How to Set Up DMARC: The Complete Step-by-Step Guide (2026)
Quick Answer
Setting up DMARC takes 5 minutes: verify SPF and DKIM are configured, publish a TXT record at _dmarc.yourdomain.com with v=DMARC1; p=none; rua=mailto:your-reports@domain.com, wait 24-48 hours for reports to start flowing, analyze them in DMARC Report
Setting up DMARC takes 5 minutes: publish a DNS TXT record at _dmarc.yourdomain.com with your chosen policy and reporting address, and aggregate reports start arriving within 24-48 hours. DMARC (RFC 7489) builds on SPF and DKIM to tell receiving mail servers what to do when authentication fails — without it, failed authentication has no consequence.
Since Google’s and Yahoo’s February 2024 bulk sender requirements, DMARC is mandatory for any domain sending 5,000+ messages per day. Microsoft followed with enforcement from May 2025. This is no longer optional.
As of 2025, DMARC is mandatory under multiple compliance frameworks. CISA BOD 18-01 requires p=reject for US federal domains. PCI DSS v4.0 mandates DMARC for organizations processing payment card data as of March 2025. Google and Yahoo require DMARC for bulk senders (5,000+ messages/day) since February 2024, and Microsoft began rejecting non-compliant email in May 2025. The UK NCSC, Australia’s ASD, and Canada’s CCCS all mandate DMARC for government domains. Cyber insurers increasingly require DMARC enforcement as an underwriting condition.
What Do You Need Before Setting Up DMARC?
DMARC requires at least one of these to be configured first:
- SPF — a TXT record listing which IPs can send from your domain
- DKIM — cryptographic signatures on outgoing messages
You need at least one, but both are strongly recommended. DMARC passes if EITHER SPF or DKIM passes AND aligns with the From domain.
Step 1: Verify Your SPF and DKIM
Before touching DMARC, verify both protocols are working:
- Run the free SPF checker — confirm your record exists and is under the SPF 10-lookup limit (RFC 7208 — Sender Policy Framework (SPF))
- Run the DKIM inspector — confirm selectors are published for your email providers
If either is missing or broken, fix it first. DMARC without SPF and DKIM is a monitoring-only shell.
Step 2: Generate Your DMARC Record
Use the free DMARC Record Generator or build it manually:
**Minimal record (monitoring only):**
v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com
**Recommended record (monitoring with forensics):**
v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com; ruf=mailto:dmarc-forensic@yourdomain.com; fo=1
The fo=1 tag tells receivers to send a forensic report for ANY authentication failure (not just when both SPF and DKIM fail).
Step 3: Publish the Record in DNS
- Log in to your DNS provider (GoDaddy, Cloudflare, Namecheap, AWS Route 53, etc.)
- Create a new **TXT record**
- Host/Name: _dmarc (your provider appends your domain automatically)
- Value: paste the DMARC record string from Step 2
- TTL: 3600 (1 hour) or your provider’s default
- Save
Step 4: Verify the Record
Use the free DMARC checker to confirm:
- The record is published at _dmarc.yourdomain.com
- The syntax is valid
- The policy, alignment, and reporting tags are parsed correctly
Step 5: Monitor and Analyze Reports
Within 24-48 hours, receiving servers will start sending aggregate XML reports to your rua= address. These reports are unreadable in raw form — they’re XML files with hundreds or thousands of lines.
DMARC Report parses these automatically, showing:
- Every IP address sending email from your domain
- Whether each source passes SPF, DKIM, and DMARC
- Which sources are legitimate vs. unauthorized
- Trend analysis over time
Step 6: Fix Authentication Failures
Review your reports for legitimate senders that fail DMARC:
- SPF failures: add the sender’s include mechanism to your SPF record
- DKIM failures: configure DKIM signing in the sender’s admin console
- Alignment failures: set up a custom return-path domain so SPF aligns with From
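To show what Steps 5 and 6 look like on the raw data, the following added example (not DMARC Report's code or part of the original page) reads one aggregate report and labels each source as passing DMARC, failing alignment, or failing authentication. The sample report, its IPs and the crm-vendor.example domain are constructed, and the parser assumes un-namespaced elements as in the RFC 7489 Appendix C schema.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in the RFC 7489 Appendix C layout (documentation IPs,
# placeholder domains); real reports usually arrive gzip- or zip-compressed.
SAMPLE = b"""<feedback>
<record><row><source_ip>192.0.2.10</source_ip><count>120</count>
 <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
 <auth_results><dkim><domain>yourdomain.com</domain><result>pass</result></dkim>
 <spf><domain>yourdomain.com</domain><result>pass</result></spf></auth_results></record>
<record><row><source_ip>198.51.100.7</source_ip><count>40</count>
 <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
 <auth_results><spf><domain>bounce.crm-vendor.example</domain><result>pass</result></spf>
 </auth_results></record>
<record><row><source_ip>203.0.113.99</source_ip><count>3</count>
 <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
 <auth_results><spf><domain>yourdomain.com</domain><result>fail</result></spf>
 </auth_results></record>
</feedback>"""

def classify(record):
    """Label a <record>: policy_evaluated holds aligned results, auth_results raw ones."""
    aligned = [record.findtext(f"row/policy_evaluated/{m}", "fail") for m in ("dkim", "spf")]
    if "pass" in aligned:
        return "dmarc-pass"  # one mechanism passing and aligning is enough
    raw = [r.findtext("result")
           for m in ("dkim", "spf") for r in record.findall(f"auth_results/{m}")]
    # Raw pass but aligned fail: authenticated under a domain that does not match From.
    return "alignment-failure" if "pass" in raw else "auth-failure"

def summarize(xml_bytes):
    """Return {source_ip: {label: message_count}} for one aggregate report."""
    # Reports come from arbitrary senders; refuse DTDs and entity declarations.
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        raise ValueError("DTD/entity declarations are not expected in a DMARC report")
    summary = defaultdict(lambda: defaultdict(int))
    for record in ET.fromstring(xml_bytes).iter("record"):
        ip = record.findtext("row/source_ip", "unknown")
        count = int(record.findtext("row/count") or 0)
        summary[ip][classify(record)] += count
    return {ip: dict(labels) for ip, labels in summary.items()}
```

In the sample, 198.51.100.7 is the alignment case from Step 6 (SPF passes for the vendor's bounce domain, not the From domain), while 203.0.113.99 fails outright and is either an unconfigured legitimate sender or an unauthorized source.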
Step 7: Enforce — Move from none to reject
Once all legitimate senders pass consistently:
- Move to p=quarantine with pct=10 (apply to 10% of failing mail)
- Monitor for at least 90 days — check for legitimate mail going to spam
- Increase to pct=50, then pct=100
- Move to p=reject with pct=10, then ramp to 100%
This gradual approach prevents accidentally blocking legitimate mail during enforcement.
“The biggest mistake organizations make is jumping straight to p=reject without monitoring first,” says Brad Slavin, CEO of DuoCircle. “We’ve seen enterprises block their own CFO’s email because a legacy CRM was sending through an unauthed server nobody knew about. Start at p=none, analyze your reports in DMARC Report for at least a full quarter — you need to catch monthly reports, quarterly statements, W-2 season, and other periodic senders before enforcing. Rushing to p=reject in 2 weeks is how you accidentally block your CFO’s email.”
How Long Does DMARC Take to Set Up?
| Step | Time |
|---|---|
| Verify SPF/DKIM | 5 minutes |
| Generate DMARC record | 2 minutes |
| Publish to DNS | 5 minutes |
| Wait for propagation | 5-60 minutes |
| Wait for first reports | 24-48 hours |
| Monitor at p=none | 90+ days (full quarter minimum) |
| Move to p=quarantine | 90 days |
| Move to p=reject | 90 days |
| Total to full enforcement | 9-18 months |
The record itself takes 5 minutes. Full enforcement takes 9-18 months because you need to identify and fix every legitimate sender before blocking unauthorized ones.