DMARC Setup Guide

Configure DMARC to control how receiving servers handle emails that fail SPF and DKIM checks.

What Is DMARC?

DMARC (Domain-based Message Authentication, Reporting & Conformance) builds on SPF and DKIM to give domain owners control over how receiving servers handle emails that fail authentication checks.

How DMARC Works

  1. A receiving server checks SPF and DKIM for an incoming email
  2. It then checks the DMARC record for the sender's domain
  3. DMARC requires alignment — the domain in the From: header must match the SPF or DKIM domain
  4. Based on the DMARC policy, the server takes action on failures

The DMARC Record

Published as a TXT record at _dmarc.example.com:

_dmarc.example.com. TXT "v=DMARC1; p=reject; rua=mailto:[email protected]; pct=100"

Policy Tags

Tag    Required  Description                 Values
v      Yes       Version                     DMARC1
p      Yes       Policy                      none, quarantine, reject
rua    No        Aggregate report URI        mailto:[email protected]
ruf    No        Forensic report URI         mailto:[email protected]
pct    No        Percentage to apply policy  0-100 (default: 100)
sp     No        Subdomain policy            none, quarantine, reject
adkim  No        DKIM alignment mode         r (relaxed), s (strict)
aspf   No        SPF alignment mode          r (relaxed), s (strict)

Policy Levels

p=none (Monitor Only)

v=DMARC1; p=none; rua=mailto:[email protected]

No action on failures. Use this first to collect data and ensure legitimate senders are properly authenticated.

p=quarantine

v=DMARC1; p=quarantine; rua=mailto:[email protected]; pct=100

Failed emails are sent to the spam/junk folder.

p=reject

v=DMARC1; p=reject; rua=mailto:[email protected]; pct=100

Failed emails are rejected entirely. The strictest and most secure policy.

  1. Start with p=none — Monitor reports for 2-4 weeks
  2. Fix authentication issues — Ensure all legitimate senders pass SPF/DKIM
  3. Move to p=quarantine; pct=10 — Apply to 10% of failing emails
  4. Gradually increase pct — 25%, 50%, 100%
  5. Finally p=reject; pct=100 — Full enforcement

DMARC Reports

Aggregate reports (rua) are XML files sent daily by receiving servers. They show:

  - How many emails passed/failed SPF and DKIM
  - Which IP addresses sent email as your domain
  - Whether alignment passed

Use a DMARC report analyzer (like dmarcian, Postmark, or EasyDMARC) to parse and visualize these reports.

Checking DMARC

# Look up DMARC record
dig +short _dmarc.example.com TXT

# Expected output:
# "v=DMARC1; p=reject; rua=mailto:[email protected]"
