DMARC (Domain-based Message Authentication, Reporting and Conformance) is an email authentication protocol that protects your domain against spoofing and phishing. In this guide, we’ll walk through how to set it up properly.

Why DMARC Is Essential

Without DMARC, anyone can send emails pretending to be your domain. The consequences are serious:

  • Phishing: malicious actors can impersonate your brand
  • Damaged reputation: ISPs may penalize your domain
  • Lost trust: your recipients can no longer tell which emails are legitimate

According to the FBI, business email compromise (BEC) scams, many of which exploit missing DMARC, caused over $2.7 billion in losses in 2022 alone.

Understanding DMARC Syntax

A DMARC record is a DNS TXT record placed at _dmarc.yourdomain.com. Here’s an example:

v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com; pct=100; adkim=s; aspf=s

Key Parameters

Parameter   Description
v=DMARC1    Protocol version (required)
p=          Policy: none, quarantine or reject
rua=        Address for aggregate reports
ruf=        Address for forensic reports
pct=        Percentage of messages subject to the policy
adkim=      DKIM alignment: s (strict) or r (relaxed)
aspf=       SPF alignment: s (strict) or r (relaxed)

How Authentication Alignment Works

DMARC doesn’t just check whether SPF or DKIM pass; it also verifies alignment. This means the domain in the From: header must match the domain used by SPF (the Return-Path) or DKIM (the d= tag).

  • Strict alignment (s): exact domain match required; mail.example.com does not align with example.com
  • Relaxed alignment (r): organizational domain match is enough; mail.example.com aligns with example.com

This is why an email can pass SPF and DKIM but still fail DMARC, because the domains don’t align.
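
The alignment rule above as a small evaluator, added here as an illustration and not code from Sender Audit or the original guide. The domains, the function names and the two-entry suffix set standing in for the Public Suffix List are assumptions.

```python
# Assumption: tiny constructed stand-in for the Public Suffix List; a real
# evaluator must load the full list to find organizational domains.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}


def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; adkim=s' into a dict keyed by tag name."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def org_domain(domain):
    """Organizational domain: the public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    keep = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])


def aligned(from_domain, auth_domain, mode):
    """Strict ('s') needs an exact match; relaxed ('r') the same org domain."""
    a, b = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    return a == b if mode == "s" else org_domain(a) == org_domain(b)


def dmarc_result(record, from_domain, spf, dkim):
    """spf/dkim are (passed, domain) pairs: Return-Path domain and DKIM d=."""
    tags = parse_dmarc(record)
    # RFC 7489: alignment is relaxed when adkim/aspf are absent from the record.
    spf_ok = spf[0] and aligned(from_domain, spf[1], tags.get("aspf", "r"))
    dkim_ok = dkim[0] and aligned(from_domain, dkim[1], tags.get("adkim", "r"))
    # One mechanism that both passes and aligns is enough for DMARC to pass.
    return "pass" if (spf_ok or dkim_ok) else "fail"


# Constructed records and messages (hypothetical domains).
STRICT = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s"
RELAXED = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"

if __name__ == "__main__":
    # SPF and DKIM both pass, but for the sending service's own domain.
    print(dmarc_result(RELAXED, "example.com", (True, "bounce.mailer.example"), (True, "mailer.example")))
    # SPF passes for a subdomain: aligned under relaxed, not under strict.
    print(dmarc_result(STRICT, "example.com", (True, "mail.example.com"), (False, "")))
    print(dmarc_result(RELAXED, "example.com", (True, "mail.example.com"), (False, "")))
```
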

Step-by-Step Setup

1. Start with p=none

Deploy DMARC in monitoring mode first to collect reports without impacting delivery:

v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com

You can use Sender Audit as your RUA destination; we’ll parse and visualize your DMARC reports automatically.

Need help? Use our free DMARC Generator to build your record in a few clicks.

2. Analyze RUA Reports

Aggregate reports (RUA) show you who is sending emails using your domain. Check your DMARC reports dashboard to see:

  • Which IPs send on your behalf
  • Whether they pass SPF and DKIM
  • The volume of aligned vs. unaligned messages

You can also verify your current DMARC record instantly with our free DMARC Checker.

3. Gradually Move to quarantine then reject

Once you’ve identified and authenticated all legitimate sources:

v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com; pct=50

Then, when you’re confident:

v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com; pct=100

Common Mistakes to Avoid

  1. Jumping straight to p=reject without a monitoring period: you risk blocking your own emails
  2. Forgetting the rua tag: without reports, you’re flying blind
  3. Not aligning SPF and DKIM: DMARC depends on domain alignment, not just validation
  4. Ignoring subdomains: add sp=reject to also protect *.yourdomain.com
  5. Using only SPF: SPF alone breaks with forwarding; always pair it with DKIM

DMARC and Your Other Records

DMARC works alongside two other protocols:

  • SPF: defines which servers are allowed to send for your domain
  • DKIM: adds a cryptographic signature to prove the email hasn’t been tampered with

All three are needed for maximum protection. You can check your full setup with a free domain audit.

Verify Your Configuration

Head to Sender Audit to run a free audit of your domain. You’ll get a detailed score for your DMARC, SPF, DKIM and more. You can also use our specialized tools:


Have questions? Join us on Matrix to discuss.