Email Authentication Guide

How to Set Up DMARC: Complete Guide

Protect your domain from email spoofing with this comprehensive DMARC implementation guide.

1. What is DMARC?

DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an email authentication protocol that helps protect your domain from unauthorized use, commonly known as email spoofing.

DMARC works by building on two existing email authentication mechanisms: SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail). It adds a crucial layer by specifying what should happen when emails fail these checks.

Key benefit: DMARC allows you to receive reports about emails sent using your domain, giving you visibility into both legitimate and fraudulent email activity.

2. Prerequisites: SPF and DKIM

Before implementing DMARC, you need to have SPF and DKIM configured for your domain:

SPF (Sender Policy Framework)

Specifies which mail servers are authorized to send email on behalf of your domain.


DKIM (DomainKeys Identified Mail)

Adds a digital signature to emails, allowing receivers to verify the message hasn't been altered.


3. Creating Your DMARC Record

A DMARC record is a TXT record published in your DNS. Here's a basic example:

v=DMARC1; p=none; rua=mailto:[email protected]; ruf=mailto:[email protected]; fo=1

Let's break down each component:

  • v=DMARC1 - Protocol version (required)
  • p=none - Policy for your domain (none, quarantine, or reject)
  • rua= - Address to receive aggregate reports
  • ruf= - Address to receive forensic reports
  • fo=1 - Generate a forensic (failure) report if either SPF or DKIM fails to produce an aligned pass

4. Understanding DMARC Policies

p=none (Monitoring Only)

No action is taken on failing emails. Use this to collect data before enforcing.

p=quarantine (Soft Enforcement)

Failing emails are delivered to the spam/junk folder. A good intermediate step.

p=reject (Full Enforcement)

Failing emails are rejected entirely. Maximum protection against spoofing.

5. Monitoring DMARC Reports

DMARC generates two types of reports that help you understand your email ecosystem:

  • Aggregate Reports (RUA): Daily summaries of authentication results
  • Forensic Reports (RUF): Detailed reports for individual failures

Challenge: Raw DMARC reports are XML files that are difficult to read. Consider using a DMARC monitoring service to parse and visualize this data.

6. Moving to Enforcement

We recommend a gradual approach to DMARC enforcement:

  1. Start with p=none and monitor for 2-4 weeks
  2. Review reports to identify all legitimate email sources
  3. Ensure all legitimate sources pass SPF and/or DKIM
  4. Move to p=quarantine with a low percentage (e.g., pct=10)
  5. Gradually increase percentage while monitoring for issues
  6. Finally, move to p=reject for full protection

Modern Enforcement Workflow

The traditional approach of manually reviewing XML reports and incrementing policy percentages works, but modern tooling compresses the timeline and reduces risk significantly. A data-driven enforcement workflow looks like this:

  1. Discover and classify senders. Identify every IP and service sending as your domain. Categorize each as authorized, unauthorized, or unknown. This is the foundation — you cannot enforce what you have not mapped.
  2. Simulate enforcement impact. Before changing DNS, model what would happen if you moved to quarantine or reject today. Which senders would be affected? How much legitimate mail is at risk?
  3. Approve changes through governance. Route policy changes through an approval workflow so no single person can accidentally break email delivery. This is especially important in multi-stakeholder environments.
  4. Observe results during a stabilization window. After each policy change, monitor delivery rates, bounce rates, and authentication pass rates for a defined observation period before progressing further.
  5. Roll forward or roll back based on data. If metrics hold during observation, advance to the next enforcement stage. If delivery degrades, roll back to the previous policy and investigate.
  6. Use score forecasting to set timelines. Weighted regression across your compliance history projects when your domain will reach reject-ready status at 30, 60, and 90 days. Use this to set realistic deadlines with stakeholders instead of guessing.
  7. Monitor sender behavior throughout progression. Even after enforcement, watch for behavioral anomalies — volume spikes, timing shifts, authentication degradation — that may indicate account compromise or infrastructure changes requiring attention.
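To show what reviewing aggregate reports (section 5) and simulating enforcement impact (steps 2-3 above) look like in practice, here is an added example that is not part of the SpoofSentry guide: it parses a constructed RUA report with Python's standard library, totals aligned pass/fail counts per source IP, and estimates how many messages a quarantine or reject policy with a given pct would act on. The sample XML, IPs and counts are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample aggregate (RUA) report, trimmed to the fields used below.
SAMPLE_RUA = """<?xml version="1.0"?>
<feedback>
  <policy_published><domain>example.com</domain><p>none</p><pct>100</pct></policy_published>
  <record><row><source_ip>203.0.113.10</source_ip><count>120</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>40</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row></record>
  <record><row><source_ip>192.0.2.99</source_ip><count>15</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>"""


def summarize(report_xml):
    """Return {source_ip: {"pass": n, "fail": m}} from an aggregate report.
    The <dkim>/<spf> values under <policy_evaluated> are the aligned results,
    so a message passes DMARC when at least one of them is 'pass'."""
    root = ET.fromstring(report_xml)
    summary = defaultdict(lambda: {"pass": 0, "fail": 0})
    for row in root.iter("row"):
        ip = row.findtext("source_ip")
        count = int(row.findtext("count"))
        pe = row.find("policy_evaluated")
        aligned = "pass" in (pe.findtext("dkim"), pe.findtext("spf"))
        summary[ip]["pass" if aligned else "fail"] += count
    return dict(summary)


def simulate_enforcement(summary, pct=100):
    """Estimate the blast radius of p=quarantine/p=reject with the given pct:
    only failing mail is affected, and only pct percent of it."""
    failing = sum(v["fail"] for v in summary.values())
    total = failing + sum(v["pass"] for v in summary.values())
    return {"total": total, "failing": failing, "affected": failing * pct // 100}


if __name__ == "__main__":
    per_ip = summarize(SAMPLE_RUA)
    for ip, counts in per_ip.items():
        # Sources with failures need to be classified as unauthorized or fixed before enforcing.
        print(f"{ip}: {counts['pass']} pass, {counts['fail']} fail")
    print("pct=10 quarantine would affect:", simulate_enforcement(per_ip, pct=10))
```

In a real rollout the failing sources (here 192.0.2.99) are what you classify as unauthorized or bring into SPF/DKIM compliance before raising pct.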

Ready to Implement DMARC?

SpoofSentry makes DMARC monitoring easy. Get started with our free DMARC checker or sign up for automated monitoring.

How to Set Up DMARC: Complete Guide for 2026 | SpoofSentry