Email Security (DMARC+)

Setting Up DMARC for the First Time

Overview

Setting up DMARC correctly takes a few days to a few weeks, depending on how many services send email from your domain. This guide walks you through the complete setup process from zero to enforcement.


Before you start

Gather answers to these questions:

  1. Which domains do you need to protect? Include your primary domain plus any domains used for email (subdomains, regional domains).
  2. Which services send email from your domain? Common ones: Google Workspace, Microsoft 365, Mailchimp, HubSpot, Zendesk, Salesforce, Twilio SendGrid.
  3. Do you have access to your DNS? You'll need to add TXT records.

Step 1 — Publish a monitoring-only DMARC record

Add this TXT record to your DNS:

_dmarc.yourdomain.com  TXT  "v=DMARC1; p=none; rua=mailto:[email protected]"

Replace [email protected] with a real mailbox or your DMARC+ reporting address.

p=none means monitoring only — no emails are rejected or quarantined. You're just collecting data.

Why start here: You can't safely enforce DMARC until you know all your legitimate sending sources are authenticated. Starting at p=none lets you gather that data without breaking any email.


Step 2 — Check SPF for your domain

Look up your existing SPF record:

dig TXT yourdomain.com

If you have one, open the SPF Explorer in DMARC+ to visualise it. If you don't have one, create it:

v=spf1 include:_spf.google.com -all

Add an include: for every service that sends email from your domain. Examples:

  • Google Workspace: include:_spf.google.com
  • Microsoft 365: include:spf.protection.outlook.com
  • Mailchimp: include:servers.mcsv.net
  • SendGrid: include:sendgrid.net

Step 3 — Set up DKIM for each sending service

Log into each service and configure DKIM signing:

Service           Where to find DKIM settings
Google Workspace  Admin Console → Apps → Google Workspace → Gmail → Authenticate email
Microsoft 365     Security & Compliance Center → DKIM
Mailchimp         Account settings → Domains → Authenticate
Other services    Check the service's documentation for "DKIM setup" or "email authentication"

Each service will give you a DNS TXT record to publish. Add it to your domain's DNS.


Step 4 — Wait for DMARC reports

After 24–48 hours, you'll start receiving aggregate DMARC reports. DMARC+ processes these and shows them in the Dashboard.

Look at:

  • Which sources are passing SPF and DKIM
  • Which sources are failing — these need to be fixed before you can enforce

Step 5 — Fix failing sources

For each source failing authentication:

  1. Is it a service you use? — Add its SPF include to your SPF record and set up DKIM
  2. Is it a service you don't use anymore? — Remove it from your SPF record (or ignore it if it's not in your record)
  3. Is it unknown? — Investigate. It may be someone spoofing your domain or a service you forgot about

Repeat until your authentication pass rate is consistently above 95% for 1–2 weeks.
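The check described in Steps 4 and 5, as an added example (not DMARC+ code): it tallies DMARC pass and fail counts per sending IP from one aggregate report and compares the overall pass rate to the 95% target. The sample report, the function names and the IP addresses are constructed for illustration, and the report is assumed to be already decompressed.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in the RFC 7489 aggregate-report layout (already unzipped).
# IPs are documentation ranges; a real report carries more fields per record.
ROW = ("<record><row><source_ip>{ip}</source_ip><count>{n}</count>"
       "<policy_evaluated><disposition>none</disposition>"
       "<dkim>{dkim}</dkim><spf>{spf}</spf></policy_evaluated></row></record>")
SAMPLE_REPORT = "<feedback>" + "".join([
    ROW.format(ip="192.0.2.10", n=170, dkim="pass", spf="pass"),
    ROW.format(ip="198.51.100.7", n=15, dkim="pass", spf="fail"),
    ROW.format(ip="203.0.113.50", n=15, dkim="fail", spf="fail"),
]) + "</feedback>"


def summarize(report_xml):
    """Return {source_ip: [dmarc_passed, total]} message counts.

    policy_evaluated holds the aligned DKIM and SPF results, so a row
    passes DMARC when either of them is "pass".
    """
    # Reports are third-party input: use a hardened XML parser in production.
    stats = defaultdict(lambda: [0, 0])
    for row in ET.fromstring(report_xml).iter("row"):
        ip = row.findtext("source_ip")
        count = int(row.findtext("count"))
        results = (row.findtext("policy_evaluated/dkim"),
                   row.findtext("policy_evaluated/spf"))
        stats[ip][1] += count
        if "pass" in results:
            stats[ip][0] += count
    return dict(stats)


def pass_rate(stats):
    """Fraction of all reported messages that passed DMARC."""
    total = sum(t for _, t in stats.values())
    return sum(p for p, _ in stats.values()) / total if total else 0.0


def failing_sources(stats):
    """Source IPs with at least one DMARC failure: the Step 5 worklist."""
    return sorted(ip for ip, (p, t) in stats.items() if p < t)


def above_threshold(stats, threshold=0.95):
    """True when this report's pass rate exceeds the 95% target."""
    return pass_rate(stats) > threshold


if __name__ == "__main__":
    s = summarize(SAMPLE_REPORT)
    print(f"{pass_rate(s):.1%}", failing_sources(s), above_threshold(s))
```

A single report covers one receiver and one reporting period, so the result is only meaningful when tracked across reports for the 1–2 weeks the guide asks for.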


Step 6 — Advance to quarantine

Update your DMARC record:

_dmarc.yourdomain.com  TXT  "v=DMARC1; p=quarantine; pct=10; rua=mailto:[email protected]"

pct=10 applies the policy to only 10% of failing emails. This lets you test the policy safely before full rollout. Watch the DMARC+ dashboard for any legitimate emails being quarantined. If you see any, fix those sources before increasing pct.

Gradually increase pct to 100 over 2–4 weeks:

pct=10 → pct=25 → pct=50 → pct=100

Step 7 — Advance to reject

Once p=quarantine; pct=100 is stable and you're not seeing legitimate emails being caught:

_dmarc.yourdomain.com  TXT  "v=DMARC1; p=reject; rua=mailto:[email protected]"

You're now fully enforced. Any email that fails DMARC, meaning it passes neither SPF nor DKIM with alignment, is rejected before reaching the inbox.


With p=reject in place, you're eligible for BIMI. See "What is BIMI?" to get started.


Timeline expectations

Phase                                 Duration
Deploy p=none + collect reports       1–2 weeks
Fix all failing legitimate sources    1–4 weeks (depends on how many services you use)
Quarantine phase (pct=10 to pct=100)  2–4 weeks
Reject phase                          Ongoing
BIMI setup                            2–6 weeks (mostly waiting on VMC)

Total: 6–12 weeks for a typical organisation.