing emails will have the policy applied.
These are just a few of the tags; you can explore more in our detailed blog on DMARC tags. Ensure tags are separated by semicolons and there are no excess spaces to maintain correct formatting.
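The formatting rules from the verification and syntax sections can be checked mechanically before a record is published. The following is an added example, not PowerDMARC's checker: the function name `validate_dmarc`, the error wording, and the `example.com` sample records are assumptions constructed for illustration.

```python
import re

POLICIES = {"none", "quarantine", "reject"}

def validate_dmarc(record):
    """Parse a DMARC TXT value; return (tags, errors)."""
    tags, order, errors = {}, [], []
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue  # a trailing semicolon is fine
        if "=" not in part:
            errors.append(f"malformed tag (no '='): {part}")
            continue
        name, value = (s.strip() for s in part.split("=", 1))
        name = name.lower()
        if name in tags:
            errors.append(f"duplicate tag: {name}")
        if re.search(r"\s", value):
            errors.append(f"whitespace inside {name} value (missing semicolon?)")
        tags[name] = value
        order.append(name)
    if order[:1] != ["v"] or tags["v"] != "DMARC1":
        errors.append("v=DMARC1 must be the first tag")
    if tags.get("p", "").lower() not in POLICIES:
        errors.append("p is mandatory: none, quarantine or reject")
    for name in ("adkim", "aspf"):
        if name in tags and tags[name].lower() not in ("r", "s"):
            errors.append(f"{name} must be r or s")
    pct = tags.get("pct", "100")  # default is 100 when omitted
    if not (re.fullmatch(r"[0-9]{1,3}", pct) and int(pct) <= 100):
        errors.append("pct must be an integer from 0 to 100")
    for name in ("rua", "ruf"):
        for uri in tags.get(name, "").split(","):
            if uri.strip() and not uri.strip().lower().startswith("mailto:"):
                errors.append(f"{name} address lacks mailto: prefix")
    return tags, errors

# Constructed sample records (example.com is a placeholder domain).
SAMPLES = {
    "valid": "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:reports@example.com; pct=100; fo=0;",
    "missing semicolon": "v=DMARC1 p=none; rua=mailto:reports@example.com",
    "v not first": "p=none; v=DMARC1",
    "bad values": "v=DMARC1; p=monitor; pct=150; rua=reports@example.com",
}

if __name__ == "__main__":
    for label, rec in SAMPLES.items():
        print(label, "->", validate_dmarc(rec)[1] or "OK")
```

The missing-semicolon sample shows why that mistake is costly: the `p` tag is swallowed into the `v` value, so the record loses both mandatory tags at once.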
Why You Should Configure DMARC
90% of phishing attacks use email as a vector, making email authentication indispensable. The FBI’s Internet Crime Complaint Center of 2020 (FBI IC3 Report 2020) reported that 28,500 complaints were received in the US on email-based attacks. Email phishing statistics like these instantly bring DMARC to the forefront. It’s important to note that DMARC doesn’t provide direct defense against these types of attacks itself. Rather, it helps your email provider identify unauthorized use of your domain and allows you to instruct them on how to handle such messages, thus protecting your reputation and recipients.
Did You Know?
- 75% of organizational domains from all around the world were spoofed in 2020 to send phishing emails to victims
- 74% of those phishing campaigns were successful
- The frequency of BEC has increased by 15% since last year
- IBM reported that one in every 5 companies in the last year has experienced data breaches caused by malicious emails
Benefits and Uses of a DMARC Setup
A DMARC setup can be useful in the following situations:
- To ensure only authorized senders are allowed to send emails on your email domain’s behalf
- To prevent email phishing and direct-domain spoofing attacks
- To view the IP addresses or sources sending emails on your behalf via reports
- To prevent spammy messages from reaching your recipients
- To improve the email deliverability and trustworthiness of legitimate email traffic
- To protect your brand’s reputation from damage caused by impersonation.
DMARC Setup FAQ
1. Can You Set Up DMARC without DKIM or SPF?
No. DMARC relies on the results of either SPF or DKIM authentication checks (or both). You need to configure at least one of these protocols (SPF or DKIM) for your domain before implementing DMARC to ensure your legitimate emails are properly authenticated. Setting up both SPF and DKIM is the recommended approach for maximum security and deliverability. However, that is completely optional, as only one is required for DMARC alignment.
We have covered both approaches in depth in our knowledge base.
2. What are the Best DMARC Settings?
The best DMARC setting, if you want maximum protection against email-based attacks, is p=reject (where p is the tag used to specify your record policy). A suitable DMARC setting depends on the amount of enforcement you desire (how stringently you want receivers to handle emails that fail DMARC) and your confidence in your SPF/DKIM configurations.
For monitoring only, you should start with a “none” policy (`p=none`). This allows you to receive DMARC reports and analyze your email streams without affecting deliverability. Once you are confident that your legitimate sources are properly aligned, you can move to `p=quarantine` (sending failing emails to spam) and finally to `p=reject` (blocking failing emails completely).
Note that if you want to configure DMARC to stop your domain from being spoofed and keep phishing and BEC attacks at bay, we recommend you ultimately select the following setting while generating your DMARC record:
Set your DMARC policy to p=reject
What does this mean?
When you configure DMARC enforcement at your organization by choosing “reject” DMARC settings, this means that whenever an email message sent from your domain fails DMARC authentication (meaning it fails both SPF and DKIM checks and alignment), the malicious email is instantly rejected by the receiving email server instead of being delivered to the recipient’s inbox.
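How a receiver arrives at that outcome, as an added example that is not PowerDMARC's or any mail server's code: it combines SPF and DKIM results with the relaxed or strict alignment modes and maps a failure onto the published policy. The function names, the four-entry `PUBLIC_SUFFIXES` set, and the sample domains are assumptions constructed for illustration; real receivers use the full Public Suffix List.

```python
# Constructed mini suffix list (assumption); receivers use the full Public Suffix List.
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk"}

def org_domain(domain):
    """Organizational domain: the public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):  # longest candidate suffix first
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])

def aligned(from_domain, auth_domain, mode):
    """Mode 's' needs an exact match; 'r' compares organizational domains."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def evaluate(from_domain, spf, dkim, policy):
    """spf and dkim are (result, authenticated_domain); policy holds DMARC tags."""
    spf_ok = spf[0] == "pass" and aligned(from_domain, spf[1], policy.get("aspf", "r"))
    dkim_ok = dkim[0] == "pass" and aligned(from_domain, dkim[1], policy.get("adkim", "r"))
    if spf_ok or dkim_ok:  # one aligned pass is enough
        return "pass", "deliver"
    action = {"none": "deliver", "quarantine": "spam folder", "reject": "reject"}
    return "fail", action[policy["p"]]

# Constructed messages: (From domain, SPF result, DKIM result, published policy).
CASES = [
    ("example.com", ("pass", "bounce.example.com"), ("none", ""), {"p": "reject"}),
    ("example.com", ("pass", "bounce.example.com"), ("none", ""), {"p": "reject", "aspf": "s"}),
    ("example.com", ("pass", "mailer.example.net"), ("pass", "example.net"), {"p": "reject"}),
    ("example.com", ("pass", "mailer.example.net"), ("pass", "example.net"), {"p": "none"}),
    ("example.com", ("pass", "esp.example.org"), ("pass", "example.com"), {"p": "reject", "adkim": "s"}),
]

if __name__ == "__main__":
    for case in CASES:
        print(case[0], case[3], "->", evaluate(*case))
```

The third and fourth cases are the spoofing scenario: SPF and DKIM both pass, but for a domain unrelated to the From address, so DMARC fails and only the published policy decides whether the message is still delivered.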
3. How to Turn Off DMARC?
It’s important to bear in mind that turning off email authentication for your domains is not recommended or encouraged as it leaves your domains vulnerable to a wide range of cyber-attacks and provides open access to cybercriminals to impersonate your domain. Having considered that, if you still want to disable the protocol you can follow the steps given below:
- Access your DNS registrar’s management console
- Navigate to the advanced DNS editor to edit your DNS settings
- Locate the domain for which you want to disable DMARC
- Delete the DMARC TXT record (the one starting with `_dmarc.`)
- Save changes and wait for some time (up to 48 hours) for the changes to propagate across the internet
You can alternatively contact your domain registrar to help you delete the record in case you don’t have access to the console.
Deleting the DNS entry for DMARC will automatically disable the protocol for the particular domain. However, if you have multiple domains with DMARC enabled, you need to manually delete DNS entries for the said domains to disable them for your organization.
Setup DMARC Easily with PowerDMARC
When you create an account on PowerDMARC, we handle protocol implementation and setup for you. Automated solutions like PowerDMARC can simplify the entire process, from creating SPF, DKIM, and DMARC records to helping you reach enforcement and achieve full compliance. We also manage and monitor the health of your domain and emails, parse your aggregate reports into human-readable formats, and organize your authentication results on a dedicated dashboard, troubleshooting complex errors along the way. This helps protect your domain, prevent unauthorized use, ensure authenticated message delivery, and improve overall email deliverability rates by increasing trust.
If you don’t want to go through the hassle of a manual setup, you can automate the process by taking a free 15-day trial with us. To enjoy the benefits of email authentication, and set up DMARC in a way that would effectively protect your domain, sign up with PowerDMARC today!