--- title: "DMARC Setup Complete Guide: From Zero to Full Protection | DMARC Report" description: "The definitive guide to setting up DMARC from scratch. Covers DNS record creation, SPF and DKIM prerequisites, policy progression from p=none to p=reject, and ongoing monitoring with DMARC Report." image: "https://dmarcreport.com/og/blog/dmarc-setup-complete-guide.png" canonical: "https://dmarcreport.com/blog/dmarc-setup-complete-guide/" --- Quick Answer Setting up DMARC requires three steps: configure SPF and DKIM for your domain, publish a DMARC TXT record at \_dmarc.yourdomain.com with v=DMARC1; p=none; rua=mailto:reports@yourdomain.com, and monitor aggregate reports for at least 90 days before moving to enforcement. DMARC ties SPF and DKIM together by checking that the domain in the visible From header aligns with the domain authenticated by SPF or DKIM. Without DMARC, failed authentication has no consequence and attackers can freely spoof your domain. Related: [Free DMARC Checker](/tools/dmarc-checker/) ·[How to Create an SPF Record](/tools/spf-record-generator/) ·[SPF Record Format](/blog/spf-format-checker-dos-and-donts-for-email-authentication/) Share [ ](https://www.linkedin.com/sharing/share-offsite/?url=undefined%2Fblog%2Fdmarc-setup-complete-guide%2F "Share on LinkedIn") [ ](https://twitter.com/intent/tweet?text=DMARC%20Setup%20Complete%20Guide%3A%20From%20Zero%20to%20Full%20Protection&url=undefined%2Fblog%2Fdmarc-setup-complete-guide%2F "Share on X/Twitter") [ ](https://www.facebook.com/sharer/sharer.php?u=undefined%2Fblog%2Fdmarc-setup-complete-guide%2F "Share on Facebook") [ ](https://reddit.com/submit?url=undefined%2Fblog%2Fdmarc-setup-complete-guide%2F&title=DMARC%20Setup%20Complete%20Guide%3A%20From%20Zero%20to%20Full%20Protection "Share on Reddit") [ ](mailto:?subject=DMARC%20Setup%20Complete%20Guide%3A%20From%20Zero%20to%20Full%20Protection&body=Check out this article: undefined%2Fblog%2Fdmarc-setup-complete-guide%2F "Share via Email") ![DMARC Setup Complete Guide: From Zero to Full Protection](https://media.mailhop.org/dmarcreport/images/2022/04/dmarc-report-4236.jpg) ## Try Our Free DMARC Checker Validate your DMARC policy, check alignment settings, and verify reporting configuration. [ Check DMARC Record → ](/tools/dmarc-checker/) **Setting up DMARC requires three steps: configure SPF and DKIM for your domain, publish a DMARC TXT record at `_dmarc.yourdomain.com`, and monitor aggregate reports before moving to enforcement.** DMARC ([RFC 7489](https://datatracker.ietf.org/doc/html/rfc7489)) ties SPF and DKIM together by checking that the domain in the visible `From` header aligns with the domain authenticated by SPF or DKIM. Without DMARC, failed authentication has no consequence and attackers can freely spoof your domain. This guide walks you through the entire process, from understanding what DMARC does to publishing your first record, reading your first reports, and progressing through policy enforcement. Whether you are configuring DMARC for a single domain or rolling it out across hundreds, the fundamentals are the same. > The most common mistake we see during DMARC setup is jumping straight to p=reject without monitoring first, says Vasile Diaconu, Operations Lead at DuoCircle. Start at p=none, analyze your reports for at least a full quarter. You need to catch monthly, quarterly, and annual email senders that only fire periodically. Then fix any legitimate senders that fail before enforcing. ## Why DMARC Is No Longer Optional As of 2025, DMARC is mandatory under multiple compliance frameworks. [CISA BOD 18-01](https://www.cisa.gov/news-events/directives/bod-18-01) requires p=reject for US federal domains. [PCI DSS v4.0](https://www.pcisecuritystandards.org/) mandates DMARC for organizations processing payment card data as of March 2025\. Google and Yahoo require DMARC for bulk senders (5,000+ messages/day) since February 2024, and [Microsoft began rejecting](https://learn.microsoft.com/en-us/defender-office-365/email-authentication-dmarc-configure) non-compliant email in May 2025\. The UK [NCSC](https://www.ncsc.gov.uk/collection/email-security-and-anti-spoofing), Australia’s [ASD](https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/ism/cyber-security-guidelines/guidelines-email), and Canada’s [CCCS](https://www.cyber.gc.ca/en/guidance/implementation-guidance-email-domain-protection) all mandate DMARC for government domains. Cyber insurers increasingly require DMARC enforcement as an underwriting condition. If you have not started, the time is now. Every day without DMARC is a day your domain can be spoofed without consequence. ## Understanding What DMARC Does DMARC solves a specific problem: email spoofing. Without DMARC, anyone can send email that appears to come from your domain. SPF and DKIM existed before DMARC, but they lacked a critical piece: a way for domain owners to tell receiving servers what to do when authentication fails and a way to receive reports about it. DMARC adds two things: 1. **A policy** that tells receivers how to handle messages that fail authentication (none, quarantine, or reject) 2. **A reporting mechanism** that sends you data about every message claiming to be from your domain A DMARC check passes when EITHER SPF or DKIM passes AND the authenticated domain aligns with the `From` header domain. This alignment requirement is what makes DMARC effective against spoofing. For a deeper look at what makes up a DMARC record, see our guide on [the basic components required to create a DMARC record](/blog/how-to-create-dmarc-record-stop-email-spoofing-domain/). ## Prerequisites: SPF and DKIM DMARC requires at least one of SPF or DKIM to be configured. Both is strongly recommended. ### Setting Up SPF SPF (Sender Policy Framework, [RFC 7208](https://datatracker.ietf.org/doc/html/rfc7208)) is a DNS TXT record that lists which IP addresses and servers are authorized to send email for your domain. A basic SPF record looks like this: ``` yourdomain.com. IN TXT "v=spf1 include:spf.google.com include:sendgrid.net -all" ``` Key constraints to keep in mind: - **10 DNS lookup limit.** Each `include`, `a`, `mx`, and `redirect` mechanism counts as a lookup. Exceeding 10 causes a permanent error (permerror), which means SPF fails for every message. - **Use `-all` (hard fail)** rather than `~all` (soft fail) once you are confident in your sending sources. Soft fail provides limited protection. - **Only one SPF record per domain.** Multiple SPF records cause both to fail. Use our [SPF checker tool](/tools/spf-checker/) to validate your record. For platform-specific SPF instructions, see our guides on [configuring SPF records for Gmail](/blog/how-to-configure-spf-record-gmail-prevent-email-spoofing/) and [SPF records for Office 365](/blog/how-to-configure-microsoft-365-spf-records-for-secure-email/). ### Setting Up DKIM DKIM (DomainKeys Identified Mail, [RFC 6376](https://datatracker.ietf.org/doc/html/rfc6376)) adds a cryptographic signature to outgoing messages. The receiving server checks this signature against a public key published in your DNS. If the signature verifies, DKIM passes. DKIM setup varies by email provider: - **Google Workspace:** Generate a DKIM key in the Admin console under Apps > Gmail > Authenticate email. See our [complete DKIM setup guide for Google Workspace](/blog/how-to-set-up-dkim-in-google-workspace-a-guide/). - **Microsoft 365:** Enable DKIM signing in the Microsoft 365 Defender admin center. See our [DKIM for Microsoft 365 guide](/blog/setting-dkim-for-microsoft-365-domain/). - **Postfix/self-hosted:** Configure OpenDKIM with your MTA. See our [complete guide to configuring DKIM with OpenDKIM and Postfix](/blog/complete-dmarcreport-guide-configuring-dkim-opendkim-postfix-mail-server-secure/). Validate your DKIM configuration with our [DKIM lookup tool](/tools/dkim-lookup/). ## Step 1: Decide Where to Publish Your DMARC Record Your DMARC record is a DNS TXT record published at `_dmarc.yourdomain.com`. The underscore prefix is mandatory. If your domain is `example.com`, the record goes at `_dmarc.example.com`. For guidance on choosing the right DNS location, including subdomains and multi-domain setups, read our guide on [where to publish your DMARC record](/blog/where-should-i-publish-my-dmarc-record-in-my-domains-dns/). If you use a managed DNS provider, we have platform-specific guides: - [How to add a DMARC record in Cloudflare](/blog/how-to-add-dmarc-record-cloudflare-dns-setup-guide/) - [Create a DMARC record in GoDaddy](/blog/create-dmarc-record-godaddy-enhanced-email-security/) - [Which DNS providers make it easiest to add a DMARC record](/blog/which-dns-providers-make-it-easiest-to-add-a-dmarc-record/) ## Step 2: Create Your DMARC Record A minimal DMARC record contains three tags: ``` v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com ``` Here is what each tag means: | Tag | Value | Purpose | | --- | --------------------------- | -------------------------------------------- | | v | DMARC1 | Version identifier (required, must be first) | | p | none, quarantine, or reject | Policy for messages that fail DMARC | | rua | mailto:address | Where to send aggregate reports | **Always start with `p=none`.** This enables monitoring without affecting email delivery. You will change this later after analyzing reports. Additional tags you may want: | Tag | Example | Purpose | | ----- | ------------------------------ | --------------------------------------------- | | ruf | mailto:forensic@yourdomain.com | Forensic (failure) report address | | pct | 25 | Percentage of failing mail to apply policy to | | adkim | r or s | DKIM alignment mode (relaxed or strict) | | aspf | r or s | SPF alignment mode (relaxed or strict) | | sp | none, quarantine, reject | Subdomain policy | | fo | 0, 1, d, s | Forensic report options | For a step-by-step walkthrough of record creation, see our [guide to creating a DMARC record without breaking email delivery](/blog/how-to-create-dmarc-record-stop-email-spoofing-domain/). If you prefer a tool-assisted approach, our [DMARC record generator](/tools/dmarc-record-generator/) creates properly formatted records for Gmail and Office 365 environments. ## Step 3: Publish the Record in DNS Add the DMARC record as a TXT record in your DNS provider: - **Host/Name:** `_dmarc` - **Type:** TXT - **Value:** Your DMARC record string - **TTL:** 3600 (1 hour) is a reasonable starting point After publishing, verify the record is resolving correctly: ``` dig TXT _dmarc.yourdomain.com +short ``` Or use our [DMARC checker tool](/tools/dmarc-checker/) to validate the record syntax and confirm it is publicly accessible. DNS propagation typically takes 15 minutes to 48 hours depending on your provider and TTL settings. For details on propagation timing, see our guide on [how long after DMARC DNS record setup it affects email delivery](/blog/how-long-after-dmarc-dns-record-setup-affects-email-delivery/). ## Step 4: Verify Your Setup Before moving on, confirm all three authentication layers are working: 1. **Check SPF:** [SPF checker](/tools/spf-checker/) \- verify your record is valid and within the 10-lookup limit 2. **Check DKIM:** [DKIM lookup](/tools/dkim-lookup/) \- confirm your public key is published and signatures verify 3. **Check DMARC:** [DMARC checker](/tools/dmarc-checker/) \- validate your record syntax and reporting addresses You can also verify from the command line. Our guide on [checking DMARC records with dig and nslookup](/blog/how-to-check-dmarc-record-command-line-dig-nslookup/) covers the manual approach. If your setup has issues, check our troubleshooting guide on [common signs your domain lacks a published DMARC record](/blog/common-signs-your-domain-lacks-a-published-dmarc-record/) or [how to fix the “no DMARC record found” error](/blog/no-dmarc-record-found-how-to-fix-domain-email-security/). ## Step 5: Monitor Your Aggregate Reports Within 24-48 hours of publishing your DMARC record, aggregate reports (RUA) will start arriving from receiving mail servers. These XML reports contain data about every message that claims to come from your domain, including which ones passed and failed SPF, DKIM, and DMARC. Raw XML reports are difficult to read. DMARC Report parses them automatically and presents the data in a visual dashboard showing: - Which IPs are sending email as your domain - Which messages pass and fail authentication - Which sending sources are aligned and which are not - Volume trends over time For a detailed explanation of what aggregate reports contain and how to interpret them, see our [complete guide to DMARC aggregate reports](/blog/common-dmarc-aggregate-report-issues-and-how-to-prioritize-them/). If you want to understand the raw XML format, our guide on [reading DMARC reports](/blog/how-to-read-dmarc-reports-guide-2026/) breaks down every field. ### What to Look For in Your First Reports During the initial monitoring period, focus on three things: 1. **Legitimate senders that fail.** These are the services you authorized but that are not properly authenticated. Common culprits include marketing platforms, CRM systems, ticketing tools, and transactional email providers. 2. **Unknown senders that pass.** These might be services you forgot about, or they might indicate a configuration problem. 3. **Spoofing attempts.** Messages from IPs you do not recognize, using your domain in the `From` header. This is the threat DMARC is designed to stop. Fix every legitimate sender that fails before moving to enforcement. This might mean updating SPF records to include new services, enabling DKIM signing on third-party platforms, or fixing alignment issues. Our guide on [how to interpret DMARC reports to find email authentication issues](/blog/how-to-read-dmarc-reports-guide-2026/) walks through this analysis step by step. ## Step 6: Progress Through Policy Enforcement DMARC enforcement is a journey with three stages. Rushing through them risks blocking legitimate email. ### Stage 1: p=none (Minimum 90 Days) Monitor only. No impact on email delivery. Use this time to identify all legitimate sending sources and fix authentication failures. Read our guide on [when to use the DMARC p=none policy](/blog/dmarc-enforcement-timeline-none-to-reject-roadmap/) for detailed guidance on this phase. ### Stage 2: p=quarantine (Minimum 90 Days) Failing messages are routed to spam instead of the inbox. Start with `pct=25` to apply the policy to only 25% of failing mail, then gradually increase to 100%. This phased approach catches problems before they affect all your email. For details on when and how to use quarantine, see our guide on [when your DMARC policy should use p=quarantine](/blog/dmarc-enforcement-timeline-none-to-reject-roadmap/). ### Stage 3: p=reject Full enforcement. Failing messages are rejected outright. The receiving server returns a bounce to the sender. This is the ultimate protection against domain spoofing. Our guide on [the DMARC reject policy](/blog/dmarc-enforcement-timeline-none-to-reject-roadmap/) covers the details, and our [enforcement timeline roadmap](/blog/dmarc-enforcement-timeline-none-to-reject-roadmap/) provides realistic timelines for each phase. For the complete picture of choosing the right policy for your situation, see our [DMARC policy guide: from none to reject](/blog/dmarc-policy-none-quarantine-reject-guide/). ## Platform-Specific Setup Guides DMARC setup varies by email platform. We have dedicated guides for the most common environments: ### Google Workspace / Gmail - [DMARC for Google Workspace: Complete Setup Guide](/blog/dmarc-google-workspace-gmail-setup-2026/) - [How to implement DMARC policy for Gmail and Google Workspace](/blog/dmarc-google-workspace-gmail-setup-2026/) - [Set up DMARC for Google Workspace without breaking email delivery](/blog/dmarc-google-workspace-gmail-setup-2026/) - [Setup DMARC to meet Google’s new requirements for bulk senders](/blog/setup-dmarc-meet-googles-new-requirements-for-bulk-senders/) For the full Google Workspace hub, see our [DMARC for Gmail and Google Workspace guide](/blog/dmarc-gmail-google-workspace-complete-guide/). ### Microsoft 365 / Office 365 - [DMARC for Office 365: Complete Setup Guide](/blog/dmarc-office-365-complete-setup-guide-2026/) - [Configuring DMARC for Microsoft 365](/blog/dmarc-office-365-complete-setup-guide-2026/) - [Recommended DMARC DNS record syntax for Office 365](/blog/dmarc-office-365-complete-setup-guide-2026/) For the full Microsoft 365 hub, see our [DMARC for Office 365 guide](/blog/dmarc-office-365-complete-guide/). ### Other Platforms - [Setting up SPF, DKIM, and DMARC for Exchange Server](/blog/setting-up-spf-dkim-dmarc-records-exchange-server-email-security/) - [How to add SPF, DKIM, and DMARC records in AWS Route 53](/blog/steps-add-spf-dkim-dmarc-records-aws-dns-route53/) - [DreamHost DMARC setup guide](/blog/ultimate-dreamhost-dmarc-setup-guide-by-dmarcreport/) - [Configuring SPF, DKIM, and DMARC for Brevo](/blog/how-to-configure-spf-dkim-and-dmarc-records-for-brevo/) ## Common Setup Mistakes These are the errors we see most frequently in support tickets: **Publishing multiple DMARC records.** Only one DMARC record is allowed per domain. Multiple records cause all of them to fail. See our guide on [whether you can have multiple DMARC records](/blog/can-you-have-multiple-dmarc-records-a-complete-guide-for-domain-configuration/). **Skipping the monitoring phase.** Going directly to p=reject blocks email from services you forgot to authenticate. Always start at p=none. **Forgetting the `_dmarc` prefix.** The record must be at `_dmarc.yourdomain.com`, not `yourdomain.com`. **Not including a `rua` address.** Without a reporting address, you get no visibility into authentication results. You are flying blind. **SPF lookup limit exceeded.** Adding too many `include` mechanisms pushes you past the 10-lookup limit. Every message fails SPF as a result. **DKIM not enabled for custom domains.** Both Google Workspace and Microsoft 365 require manual DKIM enablement for custom domains. The default signatures use the provider’s domain, not yours, which means DKIM alignment fails. See [is your Google Workspace DKIM setup broken?](/blog/how-to-set-up-dkim-in-google-workspace-a-guide/) and [troubleshooting DKIM issues for Google Workspace](/blog/how-to-set-up-dkim-in-google-workspace-a-guide/). ## Subdomains and Multi-Domain Setups If you send email from subdomains (marketing.yourdomain.com, support.yourdomain.com), you have two options: 1. **Use the `sp` tag** in your parent domain’s DMARC record to set a default subdomain policy 2. **Publish separate DMARC records** for each subdomain that needs a different policy Our guide on [the DMARC subdomain policy tag](/blog/dmarc-subdomain-policy-tag-explained-how-it-works/) explains how the `sp` tag works and when to use individual subdomain records instead. For organizations managing many domains, see [how to implement DMARC for multiple domains and subdomains](/blog/how-can-i-implement-dmarc-for-multiple-domains-and-subdomains/). ## What Comes After Setup DMARC is not a set-and-forget configuration. After reaching p=reject, ongoing monitoring is essential: - **New sending services** must be authenticated before they start sending. Add them to SPF or configure DKIM before go-live. - **Third-party changes** can break authentication. Vendors change IP ranges, rotate DKIM keys, or modify envelope senders. - **Report analysis** should continue indefinitely. DMARC Report dashboards flag anomalies so you catch problems before they affect delivery. Consider implementing [BIMI (Brand Indicators for Message Identification)](/blog/bimi-cmc-google-transforming-email-landscape-insights-from-dmarcreport/) once you reach p=reject. BIMI displays your brand logo in supporting email clients, but it requires DMARC enforcement as a prerequisite. ## Quick-Start Checklist Use this checklist to track your DMARC deployment: - SPF record published and validated ([check now](/tools/spf-checker/)) - DKIM enabled and public key published ([check now](/tools/dkim-lookup/)) - DMARC record published at `_dmarc.yourdomain.com` with `p=none` ([check now](/tools/dmarc-checker/)) - Aggregate reports arriving and reviewed in DMARC Report dashboard - All legitimate senders identified and authenticated - Policy moved to `p=quarantine` with `pct=25` - Quarantine percentage gradually increased to 100% - Policy moved to `p=reject` - Ongoing monitoring configured For a preparation-focused walkthrough before you touch DNS, see our [DMARC setup stage 1: preparation guide](/blog/dmarc-setup-stage-1-preparation/). ## Topics [ DMARC ](/tags/dmarc/)[ dmarc record ](/tags/dmarc-record/)[ email security ](/tags/email-security/)[ SPF ](/tags/spf/)[ dkim ](/tags/dkim/)[ dns ](/tags/dns/)[ email authentication ](/tags/email-authentication/) ![Brad Slavin](https://media.mailhop.org/dmarcreport/images/team/brad-slavin.jpg) [ Brad Slavin ](/authors/brad-slavin/) General Manager Founder and General Manager of DuoCircle. Product strategy and commercial lead for DMARC Report's 2,000+ customer base. [LinkedIn Profile →](https://www.linkedin.com/in/bradslavin) ## Take control of your DMARC reports Turn raw XML into actionable dashboards. Start free - no credit card required. [Start Free Trial](https://app.dmarcreport.com/) [Check Your DMARC Record](/tools/dmarc-checker/) ## Related Articles [ Foundational 15m DMARC for Gmail and Google Workspace: The Complete Guide Apr 23, 2026 ](/blog/dmarc-gmail-google-workspace-complete-guide/)[ Foundational 14m DMARC for Office 365: The Complete Guide to Microsoft 365 Email Authentication Apr 23, 2026 ](/blog/dmarc-office-365-complete-guide/)[ Foundational 16m DMARC Policy Guide: The Complete Journey from None to Quarantine to Reject Apr 23, 2026 ](/blog/dmarc-policy-none-quarantine-reject-guide/)[ Foundational 7m 4 sectors that need email authentication the most and why Oct 15, 2024 ](/blog/4-sectors-that-need-email-authentication-the-most-and-why/) ```json {"@context":"https://schema.org","@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com","logo":{"@type":"ImageObject","url":"https://dmarcreport.com/images/dmarcreport-logo.png"},"description":"DMARC reporting and email authentication management. Monitor aggregate and forensic DMARC reports, analyze authentication results, and enforce DMARC policies across all your domains.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]},"sameAs":["https://www.wikidata.org/wiki/Q138898167","https://www.linkedin.com/company/duocircle","https://x.com/duocirclellc","https://www.g2.com/products/dmarc-report/reviews","https://github.com/duocircle","https://www.crunchbase.com/organization/duocircle-llc","https://www.trustradius.com/products/duocircle/reviews"],"aggregateRating":{"@type":"AggregateRating","ratingValue":"4.8","reviewCount":"470","bestRating":"5","worstRating":"1","url":"https://www.g2.com/products/dmarc-report/reviews"},"contactPoint":{"@type":"ContactPoint","contactType":"customer support","url":"https://dmarcreport.com/support/"},"knowsAbout":["DMARC","DMARC Reporting","DMARC Aggregate Reports","DMARC Forensic Reports","Sender Policy Framework","DKIM","Email Authentication","Email Security","DNS Management","Email Deliverability"]} ``` ```json {"@context":"https://schema.org","@type":"WebSite","name":"DMARC Report","url":"https://dmarcreport.com","description":"DMARC reporting and email authentication management. Monitor aggregate and forensic DMARC reports, analyze authentication results, and enforce DMARC policies across all your domains.","publisher":{"@type":"Organization","name":"DMARC Report","url":"https://dmarcreport.com","logo":{"@type":"ImageObject","url":"https://dmarcreport.com/images/dmarcreport-logo.png"},"description":"DMARC reporting and email authentication management. Monitor aggregate and forensic DMARC reports, analyze authentication results, and enforce DMARC policies across all your domains.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]}}} ``` ```json [{"@context":"https://schema.org","@type":"BlogPosting","headline":"DMARC Setup Complete Guide: From Zero to Full Protection","description":"The definitive guide to setting up DMARC from scratch. Covers DNS record creation, SPF and DKIM prerequisites, policy progression from p=none to p=reject, and ongoing monitoring with DMARC Report.","url":"https://dmarcreport.com/blog/dmarc-setup-complete-guide/","datePublished":"2026-04-23T00:00:00.000Z","dateModified":"2026-04-23T00:00:00.000Z","dateCreated":"2026-04-23T00:00:00.000Z","author":{"@type":"Person","@id":"https://dmarcreport.com/authors/brad-slavin/#person","name":"Brad Slavin","url":"https://dmarcreport.com/authors/brad-slavin/","jobTitle":"General Manager","description":"Brad Slavin is the founder and General Manager of DuoCircle, the company behind DMARC Report, AutoSPF, Phish Protection, and Mailhop. He founded DuoCircle in 2014 and has led the company's growth to 2,000+ customers across its email security product family. Brad's focus is product strategy, customer relationships, and the commercial and compliance side of email authentication (DPAs, SLAs, enterprise procurement).","image":"https://media.mailhop.org/dmarcreport/images/team/brad-slavin.jpg","knowsAbout":["Email Security Strategy","SaaS Product Management","Enterprise Compliance","Customer Success","Email Deliverability Business"],"worksFor":{"@type":"Organization","name":"DMARC Report","url":"https://dmarcreport.com"},"sameAs":["https://www.linkedin.com/in/bradslavin"]},"publisher":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com","logo":{"@type":"ImageObject","url":"https://dmarcreport.com/images/dmarcreport-logo.png"},"description":"DMARC reporting and email authentication management. Monitor aggregate and forensic DMARC reports, analyze authentication results, and enforce DMARC policies across all your domains.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]},"sameAs":["https://www.wikidata.org/wiki/Q138898167","https://www.linkedin.com/company/duocircle","https://x.com/duocirclellc","https://www.g2.com/products/dmarc-report/reviews","https://github.com/duocircle","https://www.crunchbase.com/organization/duocircle-llc","https://www.trustradius.com/products/duocircle/reviews"],"aggregateRating":{"@type":"AggregateRating","ratingValue":"4.8","reviewCount":"470","bestRating":"5","worstRating":"1","url":"https://www.g2.com/products/dmarc-report/reviews"},"contactPoint":{"@type":"ContactPoint","contactType":"customer support","url":"https://dmarcreport.com/support/"},"knowsAbout":["DMARC","DMARC Reporting","DMARC Aggregate Reports","DMARC Forensic Reports","Sender Policy Framework","DKIM","Email Authentication","Email Security","DNS Management","Email Deliverability"]},"mainEntityOfPage":{"@type":"WebPage","@id":"https://dmarcreport.com/blog/dmarc-setup-complete-guide/"},"articleSection":"foundational","keywords":"DMARC, dmarc record, email security, SPF, dkim, dns, email authentication","wordCount":3200,"image":{"@type":"ImageObject","url":"https://media.mailhop.org/dmarcreport/images/2022/04/dmarc-report-4236.jpg","caption":"DMARC Setup Complete Guide: From Zero to Full Protection","width":900,"height":600},"speakable":{"@type":"SpeakableSpecification","cssSelector":[".answer-block","h1"]}}] ``` ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https://dmarcreport.com/"},{"@type":"ListItem","position":2,"name":"Blog","item":"https://dmarcreport.com/blog/"},{"@type":"ListItem","position":3,"name":"Foundational","item":"https://dmarcreport.com/foundational/"},{"@type":"ListItem","position":4,"name":"DMARC Setup Complete Guide: From Zero to Full Protection","item":"https://dmarcreport.com/blog/dmarc-setup-complete-guide/"}]} ```