How to Implement DMARC

Setting up DMARC is surprisingly quick — you can go from nothing to monitoring in about 5 minutes. The real work happens over the following weeks, as you review reports, sort out any issues, and gradually tighten protection until your domain is fully defended.

💡 You don’t need to change your email provider or install anything. DMARC works entirely through settings in your domain’s public directory (DNS). If your email is already working, you’re ready to start.

The Typical DMARC Journey

Day 1 Publish p=none Week 2-4 Review reports Fix sources Month 2-3 Move to p=quarantine Month 3+ Move to p=reject ✓

Step 1: Work Out Who Sends Email for Your Business

Before you switch on DMARC, take a moment to think about every service and system that sends email using your domain name. You probably have more than you realise:

📧 Primary Email
Google Workspace, Microsoft 365, Zoho, etc.
📣 Marketing
Mailchimp, SendGrid, HubSpot, Constant Contact
🔄 Automated Emails
Amazon SES, Postmark, Mandrill, SendGrid
🎫 Support
Zendesk, Freshdesk, Intercom, Help Scout
💰 Billing
Xero, QuickBooks, Stripe, PayPal
🖥️ Your Website/Server
Contact forms, notifications, WordPress

Make a list. Write down every service that sends email as @yourdomain.com. Don’t worry if you miss some — DMARC reports will show you anything you’ve overlooked once you start monitoring.

Step 2: Set Up Your Authorised Sender List (SPF)

SPF is a list you publish in your domain’s settings (DNS) that tells the world which servers are allowed to send email on your behalf. If you don’t already have one, create an SPF record that includes all your authorised senders:

v=spf1 include:_spf.google.com include:sendgrid.net -all

If you already have an SPF record, use our Domain Checker to make sure it’s correct. Keep an eye on the 10-lookup limit — going over it breaks the whole thing.

Step 3: Set Up Digital Signatures (DKIM)

DKIM adds a digital seal to your emails that proves they haven’t been tampered with and genuinely came from your domain. Enable DKIM for each of your email services — this is usually done in the service’s admin panel. They’ll give you a record to add to your domain’s settings (DNS). See our DKIM setup guide for provider-by-provider instructions.

Step 4: Publish Your DMARC Record

This is the main event. DMARC ties SPF and DKIM together and tells the world what to do when an email fails these checks. Use our DMARC Record Generator to create your record. For your first setup, start with:

v=DMARC1; p=none; rua=mailto:your-selector@dmarccloud.com

Add this as a TXT record in your domain’s settings (DNS) at _dmarc.yourdomain.com.

✅ Key point: Start with p=none — this means “just monitor and report, don’t block anything.” It’s completely safe to deploy right away because it won’t affect your email delivery at all.

Step 5: Review Your Reports

Within a day or two of publishing your DMARC record, you’ll start receiving reports. These reports show you:

  • Every server that sent email claiming to be from your domain
  • Whether each sender passed or failed your SPF and DKIM checks
  • Whether the checks matched up with the “From” address your recipients see (this matching is called “alignment”)
  • How many emails each source sent

The raw reports are in a machine-readable format (XML), which is where DMARC Cloud comes in — we turn them into clear dashboards so you can instantly see:

Legitimate senders that are fine

⚠️

Legitimate senders with problems

Fix these before tightening up
🚫

Unauthorised senders

People trying to fake your email

Step 6: Fix Any Problems

For any legitimate senders that are failing, here’s what to do:

  1. Add the service to your authorised sender list (SPF record)
  2. Turn on digital signatures (DKIM) in the service’s settings
  3. Make sure the “From” address they use matches your domain — this matching is what DMARC actually checks (it’s called “alignment”)

Common fixes:

  • A third-party service fails your sender list check → Add their include: to your SPF record
  • A service fails the digital signature check → Turn on DKIM signing in their settings and publish the record they give you
  • The “From” address doesn’t match → Configure the service to send using your domain name in the “From” field, not theirs

Step 7: Tighten Your Protection

Once your reports show that all your legitimate senders are passing, it’s time to start blocking the fakes. Do this gradually — think of it as turning up a dial, not flipping a switch:

A
Start sending fakes to spam — but only a small percentage
p=quarantine; pct=10

Only 10% of failing emails go to spam. Watch your reports for a week to make sure nothing legitimate is affected.

B
Turn up the percentage
p=quarantine; pct=50

Then 100%. Make sure no real email is ending up in spam folders.

C
Switch to full blocking
p=reject

Full protection. Fake emails are blocked entirely — they never reach your recipients.

⚠️ Don’t skip straight to blocking. If you have legitimate services that aren’t set up properly yet, their emails will be blocked too. Always monitor first, fix problems, then gradually tighten.

Quick-Start Checklist

  • ☐ List all services that send email as your domain
  • ☐ Make sure your authorised sender list (SPF) includes all of them
  • ☐ Turn on digital signatures (DKIM) for each email service
  • Generate your DMARC record with p=none (monitor only)
  • ☐ Add the record to your domain’s settings at _dmarc.yourdomain.com
  • ☐ Wait 1–2 days for reports to start arriving
  • ☐ Review reports — find and fix any legitimate senders that are failing
  • ☐ Move to p=quarantine — start at 10%
  • ☐ Gradually increase to p=reject (full protection)
  • ☐ Keep monitoring — adding new services or changing email settings can break things

Ready to start?

Generate your DMARC record and start monitoring your domain in under 5 minutes.

Generate Your DMARC Record →