Email Authentication Guide
How to Set Up DMARC: Complete Guide
Protect your domain from email spoofing with this comprehensive DMARC implementation guide.
1. What is DMARC?
DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an email authentication protocol that helps protect your domain from unauthorized use, commonly known as email spoofing.
DMARC works by building on two existing email authentication mechanisms: SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail). It adds a crucial layer by specifying what should happen when emails fail these checks.
Key benefit: DMARC allows you to receive reports about emails sent using your domain, giving you visibility into both legitimate and fraudulent email activity.
2. Prerequisites: SPF and DKIM
Before implementing DMARC, you need to have SPF and DKIM configured for your domain:
SPF (Sender Policy Framework)
Specifies which mail servers are authorized to send email on behalf of your domain.
DKIM (DomainKeys Identified Mail)
Adds a digital signature to emails, allowing receivers to verify the message hasn't been altered.
3. Creating Your DMARC Record
A DMARC record is a TXT record published in your DNS. Here's a basic example:
Let's break down each component:
- v=DMARC1 - Protocol version (required)
- p=none - Policy for your domain (none, quarantine, or reject)
- rua= - Address to receive aggregate reports
- ruf= - Address to receive forensic reports
- fo=1 - Generate reports if either SPF or DKIM fails
4. Understanding DMARC Policies
p=none (Monitoring Only)
No action is taken on failing emails. Use this to collect data before enforcing.
p=quarantine (Soft Enforcement)
Failing emails are delivered to the spam/junk folder. A good intermediate step.
p=reject (Full Enforcement)
Failing emails are rejected entirely. Maximum protection against spoofing.
5. Monitoring DMARC Reports
DMARC generates two types of reports that help you understand your email ecosystem:
- Aggregate Reports (RUA): Daily summaries of authentication results
- Forensic Reports (RUF): Detailed reports for individual failures
Challenge: Raw DMARC reports are XML files that are difficult to read. Consider using a DMARC monitoring service to parse and visualize this data.
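As an added example (not part of this guide or of any product it mentions), the following Python script parses a constructed RFC 7489 aggregate (RUA) report and totals DMARC passes and failures per sending IP, which is the first thing a reviewer wants out of the raw XML. The report contents, domain and IP addresses are made up.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample aggregate (RUA) report in the RFC 7489 XML layout, cut
# down to the elements the summary needs. Three sending IPs are reported.
SAMPLE_RUA = """<feedback>
  <report_metadata><org_name>receiver.example</org_name><report_id>r1</report_id></report_metadata>
  <policy_published><domain>example.com</domain><p>none</p><pct>100</pct></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>42</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
  </row><identifiers><header_from>example.com</header_from></identifiers></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>5</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
  </row><identifiers><header_from>example.com</header_from></identifiers></record>
  <record><row><source_ip>203.0.113.22</source_ip><count>3</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated>
  </row><identifiers><header_from>example.com</header_from></identifiers></record>
</feedback>"""


def summarize_rua(xml_text):
    """Parse one aggregate report; return (published policy, per-source-IP totals).

    A message passes DMARC when its aligned DKIM *or* aligned SPF result is
    'pass'; <policy_evaluated> carries exactly those aligned results per row.
    """
    root = ET.fromstring(xml_text)
    policy = {e.tag: e.text for e in root.find("policy_published")}
    per_ip = defaultdict(lambda: {"count": 0, "passed": 0, "failed": 0})
    for rec in root.iter("record"):
        row = rec.find("row")
        ip = row.findtext("source_ip")
        n = int(row.findtext("count"))  # messages this row stands for
        ev = row.find("policy_evaluated")
        ok = ev.findtext("dkim") == "pass" or ev.findtext("spf") == "pass"
        per_ip[ip]["count"] += n
        per_ip[ip]["passed" if ok else "failed"] += n
    return policy, dict(per_ip)


if __name__ == "__main__":
    policy, per_ip = summarize_rua(SAMPLE_RUA)
    print(f"domain={policy['domain']} p={policy['p']} pct={policy['pct']}")
    # Sources with the most failures first: these are the ones to investigate
    for ip, s in sorted(per_ip.items(), key=lambda kv: -kv[1]["failed"]):
        print(f"{ip:15} sent={s['count']:4} pass={s['passed']:4} fail={s['failed']:4}")
```

Under p=none every row shows disposition "none" even when both checks fail, which is why the failing IPs only become visible through reports like this one.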
6. Moving to Enforcement
We recommend a gradual approach to DMARC enforcement:
- Start with p=none and monitor for 2-4 weeks
- Review reports to identify all legitimate email sources
- Ensure all legitimate sources pass SPF and/or DKIM
- Move to p=quarantine with a low percentage (e.g., pct=10)
- Gradually increase the percentage while monitoring for issues
- Finally, move to p=reject for full protection
Ready to Implement DMARC?
SpoofSentry makes DMARC monitoring easy. Get started with our free DMARC checker or sign up for automated monitoring.