What is DMARC? Setup & Best Practices to Protect Your Domain

By Meet Solanki - Last modified on : Apr 23, 2025

Learn How to Configure DMARC & Stop Email Spoofing

Domain spoofing and email impersonation have grown more sophisticated, putting brands, data, and customer trust at serious risk.

This is where DMARC (Domain-based Message Authentication, Reporting, and Conformance) comes in. It is one of the most effective email authentication controls available: it lets you state, in DNS, how receivers should treat mail that claims to be from your domain but cannot prove it, and it reports back to you who is sending as your domain.

IT administrators, marketing managers, and business owners: this article will help you strengthen your domain’s defenses. We cover the basics of DMARC, its role in email security, and a step-by-step setup.

What is DMARC?

DMARC, short for Domain-based Message Authentication, Reporting, and Conformance, is an email authentication protocol that helps protect your domain from spoofing, phishing, and unauthorized use.

It instructs receiving mail servers how to handle messages that claim to come from your domain but fail authentication checks. DMARC is built on two other mechanisms:

  • SPF (Sender Policy Framework)
  • DKIM (DomainKeys Identified Mail)

A key part of DMARC is identifier alignment: the domain in the visible From: header (the RFC5322.From domain) must match the domain that SPF or DKIM actually authenticated. SPF authenticates the envelope sender (RFC5321.MailFrom) domain and DKIM authenticates the d= domain of the signature; neither, on its own, says anything about the From: header the user sees. A message passes DMARC when at least one of the two mechanisms passes and its domain aligns with the From: domain. If neither does, your published policy tells the receiver whether to monitor, quarantine, or reject the message.

It is published as a DNS TXT record at _dmarc.yourdomain.com and builds on the SPF and DKIM records you already have. Once live, it works behind the scenes: receivers check every message that claims to be from your domain, which makes it much harder for a phisher to put your exact domain in the From: header.

But DMARC doesn’t stop at just blocking threats. It also gives you visibility through detailed reports that show who’s sending mail on your behalf (legit or not), how your authentication is working, and where improvements are needed. This kind of insight is invaluable for making informed decisions to improve email deliverability and trust.
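To make the alignment rule concrete, here is an added example (written for this article, not part of the original text or any vendor's code) that evaluates a message's DMARC result from the From: domain, the SPF result for the envelope sender, the DKIM result and d= domain, and the published policy. The scenario inputs are constructed. It approximates the organizational domain by the last two DNS labels; real receivers use the Public Suffix List.

```python
"""DMARC identifier alignment and disposition, worked as an added example.

Assumption (not in the article): the organizational domain is approximated
by the last two DNS labels. Real receivers use the Public Suffix List so
that names like example.co.uk come out right.
"""

POLICIES = ("none", "quarantine", "reject")


def organizational_domain(domain: str) -> str:
    # Simplification: last two labels (see module docstring).
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment as selected by the aspf/adkim tags.

    mode 'r' (relaxed, the default): organizational domains must match,
    so bounce.example.com aligns with example.com.
    mode 's' (strict): the two domains must be identical.
    """
    f = from_domain.lower().rstrip(".")
    a = auth_domain.lower().rstrip(".")
    if mode == "s":
        return f == a
    return organizational_domain(f) == organizational_domain(a)


def evaluate_dmarc(from_domain, spf_result, spf_domain,
                   dkim_result, dkim_domain, policy, aspf="r", adkim="r"):
    """Return (dmarc_pass, disposition).

    from_domain  domain of the visible From: header (RFC5322.From)
    spf_result   SPF result for the envelope sender ('pass', 'fail', ...);
                 spf_domain is the RFC5321.MailFrom domain that was checked
    dkim_result  'pass' if some signature verified; dkim_domain is its d= tag
    policy       the p= (or sp=) value published by the From: domain

    DMARC passes when at least one mechanism passed AND that mechanism's
    domain aligns with the From: domain; only then is the From: header
    actually vouched for. Otherwise the published policy is the disposition.
    """
    if policy not in POLICIES:
        raise ValueError(f"unknown DMARC policy {policy!r}")
    spf_ok = (spf_result == "pass" and spf_domain is not None
              and is_aligned(from_domain, spf_domain, aspf))
    dkim_ok = (dkim_result == "pass" and dkim_domain is not None
               and is_aligned(from_domain, dkim_domain, adkim))
    if spf_ok or dkim_ok:
        return True, "none"
    return False, policy


if __name__ == "__main__":
    # Constructed scenarios for mail whose From: header says example.com,
    # whose owner publishes p=reject.
    cases = [
        ("bulk sender, envelope bounce.example.com, DKIM d=example.com",
         evaluate_dmarc("example.com", "pass", "bounce.example.com",
                        "pass", "example.com", "reject")),
        ("forwarded: SPF breaks at the forwarder, DKIM survives",
         evaluate_dmarc("example.com", "fail", "example.com",
                        "pass", "example.com", "reject")),
        ("spoof: attacker's own domain passes SPF, no aligned DKIM",
         evaluate_dmarc("example.com", "pass", "attacker.example",
                        "none", None, "reject")),
        ("strict aspf=s: the bounce subdomain no longer aligns",
         evaluate_dmarc("example.com", "pass", "bounce.example.com",
                        "none", None, "reject", aspf="s")),
    ]
    for label, (passed, action) in cases:
        print(f"{'PASS' if passed else 'FAIL'} -> {action:10} {label}")
```

The third scenario is the one DMARC exists for: the attacker's server passes SPF for its own domain, but that domain does not align with the forged From: header, so the message fails and the policy applies. The second shows why DKIM matters: forwarding breaks SPF, and an aligned DKIM signature is what keeps legitimate forwarded mail passing.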

DMARC is a foundational step toward a secure email ecosystem, and DMARC at an enforcing policy (quarantine or reject) is a mandatory requirement if your organization wants to display a verified brand logo using a Verified Mark Certificate.


Prerequisites Before Setting Up DMARC

Before configuring DMARC, confirm that SPF and DKIM are properly set up for your domain. At least one of them must pass and align with your From: domain for DMARC to pass, so a gap in either will show up as DMARC failures.

SPF (Sender Policy Framework)

SPF is a DNS-based email authentication protocol that declares which IP addresses may send mail for your domain. Without an SPF record, a receiving mail server has no way to tell whether the connecting host is one you authorized. That makes SPF a crucial component in preventing email impersonation.

How SPF Works?
SPF publishes the permitted sending IPs in a DNS TXT record. When a receiving mail server accepts a connection, it takes the domain from the envelope sender (the SMTP MAIL FROM address, or the HELO/EHLO name if MAIL FROM is empty), fetches that domain’s SPF record, and checks whether the connecting IP is listed. If it is, the message passes SPF. SPF never looks at the From: header the recipient sees; that gap is exactly what DMARC’s alignment check closes.

How to Set Up SPF?

To begin, check your current SPF record using tools like Google Admin Toolbox. These tools provide insights into your SPF status or notify you if it isn’t configured yet.

These steps may differ based on your domain host.

  1. Create a new TXT record for your SPF information. An SPF record starts with the version tag v=spf1, followed by mechanisms (what is allowed) and, optionally, modifiers.
  2. Directly specify IP addresses allowed to send emails for your domain using the ip4: (IPv4) or ip6: (IPv6) mechanisms.

    Example:

    v=spf1 ip4:192.0.2.1 ip6:2001:db8:0:1:1:1:1:1

  3. Add an include: mechanism for each external service authorized to send on your behalf. For example, to authorize Google Workspace, use:

    include:_spf.google.com

  4. Specify a default action for sources not matched by any earlier mechanism, using a qualified all term:
    • -all (fail: not authorized)
    • ~all (soft fail: accept but treat with suspicion, typically as spam)
    • ?all (neutral: no statement either way)
    • +all (allow all sources; never use this, it authorizes every host on the internet)

    Keep the record within the limit of 10 DNS-querying terms (include, a, mx, ptr, exists, and redirect=) that RFC 7208 imposes. A record that exceeds it returns permerror, which counts as not passing for DMARC. Each include: of a third-party service consumes at least one lookup, and the services’ own records often contain further includes.

After setting up, your SPF record might look like this:

v=spf1 ip4:192.0.2.1 ip6:2001:db8:0:1:1:1:1:1 include:thirdpartydomain.com -all
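The following is an added example, not from the original article, that checks an SPF record offline in Python: it validates the syntax, counts the DNS-querying terms against the limit of 10, and evaluates a sender IP against the ip4, ip6 and all terms. It does not resolve include: or redirect= targets; when the answer depends on one, it says so. The record under test is the one from the step above; the sender IPs are constructed documentation addresses.

```python
"""Offline SPF record checks, added as an example (not from the article).

Validates syntax, counts DNS-querying terms against the RFC 7208 limit of
10, and evaluates a sender IP against ip4/ip6/all terms. Terms that need DNS
(include, a, mx, ptr, exists, redirect=) are reported, not resolved.
"""
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
DNS_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}
KNOWN_MECHANISMS = DNS_MECHANISMS | {"all", "ip4", "ip6"}


def parse_spf(record: str):
    """Return (terms, dns_lookups).

    terms is a list, in record order, of ('mech', qualifier, name, argument)
    or ('mod', name, value) tuples.
    """
    parts = record.strip().split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("SPF record must start with v=spf1")
    terms, lookups = [], 0
    for raw in parts[1:]:
        # A modifier is name=value, where '=' comes before any ':' (ip6 args have colons)
        eq, colon = raw.find("="), raw.find(":")
        if eq != -1 and (colon == -1 or eq < colon):
            name, value = raw[:eq].lower(), raw[eq + 1:]
            if name == "redirect":
                lookups += 1
            terms.append(("mod", name, value))
            continue
        qualifier = "+"                       # no qualifier means '+'
        if raw[0] in QUALIFIERS:
            qualifier, raw = raw[0], raw[1:]
        name, _, arg = raw.partition(":")
        name = name.split("/")[0].lower()     # 'a/24' -> 'a' (CIDR suffix on a/mx)
        if name not in KNOWN_MECHANISMS:
            raise ValueError(f"unknown SPF mechanism {name!r}")
        if name in DNS_MECHANISMS:
            lookups += 1
        terms.append(("mech", qualifier, name, arg))
    return terms, lookups


def check_ip(record: str, sender_ip: str) -> str:
    """Evaluate sender_ip against the record without touching DNS.

    Returns 'pass', 'fail', 'softfail' or 'neutral' when ip4/ip6/all terms
    decide it, or 'dns-required:<term>' at the first term that needs a lookup.
    """
    ip = ipaddress.ip_address(sender_ip)
    terms, _ = parse_spf(record)
    redirect = None
    for term in terms:
        if term[0] == "mod":
            if term[1] == "redirect":
                redirect = term[2]            # only consulted if nothing matches
            continue
        _, qualifier, name, arg = term
        if name in ("ip4", "ip6"):
            network = ipaddress.ip_network(arg, strict=False)
            if network.version == ip.version and ip in network:
                return QUALIFIERS[qualifier]
        elif name == "all":
            return QUALIFIERS[qualifier]
        else:
            return f"dns-required:{name}:{arg}"
    if redirect:
        return f"dns-required:redirect={redirect}"
    return "neutral"                          # RFC 7208: no match and no all -> neutral


def lint_spf(record: str) -> list:
    """Return human-readable problems with a record (empty list if none)."""
    problems = []
    terms, lookups = parse_spf(record)
    if lookups > 10:
        problems.append(f"{lookups} DNS-querying terms; RFC 7208 allows 10, "
                        "beyond that receivers return permerror")
    mechs = [t for t in terms if t[0] == "mech"]
    if any(q == "+" and n == "all" for _, q, n, _ in mechs):
        problems.append("+all authorizes every host on the internet")
    has_all = any(n == "all" for _, _, n, _ in mechs)
    has_redirect = any(t[0] == "mod" and t[1] == "redirect" for t in terms)
    if not has_all and not has_redirect:
        problems.append("no 'all' term: unlisted senders get neutral, not fail")
    if any(n == "ptr" for _, _, n, _ in mechs):
        problems.append("ptr is deprecated (RFC 7208 section 5.5) and slow")
    return problems


if __name__ == "__main__":
    article_record = ("v=spf1 ip4:192.0.2.1 ip6:2001:db8:0:1:1:1:1:1 "
                      "include:thirdpartydomain.com -all")
    for ip in ("192.0.2.1", "2001:db8:0:1:1:1:1:1", "198.51.100.9"):
        print(f"{ip:>22} -> {check_ip(article_record, ip)}")
    print("lint:", lint_spf(article_record) or "no problems")
    print("lint:", lint_spf("v=spf1 +all"))
```

Note that the third IP does not fail outright: the include: has to be resolved before the -all can be reached, which is exactly the lookup budget the 10-term limit is protecting.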

DKIM (DomainKeys Identified Mail)

DKIM is an email authentication protocol that lets a receiver verify that a message was signed by the holder of a private key whose public key is published in your domain’s DNS, and that the signed headers and body were not altered in transit. You digitally sign outgoing messages, and the recipient’s server checks the signature against your DNS.

How DKIM Works?

The sending server signs selected headers and a hash of the body with a private key and adds the result as a DKIM-Signature header. The receiving server reads the selector (s=) and domain (d=) from that header, fetches the public key from DNS at selector._domainkey.domain, and verifies the signature. If it verifies, the message passes DKIM, and the d= domain becomes the identifier that DMARC compares with the From: domain.

How to Set Up DKIM?

  1. Generate a DKIM key pair in your email provider’s admin panel. The private key stays with the provider’s signing servers; you publish only the public key. The steps vary by provider (e.g., Google Workspace, Microsoft 365, Zoho, etc.).

    Note: For Google Workspace users, DKIM signing may be off by default. You must generate a key and explicitly turn on DKIM signing in the Google Admin console.
  2. Publish the public key in your DNS as a TXT record. The record name follows this format, where selector is the name your provider gave the key:

    selector._domainkey.yourdomain.com
  3. Finally, enable DKIM signing so outgoing messages carry a DKIM-Signature header produced with your private key. This is a signature, not encryption: the message stays readable, and the signature only lets receivers prove who signed it and that it was not changed.

By combining SPF, DKIM, and DMARC policies, your organization can establish a comprehensive email authentication framework. It safeguards against phishing attacks, ensuring secure and trusted communication.
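As an added example (not the article’s or any provider’s code), this Python snippet shows the receiver’s side of step 2: it reads the s= and d= tags from a DKIM-Signature header to work out which DNS name to query, and interprets the TXT record found there. The header and key record are constructed; the p= value is a zero-filled placeholder of the size of a 2048-bit RSA public key, not a real key.

```python
"""Where a receiver looks for a DKIM public key, worked as an added example.

Parses a DKIM-Signature header to derive the DNS name of the key record and
interprets the key record itself (RFC 6376). Both inputs are constructed
for this example; the key bytes are a zero-filled placeholder of the size
of a 2048-bit RSA SubjectPublicKeyInfo, not a real key.
"""
import base64

SAMPLE_SIGNATURE = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel2025;\r\n"
    " h=from:to:subject:date; bh=2jmj7l5rSw0yVb/vlWAYkK/YBwk=;\r\n"
    " b=cGxhY2Vob2xkZXIgc2lnbmF0dXJlIGJ5dGVz"
)
PLACEHOLDER_KEY = base64.b64encode(bytes(294)).decode()  # not a real key
SAMPLE_KEY_RECORD = f"v=DKIM1; k=rsa; t=y; p={PLACEHOLDER_KEY}"


def tag_list(value: str) -> dict:
    """Parse a 'tag=value; tag=value' list; folding whitespace in values is dropped."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = "".join(val.split())
    return tags


def dkim_key_name(signature_header: str) -> str:
    """DNS owner name the receiver queries for the public key: s._domainkey.d"""
    tags = tag_list(signature_header)
    missing = [t for t in ("v", "a", "d", "s", "h", "bh", "b") if t not in tags]
    if missing:
        raise ValueError(f"DKIM-Signature lacks required tags: {missing}")
    if tags["v"] != "1":
        raise ValueError(f"unsupported DKIM version {tags['v']!r}")
    return f"{tags['s']}._domainkey.{tags['d']}"


def signing_domain(signature_header: str) -> str:
    """The d= domain: the identifier DMARC aligns against the From: header."""
    return tag_list(signature_header)["d"].lower()


def inspect_key_record(txt: str) -> dict:
    """Interpret a DKIM key TXT record (RFC 6376 section 3.6.1)."""
    tags = tag_list(txt)
    if tags.get("v", "DKIM1") != "DKIM1":
        raise ValueError("if v= is present it must be DKIM1")
    if "p" not in tags:
        raise ValueError("p= (public key) is required")
    flags = tags.get("t", "").split(":")
    return {
        "key_type": tags.get("k", "rsa"),
        # An empty p= revokes the selector: signatures made with it must fail.
        "revoked": tags["p"] == "",
        # t=y: the domain is testing DKIM; verifiers must not treat a failed
        # signature worse than unsigned mail.
        "testing": "y" in flags,
        # t=s: the i= identity may not be a subdomain of d=.
        "strict_identity": "s" in flags,
        # DER length is a quick key-size tell: 162 bytes is RSA-1024, 294 is RSA-2048.
        "der_bytes": len(base64.b64decode(tags["p"])),
    }


if __name__ == "__main__":
    print("query:", dkim_key_name(SAMPLE_SIGNATURE))
    print("aligns against From: using", signing_domain(SAMPLE_SIGNATURE))
    print("key record:", inspect_key_record(SAMPLE_KEY_RECORD))
    print("revoked record:", inspect_key_record("v=DKIM1; k=rsa; p="))
```

Two practical uses: rotate keys by publishing a new selector, switching signing to it, and only then emptying the old p=; and treat a lingering t=y or a 1024-bit key in your own records as a finding, since receivers give neither full credit.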


Tip: Let SPF and DKIM run for at least 48 hours before activating DMARC for proper alignment.

Understanding DMARC Policies

The DMARC policy is the heart of a deployment: published in the p= tag, it tells receiving mail servers how to handle messages that use your domain in the From: header but fail DMARC. It is what turns SPF and DKIM results into a decision about fraudulent mail.

When a message fails DMARC, the receiver applies your policy: monitor, quarantine, or reject. At the stricter settings, forged mail is isolated or refused before it reaches the inbox.

DMARC Enforcement Policy

A DMARC enforcement policy can be set to one of three modes:

  • p=none – Monitor Only

    Best for the early stages of deployment.

    Use this mode to collect data, identify gaps in SPF/DKIM alignment, and monitor unauthorized senders without affecting delivery.

  • p=quarantine – Partial Enforcement

    A safe middle ground before going fully restrictive.

    Once you’ve analyzed your DMARC reports and confirmed that legitimate sources are properly authenticated, this mode helps divert suspicious emails to the spam folder.

  • p=reject – Full Protection

    The most effective defense against spoofing and impersonation.

    Recommended when all outbound sources are aligned with SPF/DKIM and you’re ready to block forged messages entirely.

At enforcement, only mail from your domain that passes DMARC is delivered normally; mail that fails is sent to spam (quarantine) or refused at the SMTP level (reject). Mailbox providers also weigh your DMARC status in delivery decisions. Unfortunately, many domains have not got there: studies show that 75-80% of domains remain at the p=none stage.

How to Set Up DMARC: Step-by-Step Guide

Setting up a DMARC record in your DNS is a crucial step for your email security. Follow these steps to implement DMARC:

STEP 1: DNS Login & TXT Record Addition

Log into your DNS provider’s control panel and navigate to the section where you can manage DNS records.

  • Create a new TXT record.
  • Set the host name to: _dmarc.your-domain.com

    (replace “your-domain.com” with your actual domain; the _dmarc label is required, as receivers look for the record only there, so a TXT record at the bare domain is not a DMARC record)

Use the standard DMARC tags for a basic setup:

  • v=DMARC1: The DMARC version (currently 1). It must be the first tag in the record.
  • p=none: The initial policy, “none”, for monitoring. Mail that fails DMARC is still delivered, but you receive reports about it.
  • fo=1: Controls when failure (forensic) reports are generated. The default, fo=0, reports only when both SPF and DKIM fail; fo=1 reports when either one fails, which is what you want while hunting misaligned senders. It has no effect unless ruf= is also set.
  • rua=mailto:dmarc_reports@yourdomain.com: Where receivers send aggregate reports: XML summaries, usually daily, of all mail seen using your domain, passing and failing, grouped by sending IP and authentication result. Replace the address with one you can access.
  • ruf=mailto:dmarc_alerts@yourdomain.com: Where receivers send failure reports for individual messages. You can reuse the rua address or use a separate one. Be aware that many large receivers do not send failure reports at all, for privacy reasons, so build your monitoring on the aggregate reports.

STEP 2: Version & Initial Policy Setup

Only one ordering rule applies: v=DMARC1 must be the first tag; the remaining tags may appear in any order, separated by semicolons. Set the initial policy to p=none for monitoring.

Add fo=1 so that failure reports are generated when either mechanism fails, and enter your addresses for rua (aggregate reports) and ruf (failure reports). Make sure those addresses are valid and monitored, as they will receive diagnostic information about your email flow and authentication failures. If a report address is on a different domain than the one you are protecting (for example, a reporting vendor), that domain must publish an authorization TXT record at yourdomain.com._report._dmarc.reportdomain.com, or receivers will discard your reports.

In this initial setup, your record will look like:

v=DMARC1; p=none; fo=1; rua=mailto:dmarc_reports@yourdomain.com; ruf=mailto:dmarc_alerts@yourdomain.com;

STEP 3: Submit & Monitor

Once the TXT record is created, save the changes with your DNS provider. Allow at least a week of monitoring before moving to stricter policies like p=quarantine or p=reject. Aggregate reports are compressed XML, so at any real volume you will want a parser or a reporting service rather than reading them by hand. This phased rollout confirms that all your legitimate email sources pass SPF or DKIM with alignment.

Configuring DMARC Enforcement Policies (Quarantine vs. Reject)

Once you’ve verified that legitimate sources are aligned correctly, it’s time to enforce stricter policies.

How To Set Up DMARC Quarantine Policy?

To set up a quarantine policy, update your DMARC TXT record’s p= tag from none to quarantine. Your revised record should look something like:

v=DMARC1; p=quarantine; rua=mailto:dmarc_reports@yourdomain.com; ruf=mailto:dmarc_alerts@yourdomain.com; fo=1

If the receiver maintains a quarantine mailbox, messages will be directed there, leaving the administrator with the pivotal decision to deliver or discard them. Alternatively, recipients hosting mailboxes may choose to divert non-compliant emails to the spam folder, empowering users to decide whether to move them to the inbox.

While quarantine is often viewed as a gradual testing option, it demands careful configuration. Legitimate mail will be flagged if a sender’s SPF or DKIM does not align with your From: domain. You can soften the step with the pct tag (for example, pct=25 applies quarantine to a quarter of the failing mail and leaves the rest at none) and raise it as the reports stay clean. Continuous report monitoring is critical during this phase to avoid disrupting legitimate communication.

How To Set Up DMARC Reject Policy?

To set up a reject policy, update your existing DMARC TXT record’s p= tag from none or quarantine to reject. This approach makes sure that recipients are not exposed to potential threats, as malicious emails are outright blocked without entering spam or quarantine folders.

Your updated TXT record will look like this:

v=DMARC1; p=reject; rua=mailto:dmarc_reports@yourdomain.com; ruf=mailto:dmarc_alerts@yourdomain.com; fo=1

The proactive nature of “reject” prevents end-users from falling victim to phishing attempts, safeguarding them from clicking on harmful links or opening malicious attachments. While this provides robust security, organizations should be cautious about legitimate emails failing authentication. If any legitimate sender fails SPF or DKIM alignment, their emails may also get rejected.

A well-monitored p=reject policy offers both maximum protection and minimal disruption to legitimate communications.

How to Test and Validate DMARC?

Once your DMARC record is published, it’s essential to verify that it’s working as intended. Even small misconfigurations like incorrect tags, typos in email addresses, or alignment mismatches can lead to authentication failures or missed reports.  

Testing your setup helps you catch issues early, avoid delivery disruptions, and prepare confidently for policy enforcement. It will help you verify if your record is:

  • Published correctly in DNS
  • Structured using valid syntax
  • Pointing to functioning rua and ruf addresses
  • Actively sending and receiving reports

Step-by-Step DMARC Validation

  1. Choose a DMARC checker tool.
  2. Enter your domain name into the tool and check. The tool will fetch and evaluate your DMARC record.
  3. The DMARC checker will scan your domain and return a thorough report. Many tools also assign a score or flag warnings (e.g., missing tags, invalid email addresses, weak policy, etc.).

Tip: If your score is 7/10 or lower, it’s a sign your authentication needs improvement.

What to Do If Issues Are Found?

If the tool flags issues, revisit your DMARC TXT record and correct any syntax, alignment, or policy errors. You can test again immediately after DNS propagation (usually within a few minutes to 24 hours, depending on TTL settings).
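The checker below is an added example (not the article’s code or any vendor’s tool) that performs the checks described in STEP 1 to STEP 3 and in this validation section on a record you paste in: that it is published at _dmarc.<domain>, that v=DMARC1 comes first, that p, sp, adkim, aspf, pct and fo have legal values, and that every rua/ruf address is a mailto: URI whose domain either belongs to your organization or is called out as needing an authorization record. The records it is run against are constructed, and the organizational domain is approximated by the last two DNS labels.

```python
"""Validate a DMARC record as you would publish it, added as an example.

No DNS queries are made: you pass the owner name and the TXT value you
published. Organizational domains are approximated by the last two DNS
labels (receivers use the Public Suffix List), which is enough to tell
reports@yourdomain.com apart from reports@dmarc-vendor.example.
"""

POLICIES = {"none", "quarantine", "reject"}
KNOWN_TAGS = {"v", "p", "sp", "rua", "ruf", "adkim", "aspf", "pct", "fo", "rf", "ri"}


def parse_dmarc(record: str) -> list:
    """Return the record as an ordered list of (tag, value) pairs."""
    pairs = []
    for part in record.split(";"):
        if not part.strip():
            continue                              # tolerate a trailing ';'
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag {part.strip()!r}")
        pairs.append((name.strip(), value.strip()))
    return pairs


def org_domain(domain: str) -> str:
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def report_domains(uri_list: str) -> list:
    """Domains of the mailto: URIs in an rua= or ruf= value."""
    domains = []
    for uri in uri_list.split(","):
        uri = uri.strip()
        if not uri.lower().startswith("mailto:"):
            raise ValueError(f"report URI is not mailto: {uri!r}")
        address = uri[len("mailto:"):].split("!")[0]   # drop optional size limit (!10m)
        local, sep, host = address.partition("@")
        if not (local and sep and host):
            raise ValueError(f"bad report address {address!r}")
        domains.append(host.lower())
    return domains


def validate_dmarc(owner_name: str, record: str, domain: str) -> list:
    """Return the problems found; an empty list means the record looks sound."""
    problems = []
    expected = f"_dmarc.{domain}".lower()
    if owner_name.lower().rstrip(".") != expected:
        problems.append(f"publish the TXT record at {expected}, not {owner_name}")
    try:
        pairs = parse_dmarc(record)
    except ValueError as err:
        return problems + [str(err)]
    tags = dict(pairs)
    if len(tags) != len(pairs):
        problems.append("duplicate tags in record")
    if not pairs or pairs[0] != ("v", "DMARC1"):
        problems.append("v=DMARC1 must be the first tag")
    problems += [f"unknown tag {t!r} (receivers ignore it)" for t in tags if t not in KNOWN_TAGS]
    if "p" not in tags:
        problems.append("p= is required")
    elif tags["p"] not in POLICIES:
        problems.append(f"p={tags['p']!r} is not none, quarantine or reject")
    if tags.get("sp", "none") not in POLICIES:
        problems.append(f"sp={tags['sp']!r} is not none, quarantine or reject")
    for name in ("adkim", "aspf"):
        if tags.get(name, "r") not in ("r", "s"):
            problems.append(f"{name}={tags[name]!r} must be r or s")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) > 100:
        problems.append(f"pct={pct!r} must be an integer from 0 to 100")
    if not set(tags.get("fo", "0").split(":")) <= {"0", "1", "d", "s"}:
        problems.append(f"fo={tags['fo']!r} may only combine 0, 1, d, s")
    if "rua" not in tags:
        problems.append("no rua=: you will receive no aggregate reports")
    for name in ("rua", "ruf"):
        if name not in tags:
            continue
        try:
            for dest in report_domains(tags[name]):
                if org_domain(dest) != org_domain(domain):
                    # RFC 7489 section 7.1: an external destination must opt in,
                    # or receivers silently discard the reports.
                    problems.append(f"{name} goes to {dest}: it must publish a TXT record "
                                    f"at {domain}._report._dmarc.{dest}")
        except ValueError as err:
            problems.append(f"{name}: {err}")
    return problems


if __name__ == "__main__":
    article = ("v=DMARC1; p=none; fo=1; rua=mailto:dmarc_reports@yourdomain.com; "
               "ruf=mailto:dmarc_alerts@yourdomain.com;")
    for owner, rec in [("_dmarc.yourdomain.com", article),
                       ("yourdomain.com", article),
                       ("_dmarc.yourdomain.com", "v=DMARC1; p=reject; rua=mailto:r@dmarc-vendor.example")]:
        print(owner, "->", validate_dmarc(owner, rec, "yourdomain.com") or "OK")
```

Run it against the exact owner name and value you entered in the DNS console before waiting on propagation; the two mistakes it catches most often, a record at the bare domain and an unauthorized external report address, both produce silence rather than an error, so nothing else will tell you.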

In Conclusion

DMARC is an essential strategy for strengthening email security against phishing and impersonation. Start at ‘none’ to collect reports and find legitimate senders that fail alignment, move to ‘quarantine’ once they are fixed, and finish at ‘reject’, which asks receiving hosts to refuse unauthorized mail outright.

To improve email security, set DMARC settings to “reject,” which emphasizes a proactive approach to suspected risks. By combining SPF, DKIM, and DMARC policies, organizations establish a robust defense mechanism. This step-by-step guide offers practical insights for implementation, enabling businesses to mitigate risks and deliver trusted communication.

About the Author

Meet Solanki

Meet Solanki, an IT maestro with 8+ years of hands-on expertise in the realms of network and server administration. Armed with a Bachelor's degree in Computer Science, Meet takes pride in being more than a tech enthusiast - he ensures that the systems run seamlessly and maintain the highest standards of security. His technical acumen is a testament to his commitment to optimizing system performance and ensuring robust security protocols.
