DMARC is the record that finally stops other people from sending email as your domain — but it's also the one most likely to block your own mail if you rush it. The safe way is a staged rollout: start in monitoring mode, read the reports, fix what's failing, then tighten the policy one step at a time. This guide walks through the whole process.
Before you start: Make sure SPF and DKIM are already published and passing for all of your mail. DMARC builds on them — enabling an enforcing DMARC policy while your real mail fails authentication is what causes lost email. Check first with a full domain diagnostic.
What a DMARC record looks like
DMARC is a single TXT record published at the special hostname _dmarc.yourdomain.com. A starter record looks like this:
v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com
The key tags:
- v=DMARC1 — the version. Always first, always this value.
- p= — the policy: none, quarantine, or reject. This is the dial you'll turn up over time.
- rua= — the address that receives aggregate reports (daily XML summaries of who sent mail as you).
- pct= — optional; the percentage of failing mail the policy applies to, used to roll out gradually.
- sp= — optional; a separate policy for subdomains.
Step 1: Publish a monitoring policy (p=none)
Start by publishing the starter record above with p=none. This changes nothing about how your mail is delivered — it simply asks receivers to start sending you reports. Add it as a TXT record at _dmarc.yourdomain.com in your DNS, using the address where you want reports delivered.
Our DMARC checker generates a correct record for you and shows the exact steps for your DNS provider.
Step 2: Read your aggregate reports
Within a day or two, reports start arriving as XML attachments. Raw XML is hard to read, so most people feed rua into a free or paid DMARC report viewer. You're looking for one thing: every legitimate source of your mail, and whether it passes SPF and DKIM with alignment.
Expect surprises here — newsletter platforms, your CRM, invoicing tools, and helpdesk software all send "as you" and are easy to forget. Make a list of every legitimate sender the reports reveal.
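To show what a report viewer extracts, here is an added example (not part of the original guide or of any particular viewer) that summarises one aggregate report per sending IP. The sample XML is constructed, the function names are hypothetical, and the element names follow the aggregate report schema in RFC 7489.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample aggregate report: documentation IP ranges, placeholder domain.
SAMPLE_REPORT = """<feedback>
  <policy_published><domain>yourdomain.com</domain><p>none</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>40</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row></record>
  <record><row><source_ip>203.0.113.5</source_ip><count>9</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
  <record><row><source_ip>203.0.113.5</source_ip><count>3</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>"""

def summarize(report_xml):
    """Return {source_ip: {"total", "dmarc_fail", "dkim_fail", "spf_fail"}} message counts."""
    # Anyone can mail the rua address, so treat reports as untrusted input:
    # aggregate reports never need a DTD, so refuse entity declarations outright.
    if "<!DOCTYPE" in report_xml or "<!ENTITY" in report_xml:
        raise ValueError("DTD/entity declarations are not allowed in a report")
    root = ET.fromstring(report_xml)
    for el in root.iter():  # some reporters add an XML namespace; strip it
        el.tag = el.tag.rsplit("}", 1)[-1]
    stats = defaultdict(lambda: {"total": 0, "dmarc_fail": 0, "dkim_fail": 0, "spf_fail": 0})
    for row in root.iter("row"):
        ip = row.findtext("source_ip", "unknown")
        count = int(row.findtext("count", "0"))
        # policy_evaluated holds the aligned results; DMARC passes if either one passes.
        dkim = row.findtext("policy_evaluated/dkim", "fail")
        spf = row.findtext("policy_evaluated/spf", "fail")
        s = stats[ip]
        s["total"] += count
        s["dkim_fail"] += count if dkim != "pass" else 0
        s["spf_fail"] += count if spf != "pass" else 0
        s["dmarc_fail"] += count if dkim != "pass" and spf != "pass" else 0
    return dict(stats)

def needs_attention(stats):
    """Source IPs with any SPF or DKIM failure, worst DMARC failure count first."""
    flagged = [ip for ip, s in stats.items() if s["dkim_fail"] or s["spf_fail"]]
    return sorted(flagged, key=lambda ip: -stats[ip]["dmarc_fail"])

if __name__ == "__main__":
    result = summarize(SAMPLE_REPORT)
    for ip in needs_attention(result):
        print(ip, result[ip])
```

A source that passes DMARC on SPF alone (198.51.100.7 in the sample) is still flagged, because it will start failing as soon as its mail is forwarded.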
Step 3: Fix the legitimate sources that fail
For each legitimate sender that isn't passing:
- Add it to your SPF record (usually an include: mechanism that the provider documents), and
- Enable DKIM signing for it where the provider supports it (preferred, because DKIM survives forwarding).
Keep iterating until your reports show all of your real mail passing and aligned. Don't move on until this is true — this step is the whole point of monitoring mode.
Step 4: Move to quarantine
Once legitimate mail passes cleanly, tighten to quarantine. Failing mail now goes to the spam folder rather than the inbox:
v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com
If you want to be cautious, apply it to a fraction of mail first with pct, then raise it:
v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@yourdomain.com
Watch reports for a week or two. If nothing legitimate is being caught, raise pct to 100 (or just remove it).
Step 5: Move to reject
The goal is p=reject, where mail that fails authentication is refused outright and never reaches the recipient — the strongest protection against spoofing:
v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com
Only make this jump after quarantine has run cleanly with no legitimate mail caught. At reject, impersonation of your domain stops working.
How long does the whole thing take?
For a simple domain with one mail provider, you can reach p=reject in a couple of weeks. For an organisation with many sending tools, give it four to eight weeks of monitoring so every legitimate source surfaces in the reports before you enforce.
Tip: Keep rua reporting on permanently, even at p=reject. It's your early-warning system — if a new tool starts failing, or someone tries to spoof you, the reports show it.
Generate and verify your record
Use the DMARC checker to build the right record for each stage and confirm it's live, and the full domain check to confirm SPF and DKIM are solid before you enforce. New to the concepts? Read SPF, DKIM & DMARC explained first.