---
title: "How to Set Up DMARC: The Complete Step-by-Step Guide (2026) | DMARC Report"
description: "Set up DMARC in 5 minutes with this step-by-step guide. Configure SPF and DKIM first, publish your DMARC record at dmarc.yourdomain.com, start monitoring reports, and gradually enforce from p=none to p=reject."
image: "https://dmarcreport.com/og/blog/how-to-set-up-dmarc-complete-guide-2026.png"
canonical: "https://dmarcreport.com/blog/how-to-set-up-dmarc-complete-guide-2026/"
---

Quick Answer

Setting up DMARC takes 5 minutes: verify SPF and DKIM are configured, publish a TXT record at dmarc.yourdomain.com with v=DMARC1; p=none; rua=mailto:your-reports@domain.com, wait 24-48 hours for reports to start flowing, analyze them in DMARC Report

Related: [Free DMARC Checker](/tools/dmarc-checker/) 

Share 

[ ](https://www.linkedin.com/sharing/share-offsite/?url=undefined%2Fblog%2Fhow-to-set-up-dmarc-complete-guide-2026%2F "Share on LinkedIn") [ ](https://twitter.com/intent/tweet?text=How%20to%20Set%20Up%20DMARC%3A%20The%20Complete%20Step-by-Step%20Guide%20%282026%29&url=undefined%2Fblog%2Fhow-to-set-up-dmarc-complete-guide-2026%2F "Share on X/Twitter") [ ](https://www.facebook.com/sharer/sharer.php?u=undefined%2Fblog%2Fhow-to-set-up-dmarc-complete-guide-2026%2F "Share on Facebook") [ ](https://reddit.com/submit?url=undefined%2Fblog%2Fhow-to-set-up-dmarc-complete-guide-2026%2F&title=How%20to%20Set%20Up%20DMARC%3A%20The%20Complete%20Step-by-Step%20Guide%20%282026%29 "Share on Reddit") [ ](mailto:?subject=How%20to%20Set%20Up%20DMARC%3A%20The%20Complete%20Step-by-Step%20Guide%20%282026%29&body=Check out this article: undefined%2Fblog%2Fhow-to-set-up-dmarc-complete-guide-2026%2F "Share via Email") 

![How to Set Up DMARC: The Complete Step-by-Step Guide (2026)](https://media.mailhop.org/dmarcreport/images/2022/04/dmarc-report-4236.jpg) 

## Try Our Free DMARC Checker

Validate your DMARC policy, check alignment settings, and verify reporting configuration.

[ Check DMARC Record → ](/tools/dmarc-checker/) 

\*\*Setting up DMARC takes 5 minutes: publish a DNS TXT record at `_dmarc.yourdomain.com` with your chosen policy and reporting address, and aggregate reports start arriving within 24-48 hours. DMARC ([RFC 7489](https://datatracker.ietf.org/doc/html/rfc7489)) builds on SPF and DKIM to tell receiving mail servers what to do when authentication fails - without it, failed authentication has no consequence.

Since Google’s and Yahoo’s February 2024 bulk sender requirements, DMARC is mandatory for any domain sending 5,000+ messages per day. Microsoft followed with enforcement from May 2025\. This is no longer optional.

## What Do You Need Before Setting Up DMARC?

DMARC requires at least one of these to be configured first:

As of 2025, DMARC is mandatory under multiple compliance frameworks. [CISA BOD 18-01](https://www.cisa.gov/news-events/directives/bod-18-01) requires p=reject for US federal domains. [PCI DSS v4.0](https://www.pcisecuritystandards.org/) mandates DMARC for organizations processing payment card data as of March 2025\. Google and Yahoo require DMARC for bulk senders (5,000+ messages/day) since February 2024, and [Microsoft began rejecting](https://learn.microsoft.com/en-us/defender-office-365/email-authentication-dmarc-configure) non-compliant email in May 2025\. The UK [NCSC](https://www.ncsc.gov.uk/collection/email-security-and-anti-spoofing), Australia’s [ASD](https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/ism/cyber-security-guidelines/guidelines-email), and Canada’s [CCCS](https://www.cyber.gc.ca/en/guidance/implementation-guidance-email-domain-protection) all mandate DMARC for government domains. Cyber insurers increasingly require DMARC enforcement as an underwriting condition.

- **SPF** \- a TXT record listing which IPs can send from your domain ([check yours →](/tools/spf-checker/))
- **DKIM** \- cryptographic signatures on outgoing messages ([check yours →](/tools/dkim-lookup/))

You need at least one, but both is strongly recommended. DMARC passes if EITHER SPF or DKIM passes AND aligns with the `From` domain.

## Step 1: Verify Your SPF and DKIM

Before touching DMARC, verify both protocols are working:

1. Run the [free SPF checker](/tools/spf-checker/) \- confirm your record exists and is under the SPF 10-lookup limit ([RFC 7208 - Sender Policy Framework (SPF)](https://datatracker.ietf.org/doc/html/rfc7208))
2. Run the [DKIM inspector](/tools/dkim-lookup/) \- confirm selectors are published for your email providers

If either is missing or broken, fix it first. DMARC without SPF and DKIM is a monitoring-only shell.

## Step 2: Generate Your DMARC Record

Use the [free DMARC Record Generator](/tools/dmarc-record-generator/) or build it manually:

\*\*Minimal record (monitoring only):

```
v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com
```

\*\*Recommended record (monitoring with forensics):

```
v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com; ruf=mailto:dmarc-forensic@yourdomain.com; fo=1
```

The `fo=1` tells receivers to send a forensic report for ANY authentication failure (not just when both SPF and DKIM fail).

## Step 3: Publish the Record in DNS

1. Log into your DNS provider (GoDaddy, Cloudflare, Namecheap, AWS Route 53, etc.)
2. Create a new \*\*TXT record 3\. **Host/Name:** `_dmarc` (your provider appends your domain automatically)
3. **Value:** paste the DMARC record string from Step 2
4. **TTL:** 3600 (1 hour) or your provider’s default
5. Save

## Step 4: Verify the Record

Use the [free DMARC checker](/tools/dmarc-checker/) to confirm:

- The record is published at `_dmarc.yourdomain.com`
- The syntax is valid
- The policy, alignment, and reporting tags are parsed correctly

## Step 5: Monitor and Analyze Reports

Within 24-48 hours, receiving servers will start sending aggregate XML reports to your `rua=` address. **These reports are unreadable in raw form** \- they’re XML files with hundreds or thousands of lines.

**[DMARC Report](/) parses these automatically**, showing:

- Every IP address sending email from your domain
- Whether each source passes SPF, DKIM, and DMARC
- Which sources are legitimate vs. unauthorized
- Trend analysis over time

## Step 6: Fix Authentication Failures

Review your reports for legitimate senders that fail DMARC:

- **SPF failures:** add the sender’s include mechanism to your SPF record
- **DKIM failures:** configure DKIM signing in the sender’s admin console
- **Alignment failures:** set up a custom return-path domain so SPF aligns with From

## Step 7: Enforce - Move from none to reject

Once all legitimate senders pass consistently:

1. **Move to `p=quarantine`** with `pct=10` (apply to 10% of failing mail)
2. Monitor for at least 90 days - check for legitimate mail going to spam
3. Increase to `pct=50`, then `pct=100`
4. **Move to `p=reject`** with `pct=10`, then ramp to 100%

This gradual approach prevents accidentally blocking legitimate mail during enforcement.

> The biggest mistake organizations make is jumping straight to p=reject without monitoring first, says Brad Slavin, General Manager of DuoCircle. We’ve seen enterprises block their own CFO’s email because a legacy CRM was sending through an unauthed server nobody knew about. Start at p=none, analyze your reports in DMARC Report for at least a full quarter - you need to catch monthly reports, quarterly statements, W-2 season, and other periodic senders before enforcing. Rushing to p=reject in 2 weeks is how you accidentally block your CFO’s email.

## How Long Does DMARC Take to Set Up?

| Step                          | Time                            |
| ----------------------------- | ------------------------------- |
| Verify SPF/DKIM               | 5 minutes                       |
| Generate DMARC record         | 2 minutes                       |
| Publish to DNS                | 5 minutes                       |
| Wait for propagation          | 5-60 minutes                    |
| Wait for first reports        | 24-48 hours                     |
| Monitor at p=none             | 90+ days (full quarter minimum) |
| Move to p=quarantine          | 90 days                         |
| Move to p=reject              | 90 days                         |
| **Total to full enforcement** | **9-18 months**                 |

The record itself takes 5 minutes. Full enforcement takes 9-18 months because you need to identify and fix every legitimate sender before blocking unauthorized ones.

[Generate your DMARC record now →](/tools/dmarc-record-generator/) [Check your current DMARC record →](/tools/dmarc-checker/) [Start analyzing reports with DMARC Report →](https://app.dmarcreport.com/)

## Sources

- [RFC 7208 - Sender Policy Framework (SPF)](https://datatracker.ietf.org/doc/html/rfc7208)
- [RFC 7489 - Domain-based Message Authentication, Reporting, and Conformance (DMARC)](https://datatracker.ietf.org/doc/html/rfc7489)

## Topics

[ DMARC ](/tags/dmarc/)[ email security ](/tags/email-security/) 

![Brad Slavin](https://media.mailhop.org/dmarcreport/images/team/brad-slavin.jpg) 

[ Brad Slavin ](/authors/brad-slavin/) 

General Manager

Founder and General Manager of DuoCircle. Product strategy and commercial lead for DMARC Report's 2,000+ customer base.

[LinkedIn Profile →](https://www.linkedin.com/in/bradslavin) 

## Take control of your DMARC reports

Turn raw XML into actionable dashboards. Start free - no credit card required.

[Start Free Trial](https://app.dmarcreport.com/) [Check Your DMARC Record](/tools/dmarc-checker/) 

## Related Articles

[  Foundational 8m  10 Critical Learnings From Verizon’s 2021 DBIR - A DMARCReport Perspective  Nov 25, 2025 ](/blog/10-critical-learnings-from-verizons-2021-dbir-a-dmarcreport-perspective/)[  Foundational 12m  10 DNS Blacklist Insights That Improve Email Security And Deliverability Fast  Nov 14, 2025 ](/blog/10-dns-blacklist-insights-to-improve-email-security-and-deliverability/)[  Foundational 12m  10 Email Spoofing Detection Tools That Dramatically Improve Brand Protection  Nov 11, 2025 ](/blog/10-email-spoofing-detection-tools-that-dramatically-improve-brand-protection/)[  Foundational 12m  10 Reasons SPF Filtering Is Critical For Email Security  Nov 19, 2025 ](/blog/10-reasons-spf-filtering-is-critical-for-email-security/)

```json
{"@context":"https://schema.org","@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com","logo":{"@type":"ImageObject","url":"https://dmarcreport.com/images/dmarcreport-logo.png"},"description":"DMARC reporting and email authentication management. Monitor aggregate and forensic DMARC reports, analyze authentication results, and enforce DMARC policies across all your domains.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]},"sameAs":["https://www.wikidata.org/wiki/Q138898167","https://www.linkedin.com/company/duocircle","https://x.com/duocirclellc","https://www.g2.com/products/dmarc-report/reviews","https://github.com/duocircle","https://www.crunchbase.com/organization/duocircle-llc","https://www.trustradius.com/products/duocircle/reviews"],"aggregateRating":{"@type":"AggregateRating","ratingValue":"4.8","reviewCount":"470","bestRating":"5","worstRating":"1","url":"https://www.g2.com/products/dmarc-report/reviews"},"contactPoint":{"@type":"ContactPoint","contactType":"customer support","url":"https://dmarcreport.com/support/"},"knowsAbout":["DMARC","DMARC Reporting","DMARC Aggregate Reports","DMARC Forensic Reports","Sender Policy Framework","DKIM","Email Authentication","Email Security","DNS Management","Email Deliverability"]}
```

```json
{"@context":"https://schema.org","@type":"WebSite","name":"DMARC Report","url":"https://dmarcreport.com","description":"DMARC reporting and email authentication management. Monitor aggregate and forensic DMARC reports, analyze authentication results, and enforce DMARC policies across all your domains.","publisher":{"@type":"Organization","name":"DMARC Report","url":"https://dmarcreport.com","logo":{"@type":"ImageObject","url":"https://dmarcreport.com/images/dmarcreport-logo.png"},"description":"DMARC reporting and email authentication management. Monitor aggregate and forensic DMARC reports, analyze authentication results, and enforce DMARC policies across all your domains.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]}}}
```

```json
[{"@context":"https://schema.org","@type":"BlogPosting","headline":"How to Set Up DMARC: The Complete Step-by-Step Guide (2026)","description":"Set up DMARC in 5 minutes with this step-by-step guide. Configure SPF and DKIM first, publish your DMARC record at dmarc.yourdomain.com, start monitoring reports, and gradually enforce from p=none to p=reject.","url":"https://dmarcreport.com/blog/how-to-set-up-dmarc-complete-guide-2026/","datePublished":"2026-03-27T00:00:00.000Z","dateModified":"2026-04-16T15:53:43.000Z","dateCreated":"2026-03-27T00:00:00.000Z","author":{"@type":"Person","@id":"https://dmarcreport.com/authors/brad-slavin/#person","name":"Brad Slavin","url":"https://dmarcreport.com/authors/brad-slavin/","jobTitle":"General Manager","description":"Brad Slavin is the founder and General Manager of DuoCircle, the company behind DMARC Report, AutoSPF, Phish Protection, and Mailhop. He founded DuoCircle in 2014 and has led the company's growth to 2,000+ customers across its email security product family. Brad's focus is product strategy, customer relationships, and the commercial and compliance side of email authentication (DPAs, SLAs, enterprise procurement).","image":"https://media.mailhop.org/dmarcreport/images/team/brad-slavin.jpg","knowsAbout":["Email Security Strategy","SaaS Product Management","Enterprise Compliance","Customer Success","Email Deliverability Business"],"worksFor":{"@type":"Organization","name":"DMARC Report","url":"https://dmarcreport.com"},"sameAs":["https://www.linkedin.com/in/bradslavin"]},"publisher":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com","logo":{"@type":"ImageObject","url":"https://dmarcreport.com/images/dmarcreport-logo.png"},"description":"DMARC reporting and email authentication management. Monitor aggregate and forensic DMARC reports, analyze authentication results, and enforce DMARC policies across all your domains.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]},"sameAs":["https://www.wikidata.org/wiki/Q138898167","https://www.linkedin.com/company/duocircle","https://x.com/duocirclellc","https://www.g2.com/products/dmarc-report/reviews","https://github.com/duocircle","https://www.crunchbase.com/organization/duocircle-llc","https://www.trustradius.com/products/duocircle/reviews"],"aggregateRating":{"@type":"AggregateRating","ratingValue":"4.8","reviewCount":"470","bestRating":"5","worstRating":"1","url":"https://www.g2.com/products/dmarc-report/reviews"},"contactPoint":{"@type":"ContactPoint","contactType":"customer support","url":"https://dmarcreport.com/support/"},"knowsAbout":["DMARC","DMARC Reporting","DMARC Aggregate Reports","DMARC Forensic Reports","Sender Policy Framework","DKIM","Email Authentication","Email Security","DNS Management","Email Deliverability"]},"mainEntityOfPage":{"@type":"WebPage","@id":"https://dmarcreport.com/blog/how-to-set-up-dmarc-complete-guide-2026/"},"articleSection":"foundational","keywords":"DMARC, email security","wordCount":2500,"image":{"@type":"ImageObject","url":"https://media.mailhop.org/dmarcreport/images/2022/04/dmarc-report-4236.jpg","caption":"How to Set Up DMARC: The Complete Step-by-Step Guide (2026)","width":900,"height":600},"speakable":{"@type":"SpeakableSpecification","cssSelector":[".answer-block","h1"]}}]
```

```json
{"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https://dmarcreport.com/"},{"@type":"ListItem","position":2,"name":"Blog","item":"https://dmarcreport.com/blog/"},{"@type":"ListItem","position":3,"name":"Foundational","item":"https://dmarcreport.com/foundational/"},{"@type":"ListItem","position":4,"name":"How to Set Up DMARC: The Complete Step-by-Step Guide (2026)","item":"https://dmarcreport.com/blog/how-to-set-up-dmarc-complete-guide-2026/"}]}
```