Skip to content

How to Configure DMARC Record

TL;DR:

To set up DMARC: (1) ensure SPF and DKIM already work; (2) add TXT record _dmarc.example.com with value v=DMARC1; p=none; rua=mailto:reports@example.com; (3) after 2-4 weeks of monitoring switch to p=quarantine, then p=reject.

Check your site →

Step-by-step guide

  1. Check SPF and DKIM. DMARC works on top of SPF+DKIM. Without them DMARC is meaningless. Check via: /en/email-check.
  2. Create _dmarc TXT record. In DNS management add: _dmarc.example.com. TXT "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
  3. Start with p=none. Report-only — nothing blocked. Collect data for 2-4 weeks via rua.
  4. Switch to quarantine. When you see all legitimate mail passing SPF+DKIM: p=quarantine — suspicious messages go to spam.
  5. Finally — reject. After 4+ weeks of quarantine without issues: p=reject — DMARC-failing mail is dropped by recipient servers.

Open tool →

Understanding DMARC Policy Options

When configuring DMARC for your domain, understanding the various policy options is crucial. DMARC supports three primary policies: none, quarantine, and reject. Each policy dictates how email receivers should handle messages that fail DMARC validation.

The none policy (p=none) is primarily used for monitoring purposes. It allows you to receive reports regarding authentication failures without impacting email deliverability. This is the recommended starting point when implementing DMARC.

The quarantine policy (p=quarantine) instructs receiving servers to treat emails that fail DMARC checks as suspicious. These emails may be sent to the spam folder, giving you a chance to review them without outright rejecting them.

Finally, the reject policy (p=reject) is the most stringent. It tells receiving servers to reject any email that fails DMARC validation outright. This policy should be implemented only after thorough monitoring and confidence in your SPF and DKIM configurations.

To set a policy, update your DMARC TXT record accordingly. For example, to set the policy to quarantine, you would change your DMARC record to:

v=DMARC1; p=quarantine; rua=mailto:reports@example.com;

Choosing the right policy requires careful consideration of your email practices and potential impacts on legitimate emails. Start with none to gather data, then progressively tighten the policy based on your findings.

Common DMARC Misconfigurations to Avoid

Implementing DMARC can significantly enhance your domain's email security, but misconfigurations can undermine its effectiveness. Here are some common pitfalls to avoid:

  • Neglecting SPF and DKIM: Ensure that both SPF and DKIM are correctly configured before setting up DMARC. DMARC relies on these two protocols for validation.
  • Incorrect TXT Record Syntax: A DMARC record must be formatted correctly. Ensure there are no typos or syntax errors in your TXT record. It should start with v=DMARC1 and include valid policy parameters.
  • Overly Aggressive Policies: Jumping straight to reject can result in legitimate emails being blocked. Start with none to analyze your email flow before tightening the policy.
  • Ignoring Reports: DMARC is designed to provide valuable reports. Ignoring these reports can lead to missed opportunities for improvement. Review your reports regularly to identify issues.
  • Single Domain Focus: If you have multiple subdomains, make sure to implement DMARC for each one. A single DMARC record for the root domain does not automatically cover subdomains unless specified.

By avoiding these common misconfigurations, you can effectively leverage DMARC to enhance your domain's email security and deliverability.

How to Analyze DMARC Reports

Once DMARC is set up, the next crucial step is to analyze the reports it generates. DMARC provides two types of reports: aggregate reports (RUA) and forensic reports (RUF). Understanding how to interpret these reports is essential for maintaining a secure email environment.

Aggregate reports are sent daily and provide a summary of DMARC activity for your domain, including the number of messages that passed or failed DMARC checks. The reports are typically sent in XML format, which can be challenging to read without the right tools.

To analyze aggregate reports, you can use various DMARC report analyzers available online or parse the XML files manually. Key metrics to look for include:

  • Volume of Emails: Understand how many emails are being sent from your domain.
  • Pass/Fail Rates: Identify the percentage of emails passing DKIM and SPF checks.
  • Sources of Failure: Determine which IP addresses are sending emails that fail DMARC checks.

Forensic reports provide more detailed information about individual email failures. These reports contain specific information about the email that failed DMARC validation, such as the sender’s IP address and the reason for failure. Analyzing these reports can help you identify misconfigurations or unauthorized senders.

To set up reporting in your DMARC record, ensure your TXT record includes a valid rua and ruf parameter:

v=DMARC1; p=none; rua=mailto:reports@example.com; ruf=mailto:forensics@example.com;

Regularly reviewing and acting on the insights from these reports will help you refine your email authentication practices and enhance your domain's security posture.

SPF + DKIM + DMARCFull email protection triad check
Antispam StatusBlacklist check
MX ConfigurationCorrect mail server configuration
Email ScoreEmail deliverability score

Why teams trust us

MX
MX record check
SMTP
SMTP verification
SPF
SPF + DKIM + DMARC
Free
no signup

How it works

1

Enter email address

2

Check MX + SMTP

3

Get validity verdict

Why check email settings?

Proper SPF, DKIM, and DMARC configuration directly impacts email deliverability. Without these records, your emails land in spam or are rejected before delivery.

SPF Check

SPF record correctness: syntax, allowed server list, fail mechanism.

DKIM Analysis

Presence and validity of DKIM signature for the specified selector.

DMARC Policy

DMARC record parsing: policy, rua/ruf reports, SPF and DKIM alignment.

Email Score

Numerical delivery readiness score with improvement recommendations.

Who uses this

Email marketers

mailing list verification

Developers

registration validation

Sales

CRM contact check

Sysadmins

mail delivery troubleshooting

Common Mistakes

Missing SPF recordWithout SPF, emails from your domain are treated as potential spoofing.
SPF with ?all instead of -all?all means "neutral" — that's not protection. Use -all.
DMARC without policyp=none only collects reports. Move to p=quarantine or p=reject.
Not reading DMARC reportsDMARC generates reports on all emails. Analyze them to find unauthorized sending.

Best Practices

Deploy SPF → DKIM → DMARC sequentiallySPF first, then DKIM, then DMARC. Each step must work before moving to the next.
Start DMARC with p=noneCollect reports for 2–4 weeks, ensure all legitimate mail passes, then tighten policy.
Add rua report addressrua=mailto:dmarc@yourdomain.com — receive weekly aggregate reports.
Check after changing providerWhen changing hosting or ESP, always update SPF and DKIM keys.

Get more with a free account

Email check history and API keys for service integration.

Sign up free

Learn more

Frequently Asked Questions

Signup required?

No for quick check. For continuous monitoring — free account.

Try the live tool that powered this guide

Free plan — 10 monitors, checks every 5 min, no card required. Upgrade for 1-minute interval and multi-region monitoring.