How to set up DMARC, step by step (without breaking your email)

DMARC is the DNS record that stops other people from sending email as your domain — and the one Gmail and Yahoo now require from bulk senders. Publishing it takes five minutes. Doing it in the wrong order can send your own invoices to spam, so the sequence below matters more than the syntax.

Updated July 13, 2026

Before DMARC: SPF and DKIM

DMARC works by checking SPF and DKIM results against your From domain, so both need to exist first. Check where you stand with the SPF checker and DKIM checker — and if either is missing, our per-provider setup guides have the exact records for Google Workspace, Microsoft 365, and every major sending service.

Step 1 — publish the monitoring record

Add one TXT record at _dmarc.yourdomain.com:

v=DMARC1; p=none; rua=mailto:reports@your-analyzer.example
Starting record — changes nothing about delivery

p=none means receivers change nothing — they just start sending aggregate reports to the rua= address. Use our DMARC generator to build the record, or sign up free and we generate it with a report address that feeds your dashboard directly.

Step 2 — watch the reports, fix your senders

Over 2–4 weeks the reports reveal every service sending as your domain — including the ones you forgot. For each legitimate source that isn't passing with alignment, turn on its custom-domain authentication (DKIM with d=yourdomain). This is the actual work of DMARC deployment; the guide on alignment explains the failures you'll see.

Step 3 — quarantine, then reject

v=DMARC1; p=quarantine; pct=25; rua=mailto:...   ← failing mail: 25% to spam
v=DMARC1; p=quarantine; rua=mailto:...           ← all failing mail to spam
v=DMARC1; p=reject; rua=mailto:...               ← failing mail refused
The enforcement ladder

Move one rung when the reports show your legitimate mail passing aligned at (near) 100%, and wait a couple of quiet weeks between rungs. Keep rua= forever — reporting is how you'll notice the next forgotten sender before it matters.

Don't forget parked domains

Domains that never send email are the easiest spoofing targets — nobody's watching them. Lock each one with v=spf1 -all (SPF), v=DMARC1; p=reject (DMARC), and an empty DKIM policy if you want to be thorough. Two records, permanent protection.

Common questions

Can I just publish p=reject on day one?+

Only for a domain that sends no email at all (then it's exactly right). For a sending domain, day-one reject means any sender with broken alignment — often one you forgot exists — starts silently bouncing. The none → quarantine → reject ladder exists because everyone has a forgotten sender.

Does DMARC cover my subdomains?+

Yes — the record at _dmarc.yourdomain.com applies to every subdomain that doesn't publish its own, and the sp= tag can set a separate subdomain policy. Attackers who find yourdomain.com locked often try random.yourdomain.com next, so this coverage matters.

Do I need DMARC if I only send a few emails a day?+

The Gmail/Yahoo requirements technically bind bulk senders, but spoofing doesn't check your volume first — small domains get impersonated for invoice fraud constantly, precisely because they're less likely to be protected. One TXT record at p=none costs nothing; start there.