How to Set Up DMARC

Set up DMARC the safe way: publish p=none to monitor, read the aggregate reports, fix your senders, then move to quarantine and reject. With the tags explained.

Updated 6 min read By CodingEagles
Free tool DMARC Record Generator Build a _dmarc TXT record with policy and reporting. Open tool

DMARC is the record that makes SPF and DKIM actually protect your domain from spoofing. It ties those checks to the address recipients see, tells receivers what to do when a message fails, and sends you reports on who is mailing as you. You publish it as one TXT record at _dmarc. The DMARC record generator assembles the value; this guide covers the rollout that keeps your real mail flowing.

What DMARC adds

SPF and DKIM each check a domain, but not necessarily the one in the From header. DMARC closes that gap with alignment: it requires that the domain SPF or DKIM passed for matches the From domain a person sees. A message passes DMARC if it passes SPF or DKIM and is aligned.

It also gives you two things SPF and DKIM cannot: a policy that tells receivers what to do with failures, and reporting that reveals every source sending under your name, including the ones spoofing you.

The record and its tags

A DMARC record reads like this:

v=DMARC1; p=none; rua=mailto:[email protected]; pct=100
  • p is the policy: none to monitor, quarantine to send failures to spam, reject to block them.
  • rua is the address for daily aggregate reports, the most important tag.
  • sp sets a separate policy for subdomains, if you want one.
  • adkim and aspf set alignment to relaxed (r) or strict (s); relaxed is the safe default.
  • pct applies the policy to a percentage of mail, handy when ramping up enforcement.

Roll it out in three stages

The cardinal rule is to never start at reject. Move through three stages.

  1. Monitor with p=none. Publish the record with p=none and a working rua address. This changes nothing about delivery but starts the reports flowing. Leave it for a few weeks.
  2. Read the reports and fix senders. The aggregate reports list every IP sending as your domain and whether it passed SPF and DKIM. Use them to find legitimate services that are failing, and get each one authenticated. If you have not yet, publish SPF and DKIM for those senders first.
  3. Enforce with quarantine, then reject. Once the reports show only your real, aligned mail passing, move to p=quarantine. Watch for a while, then step up to p=reject. You can ease the transition with pct, applying enforcement to part of your mail at first.

Reading the reports

Aggregate reports arrive as zipped XML, one per receiver per day, which is hard to read by hand. The value is in the pattern: a source you recognize but that fails usually means a missing SPF include or an unsigned DKIM path, both fixable. A source you do not recognize is often someone spoofing you, which is exactly what enforcement will stop.

Where DMARC fits

DMARC is the keystone, but it only works on top of the other two records. How to create an SPF record covers authorizing your senders, and how to set up DKIM covers the signature that survives forwarding. Reaching an enforced DMARC policy is also the prerequisite for a BIMI record, which can show your brand logo in supporting inboxes.

Start now with the DMARC record generator: set p=none, add your reporting address, and publish. The reports will tell you what to fix before you tighten the policy.

Frequently asked questions

Where does the DMARC record go?
It is a TXT record at the host _dmarc on your domain, so the full name is _dmarc.example.com. The value starts with v=DMARC1 and includes your policy and reporting address, for example v=DMARC1; p=none; rua=mailto:[email protected].
Should I start with p=reject?
No. Start with p=none, which only monitors and reports without affecting delivery. Use the reports to find every legitimate sender and get them passing, then move to quarantine and finally reject. Jumping straight to reject risks blocking your own mail.
What is DMARC alignment?
Alignment checks that the domain SPF or DKIM passed for matches your visible From domain. Relaxed alignment accepts a parent domain match, strict requires an exact match. A message must pass SPF or DKIM and be aligned to pass DMARC.

Ready to try it?

Build a _dmarc TXT record with policy and reporting. Free, in-browser, and 100% private — your data never leaves your device.

Open the DMARC Record Generator

Related guides

How to Create an SPF Record An SPF record lists who is allowed to send mail as your domain. Here is how to build one that passes, with the limits that trip people up. How to Set Up DKIM DKIM signs your mail with a private key and publishes the public key in DNS. Here is how to generate, publish and rotate a key without breaking delivery.

More tools

JSON Formatter & ValidatorBeautify, minify, validate JSON with a collapsible tree view.Code Formatter & MinifierPretty-print or minify JS, TS, CSS, HTML, JSON, SQL and more.YAML ⇄ JSON ⇄ TOML ConverterConvert config between YAML, JSON and TOML, both ways.JSON Schema Viewer & ValidatorRender a JSON Schema as a tree and validate data against it.Markdown Editor (Live Preview)Write Markdown with a live, side-by-side HTML preview.Mermaid Live EditorTurn Mermaid text into flowcharts and diagrams, live.

More from the Hivly network

Free sister tools on our other sites.

Color Palette GeneratorShuffle palettes with the spacebar, lock favourites, copy hex codes.Length ConverterMetres, feet, miles, inches, km and more, instantly.Word CounterCount words, characters, sentences and reading time live.