How to set up DMARC, step by step (without breaking your email)
DMARC is the DNS record that stops other people from sending email as your domain — and the one Gmail and Yahoo now require from bulk senders. Publishing it takes five minutes. Doing it in the wrong order can send your own invoices to spam, so the sequence below matters more than the syntax.
Updated July 13, 2026
Before DMARC: SPF and DKIM
DMARC works by checking SPF and DKIM results against your From domain, so both need to exist first. Check where you stand with the SPF checker and DKIM checker — and if either is missing, our per-provider setup guides have the exact records for Google Workspace, Microsoft 365, and every major sending service.
Step 1 — publish the monitoring record
Add one TXT record at _dmarc.yourdomain.com:
v=DMARC1; p=none; rua=mailto:reports@your-analyzer.examplep=none means receivers change nothing — they just start sending aggregate reports to the rua= address. Use our DMARC generator to build the record, or sign up free and we generate it with a report address that feeds your dashboard directly.
Step 2 — watch the reports, fix your senders
Over 2–4 weeks the reports reveal every service sending as your domain — including the ones you forgot. For each legitimate source that isn't passing with alignment, turn on its custom-domain authentication (DKIM with d=yourdomain). This is the actual work of DMARC deployment; the guide on alignment explains the failures you'll see.
Step 3 — quarantine, then reject
v=DMARC1; p=quarantine; pct=25; rua=mailto:... ← failing mail: 25% to spam
v=DMARC1; p=quarantine; rua=mailto:... ← all failing mail to spam
v=DMARC1; p=reject; rua=mailto:... ← failing mail refusedMove one rung when the reports show your legitimate mail passing aligned at (near) 100%, and wait a couple of quiet weeks between rungs. Keep rua= forever — reporting is how you'll notice the next forgotten sender before it matters.
Don't forget parked domains
Domains that never send email are the easiest spoofing targets — nobody's watching them. Lock each one with v=spf1 -all (SPF), v=DMARC1; p=reject (DMARC), and an empty DKIM policy if you want to be thorough. Two records, permanent protection.