Prerequisites: SPF and DKIM First
Before you can implement DMARC, you need SPF and DKIM in place. DMARC builds on these two protocols: a receiver checks whether an incoming message passes SPF or DKIM, and whether the domain that passed aligns with the domain in the visible "From" address. A message passes DMARC if either check succeeds in aligned form. Without SPF and DKIM set up for a legitimate sender, every message from it fails DMARC, so an enforcing policy would block your own mail.
Make sure you have:
- An SPF record published as a TXT record at your domain, listing every server and service that sends email on your behalf (your mail server, Google Workspace, Microsoft 365, any CRM or newsletter tool, and so on). Stay within SPF's limit of ten DNS lookups: a record that exceeds it returns a permanent error and SPF fails for everything
- DKIM signing enabled for every service that sends email from your domain, with each service's public key published in DNS at selector._domainkey.yourdomain.com. Make sure the service signs with d= set to your domain rather than its own default domain; a signature under the vendor's domain verifies but does not align
If you're not sure whether these are set up correctly, use DMARC Dashboard to check your domain. Our tool analyses SPF, DKIM, and DMARC together and will highlight any gaps.
Step 1: Start with Monitoring (p=none)
The golden rule of DMARC implementation is to never start with enforcement. Begin with a monitoring-only policy that lets you observe authentication results without affecting email delivery.
Add this TXT record to your domain's DNS at _dmarc.yourdomain.com:
v=DMARC1; p=none; rua=mailto:[email protected]
This tells receiving servers to check DMARC alignment but take no action on failures — just send aggregate reports to the address you specified. Use a dedicated mailbox or a DMARC report processing service so reports don't clutter your main inbox.
Step 2: Add Reporting (rua Tag)
The rua tag specifies where receiving servers should send aggregate reports. These are gzipped XML files that major providers such as Google, Microsoft, and Yahoo send once a day, and each one summarises every message that provider received with your domain in the From header, whether or not you sent it. If the report address is on a different domain than the one being protected (typical when you use a report processing service), that domain must publish a TXT record at yourdomain.com._report._dmarc.reportsdomain.com (replace reportsdomain.com with the report mailbox's domain) containing v=DMARC1, or receivers will not send reports there.
Each report shows:
- The source IP address of the sending server
- How many messages were sent from that IP
- How many of those messages passed or failed SPF and DKIM, and which domain each check authenticated (the SPF envelope domain and the DKIM d= domain)
- Whether those results aligned with the From domain, which is what decides the DMARC verdict
- What action the receiving server took (based on your policy)
You can also add a ruf tag for forensic (failure) reports, which provide details about individual messages that failed authentication. However, many large providers don't send forensic reports due to privacy concerns, so aggregate reports are your primary source of intelligence.
Step 3: Review Your Reports
This is the most important phase and one you shouldn't rush. Spend at least two to four weeks in monitoring mode, reviewing aggregate reports to build a complete picture of your email ecosystem.
Look for:
- Legitimate senders failing SPF — a third-party service sending email on your behalf that you forgot to include in your SPF record
- Legitimate senders failing DKIM — a service that hasn't been configured to sign emails with your domain's DKIM key
- Alignment failures — emails that pass SPF or DKIM, but for the wrong domain: SPF passes on an envelope sender (Return-Path) domain that doesn't match the "From" header domain, or the DKIM signature's d= domain is the vendor's rather than yours. Either is a DMARC fail even though the raw authentication succeeded
- Unauthorised senders — IP addresses you don't recognise sending email from your domain, which could indicate spoofing
Fix any legitimate failures you find before moving to the next step. Update your SPF record to include missing services, enable DKIM signing where it's absent, and verify alignment is working.
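Reading the XML by hand does not scale past a handful of reports, so here is a small parser and triage script for Steps 2 and 3. It is an added example, not DMARC Dashboard's tool: it parses a report in the RFC 7489 Appendix C layout, recomputes SPF and DKIM alignment from the auth_results section, and labels each source IP with the category from the checklist above. SAMPLE_REPORT is a constructed report with four sources (a Google Workspace relay, a newsletter vendor authenticating under its own domain, a forwarder that breaks SPF but leaves the DKIM signature intact, and an unknown host), and KNOWN_SENDER_IPS is an assumed inventory of your own senders; all names and IPs are made up.

```python
"""Parse a DMARC aggregate (rua) report and triage each sending source.
Added example, not DMARC Dashboard's tool. SAMPLE_REPORT is constructed in the
RFC 7489 Appendix C layout; KNOWN_SENDER_IPS is an assumed list of your own senders."""
import gzip
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<feedback>
 <report_metadata><org_name>receiver.example</org_name><report_id>42</report_id>
  <date_range><begin>1700000000</begin><end>1700086400</end></date_range></report_metadata>
 <policy_published><domain>yourdomain.com</domain><adkim>r</adkim><aspf>r</aspf>
  <p>none</p><sp>none</sp><pct>100</pct></policy_published>
 <record><!-- Google Workspace: both pass and align --><row><source_ip>203.0.113.10</source_ip><count>1200</count><policy_evaluated>
   <disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
  <identifiers><header_from>yourdomain.com</header_from></identifiers>
  <auth_results><dkim><domain>yourdomain.com</domain><selector>google</selector><result>pass</result></dkim>
   <spf><domain>yourdomain.com</domain><result>pass</result></spf></auth_results></record>
 <record><!-- newsletter vendor: authenticates under its own domain --><row><source_ip>198.51.100.20</source_ip><count>300</count><policy_evaluated>
   <disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>yourdomain.com</header_from></identifiers>
  <auth_results><dkim><domain>newsletter-vendor.example</domain><selector>k1</selector><result>pass</result></dkim>
   <spf><domain>bounce.newsletter-vendor.example</domain><result>pass</result></spf></auth_results></record>
 <record><!-- forwarder: SPF breaks, DKIM survives --><row><source_ip>192.0.2.77</source_ip><count>15</count><policy_evaluated>
   <disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>yourdomain.com</header_from></identifiers>
  <auth_results><dkim><domain>yourdomain.com</domain><selector>google</selector><result>pass</result></dkim>
   <spf><domain>yourdomain.com</domain><result>fail</result></spf></auth_results></record>
 <record><!-- unknown host using your domain --><row><source_ip>192.0.2.200</source_ip><count>4200</count><policy_evaluated>
   <disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>yourdomain.com</header_from></identifiers>
  <auth_results><spf><domain>yourdomain.com</domain><result>fail</result></spf></auth_results></record>
</feedback>
"""
KNOWN_SENDER_IPS = {"203.0.113.10"}  # assumed: the relay you know sends for you

def org_domain(name):
    # Simplification: real receivers use the Public Suffix List for this step.
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, header_from, mode):
    """Strict (s) alignment needs an exact match; relaxed (r) the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == header_from.lower()
    return org_domain(auth_domain) == org_domain(header_from)

def parse_aggregate_report(data):
    """Return the published policy and one dict per <record> (gzipped bytes accepted)."""
    if isinstance(data, bytes) and data[:2] == b"\x1f\x8b":
        data = gzip.decompress(data)
    root = ET.fromstring(data)
    pub = root.find("policy_published")
    adkim, aspf = pub.findtext("adkim", "r"), pub.findtext("aspf", "r")
    records = []
    for rec in root.findall("record"):
        row, auth = rec.find("row"), rec.find("auth_results")
        header_from = rec.findtext("identifiers/header_from", "")
        dkim_domains, spf_domain = [], ""      # only domains that actually passed
        if auth is not None:
            dkim_domains = [d.findtext("domain", "") for d in auth.findall("dkim")
                            if d.findtext("result") == "pass"]
            spf = auth.find("spf")
            if spf is not None and spf.findtext("result") == "pass":
                spf_domain = spf.findtext("domain", "")
        records.append({
            "source_ip": row.findtext("source_ip", ""),
            "count": int(row.findtext("count", "0")),
            "spf_domain": spf_domain, "dkim_domains": dkim_domains,
            "spf_aligned": aligned(spf_domain, header_from, aspf),
            "dkim_aligned": any(aligned(d, header_from, adkim) for d in dkim_domains),
        })
    return {"domain": pub.findtext("domain"), "p": pub.findtext("p"), "records": records}

def triage(report, known_ips):
    """Label each source; DMARC passes when either identifier aligns."""
    findings = []
    for r in report["records"]:
        if r["spf_aligned"] and r["dkim_aligned"]:
            label = "pass"
        elif r["dkim_aligned"]:
            label = "pass-dkim-only"   # SPF failed: forwarding, or IP missing from SPF
        elif r["spf_aligned"]:
            label = "pass-spf-only"    # no aligned DKIM: enable signing before enforcing
        elif r["dkim_domains"] or r["spf_domain"]:
            label = "unaligned"        # vendor authenticates under its own domain
        elif r["source_ip"] in known_ips:
            label = "known-failing"    # your own server: fix its SPF/DKIM
        else:
            label = "unauthorised"     # nobody you know: likely spoofing
        findings.append((r["source_ip"], label, r["count"]))
    return findings

if __name__ == "__main__":
    for ip, label, count in triage(parse_aggregate_report(SAMPLE_REPORT), KNOWN_SENDER_IPS):
        print(f"{ip:15} {count:6}  {label}")
```

The "unaligned" bucket is the one most worth acting on before enforcement: the vendor is signing and passing SPF, just under its own domain, so the fix is a custom DKIM key (and ideally a custom return path) on your domain rather than an SPF change. Note that the "pass-dkim-only" forwarder would start failing if you ever dropped DKIM, which is why the forwarding pitfall below matters.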
Step 4: Move to Quarantine
Once you're confident that all legitimate email is passing authentication, tighten your policy to quarantine:
v=DMARC1; p=quarantine; rua=mailto:[email protected]; pct=25
Notice the pct=25 tag. This tells receiving servers to apply the quarantine policy to only 25% of failing messages. The remaining 75% are treated as if the policy were still p=none. This gradual rollout lets you catch any remaining issues without a large-scale disruption.
Monitor your reports for another week or two. If everything looks clean, increase the percentage to 50%, then 75%, then remove the pct tag entirely (which defaults to 100%).
Step 5: Enforce with Reject
The final step is full enforcement. Update your DMARC record to reject messages that fail authentication:
v=DMARC1; p=reject; rua=mailto:[email protected]
With p=reject, receiving servers refuse, at SMTP time, any message for which neither SPF nor DKIM passes in alignment with the "From" domain. This is the strongest level of protection against email spoofing and the recommended end state for any domain.
You can use the same gradual rollout here, starting with pct=25 and increasing over time, with one difference: under p=reject the messages not selected by pct are treated as quarantine, not as none, so only begin this stage once quarantine at 100% has been clean for a while.
Common Pitfalls
Even with a careful rollout, there are a few traps to watch out for:
- Email forwarding breaks SPF — when a recipient forwards your email, the forwarding server's IP won't be in your SPF record. This is why DKIM is essential: DKIM signatures survive forwarding, so emails can still pass DMARC via DKIM alignment even when SPF fails.
- Forgotten sending services — organisations often have more services sending email than they realise. Check for CRM systems, helpdesk tools, invoicing platforms, marketing automation, transactional email services, and even internal systems like monitoring alerts.
- Subdomain policy — if a subdomain has no DMARC record of its own, receivers apply the organisational domain's record to it: the sp= tag if present, otherwise p=. So newsletter.yourdomain.com is covered by the parent's policy unless you either set sp= (for example sp=none while the parent is at p=reject, which leaves every subdomain unprotected) or publish a separate record at _dmarc.newsletter.yourdomain.com. Attackers can spoof subdomains you never send from, so the end state should be an enforcing policy for subdomains too
- Mailing list services — lists that add a subject tag or a footer break the DKIM signature, and they relay the message from their own servers with their own envelope sender, so SPF cannot align either. Many lists now rewrite the From header to their own domain or add ARC (Authenticated Received Chain) seals that let a receiver see the authentication results as they were before the list modified the message; ARC only helps when the receiver trusts the list's seal, and older list software does neither
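Before publishing each version of the record in Steps 4 and 5, it helps to lint it. The script below is an added example, not DMARC Dashboard's checker: it parses the tag/value string, reports the policy a receiver would apply to the organisational domain and to a subdomain (the sp= fallback described in the subdomain pitfall above), spells out what pct= does at each stage of the rollout (unselected messages drop one step, reject to quarantine and quarantine to none, per RFC 7489), and flags a rua= destination on another domain that needs the authorisation record from Step 2. The domain names in the usage section are made up.

```python
"""Parse and lint a DMARC TXT record before publishing it.
Added example, not DMARC Dashboard's checker. Rules follow RFC 7489: a
subdomain uses sp= when present and p= otherwise, and pct= sampling
treats the unselected messages one step down (reject -> quarantine,
quarantine -> none). Domain names in the usage section are made up."""

POLICIES = ("none", "quarantine", "reject")
ALLOWED = {"p": POLICIES, "sp": POLICIES, "adkim": ("r", "s"), "aspf": ("r", "s")}
DOWNGRADE = {"reject": "quarantine", "quarantine": "none", "none": "none"}

def org_domain(name):
    # Simplification: receivers use the Public Suffix List for this step.
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def parse_dmarc_record(txt):
    """Split 'tag=value; tag=value' into a dict; v=DMARC1 must be first, p= is required."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip()] = value.strip()
    if not tags or next(iter(tags)) != "v" or tags["v"] != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    if "p" not in tags:
        raise ValueError("p= tag is required")
    return tags

def effective_policy(tags, for_subdomain=False):
    """Policy a receiver applies to mail from the org domain or from one of its subdomains."""
    if for_subdomain and "sp" in tags:
        return tags["sp"]
    return tags["p"]

def disposition_split(tags):
    """(policy for the sampled share, policy for the rest, pct)."""
    pct = int(tags.get("pct", "100"))
    return tags["p"], DOWNGRADE[tags["p"]], pct

def lint_dmarc_record(txt, domain):
    """Return (tags, warnings) for the record you are about to publish at _dmarc.<domain>."""
    tags, warnings = parse_dmarc_record(txt), []
    for key, allowed in ALLOWED.items():
        if key in tags and tags[key] not in allowed:
            warnings.append(f"{key}={tags[key]} is not a valid value")
    if "rua" not in tags:
        warnings.append("no rua= tag: you will get no aggregate reports")
    for uri in filter(None, (u.strip() for u in tags.get("rua", "").split(","))):
        if not uri.startswith("mailto:"):
            warnings.append(f"rua URI {uri!r} is not a mailto: address")
            continue
        dest = uri[len("mailto:"):].split("!")[0].rsplit("@", 1)[-1]  # drop any !size suffix
        if org_domain(dest) != org_domain(domain):
            warnings.append(f"rua destination {dest} is external: it must publish "
                            f"{domain}._report._dmarc.{dest} TXT \"v=DMARC1\" or reports are not sent")
    sampled, rest, pct = disposition_split(tags)
    if not 0 <= pct <= 100:
        warnings.append(f"pct={pct} is out of range")
    elif pct < 100:
        warnings.append(f"pct={pct}: {pct}% of failing mail gets p={sampled}; "
                        f"the other {100 - pct}% is treated as p={rest}")
    if tags["p"] != "none" and effective_policy(tags, for_subdomain=True) == "none":
        warnings.append("sp=none leaves every subdomain unprotected while the org domain is enforced")
    return tags, warnings

if __name__ == "__main__":
    for record in ("v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com",
                   "v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com; pct=25",
                   "v=DMARC1; p=reject; sp=none; rua=mailto:reports@dmarc-vendor.example; pct=25"):
        tags, warnings = lint_dmarc_record(record, "yourdomain.com")
        print(record, "->", effective_policy(tags), "/ subdomains:", effective_policy(tags, True))
        for w in warnings:
            print("  !", w)
```

Run it against the exact string you intend to paste into DNS; the third sample record shows all three warnings at once (external report destination, pct downgrade to quarantine rather than none, and subdomains left at none while the parent rejects), which is a common shape for a half-finished rollout.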
Validating with DMARC Dashboard
After each change to your DNS records, use DMARC Dashboard to verify your configuration. Our free tool checks your DMARC, SPF, and DKIM records in real time and gives you a clear grade showing exactly where you stand.
DNS changes can take up to 48 hours to propagate, depending on the record's TTL and what resolvers have cached, though most updates are visible within minutes. Run a check after making changes to confirm they've taken effect, and again periodically to ensure nothing has drifted out of alignment.
Remember: implementing DMARC is not a one-off task. As your organisation adds new services or changes email providers, you'll need to update your SPF and DKIM records accordingly. Regular checks help you catch issues before they affect email delivery.