Implementing DMARC is straightforward — you can go from zero to monitoring in about 5 minutes. The real work is in the weeks that follow, as you review reports, fix authentication issues, and gradually move toward full enforcement.
The DMARC Implementation Timeline
Step 1: Audit Your Email Sources
Before you set up DMARC, you need to know who sends email on behalf of your domain. Common sources include:
- Google Workspace, Microsoft 365, Zoho, etc.
- Mailchimp, SendGrid, HubSpot, Constant Contact
- Amazon SES, Postmark, Mandrill, SendGrid
- Zendesk, Freshdesk, Intercom, Help Scout
- Xero, QuickBooks, Stripe, PayPal
- Web forms, cron notifications, WordPress
Make a list. You’ll need every service that sends email as @yourdomain.com. If you’re not sure, don’t worry — DMARC reports will reveal them once you start monitoring.
Step 2: Set Up SPF
If you don’t already have an SPF record, create one that lists all your authorised sending servers:
v=spf1 include:_spf.google.com include:sendgrid.net -all
If you already have an SPF record, use our Domain Checker to validate it. Watch out for the 10 DNS lookup limit.
Step 3: Set Up DKIM
Enable DKIM for each email service. This is usually done in the service’s admin panel — they’ll give you a DNS record to publish. Check our DKIM setup guide for provider-specific instructions.
Step 4: Publish Your DMARC Record
This is the main event. Use our DMARC Record Generator to create your record. For your initial deployment, use:
v=DMARC1; p=none; rua=mailto:your-selector@dmarccloud.com
Add this as a TXT record in your DNS at _dmarc.yourdomain.com.
The p=none policy enables monitoring and reporting without affecting any email delivery. It’s completely safe to deploy immediately.
Step 5: Monitor Your Reports
Within 24-48 hours of publishing your DMARC record, you’ll start receiving aggregate reports. These XML reports show:
- Every IP address that sent email claiming to be your domain
- Whether each source passed or failed SPF and DKIM
- Whether alignment succeeded
- How many emails were sent from each source
This is where a service like DMARC Cloud helps — we parse these XML reports into readable dashboards so you can quickly see:
- Legitimate senders passing
- Legitimate senders failing
- Unauthorised senders
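The report fields listed above can also be read directly in code. The following is an added example, not DMARC Cloud's code: the sample report is constructed and trimmed, the function name summarize is hypothetical, and it assumes the report is already decompressed and carries no XML namespace.

```python
import xml.etree.ElementTree as ET  # for untrusted reports, prefer defusedxml

# Constructed sample report (no XML namespace); IPs are documentation ranges.
SAMPLE = """<feedback>
 <policy_published><domain>yourdomain.com</domain><p>none</p></policy_published>
 <record>
  <row><source_ip>192.0.2.10</source_ip><count>120</count>
   <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
  <auth_results><dkim><domain>yourdomain.com</domain><result>pass</result></dkim>
   <spf><domain>yourdomain.com</domain><result>pass</result></spf></auth_results>
 </record>
 <record>
  <row><source_ip>198.51.100.7</source_ip><count>40</count>
   <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <auth_results><spf><domain>bounce.esp.example</domain><result>pass</result></spf></auth_results>
 </record>
 <record>
  <row><source_ip>203.0.113.99</source_ip><count>3</count>
   <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <auth_results><spf><domain>unknown.example</domain><result>fail</result></spf></auth_results>
 </record>
</feedback>"""


def summarize(xml_text):
    """Per source IP: total messages, messages failing DMARC, and why they failed."""
    out = {}
    for rec in ET.fromstring(xml_text).iter("record"):
        ip = rec.findtext("row/source_ip")
        n = int(rec.findtext("row/count"))
        ev = rec.find("row/policy_evaluated")
        # policy_evaluated carries the aligned results; one aligned pass is enough.
        dmarc_pass = "pass" in (ev.findtext("dkim"), ev.findtext("spf"))
        # auth_results carries raw results and the domain each check was made against.
        raw_pass = [a.findtext("domain") for a in rec.iterfind("auth_results/*")
                    if a.findtext("result") == "pass"]
        entry = out.setdefault(ip, {"total": 0, "failing": 0, "notes": set()})
        entry["total"] += n
        if not dmarc_pass:
            entry["failing"] += n
            entry["notes"].add(
                "authenticates as " + ", ".join(raw_pass) + ", not aligned with From domain"
                if raw_pass else "no passing SPF or DKIM")
    return out


if __name__ == "__main__":
    for ip, row in summarize(SAMPLE).items():
        print(ip, row["total"], row["failing"], sorted(row["notes"]))
```

A source that authenticates under another domain but fails alignment is usually a service you still need to configure. A source with no passing check at all needs a decision on whether it is yours.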
Step 6: Fix Authentication Issues
For any legitimate senders that are failing:
- Add their IP or include to your SPF record
- Enable DKIM signing in their admin panel
- Verify alignment — make sure they’re sending as your domain, not theirs
Common fixes:
- Third-party service fails SPF → Add their include: to your SPF record
- Service fails DKIM → Enable DKIM in their settings and publish the DNS record they provide
- Alignment failure → Configure the service to send as your domain (not theirs) in the From: header
Step 7: Move to Enforcement
Once your reports show that all legitimate senders are passing, it’s time to enforce. Do this gradually:
p=quarantine; pct=10
Only 10% of failing emails go to spam. Monitor for a week.
p=quarantine; pct=50
Then 100%. Confirm no legitimate email is being affected.
p=reject
Full protection. Failing emails are blocked entirely.
Quick-Start Checklist
- ☐ List all services that send email as your domain
- ☐ Verify your SPF record includes all senders
- ☐ Enable DKIM for each email service
- ☐ Generate your DMARC record with p=none
- ☐ Add the TXT record to your DNS at _dmarc.yourdomain.com
- ☐ Wait 24-48 hours for reports to arrive
- ☐ Review reports — identify and fix failing legitimate senders
- ☐ Move to p=quarantine (start at pct=10)
- ☐ Gradually increase to p=reject
- ☐ Keep monitoring — new services or changes can break authentication