
DMARC Configuring

DMARC Configuring for Domain Protection: Manual Implementation

Step 1: Create a DMARC Record

A DMARC record is a TXT record added to your DNS zone file. Because it is a TXT record, the format is straightforward. When you are starting out, a safe first record looks like this, using a monitoring policy so you can observe before enforcing:

v=DMARC1; p=none; rua=mailto:[email protected]; ruf=mailto:[email protected]

Once your reports confirm your legitimate mail authenticates and aligns, you can raise the policy toward quarantine or reject.

DMARC Record Syntax and Tags Explained

With the publication of RFC 9989 in May 2026, the tag set changed: np, psd, and t were added, and pct, rf, and ri were moved to historic status. Records still containing the historic tags keep working, because receivers ignore tags they do not recognise, but they should be left out of new records.

Active tags:

| DMARC Tag | Type | Default | What it means |
|---|---|---|---|
| v | mandatory | | The protocol version; always v=DMARC1. |
| p | recommended | none | The policy mode: reject, quarantine, or none. Technically optional under RFC 9989 (defaults to none), but it should always be set explicitly. |
| sp | optional | inherits p | Policy for existing subdomains. |
| np | optional | inherits sp, else p | Policy for non-existent subdomains (names that do not resolve in DNS). Closes a gap sp did not cover. |
| psd | optional | n | Marks whether a domain is a Public Suffix Domain, supporting the DNS Tree Walk. Most ordinary domains do not set this. |
| t | optional | n | Test mode. t=y asks receivers to apply the next-lower enforcement level while you test; t=n means full enforcement. Replaces the rollout role of the historic pct tag. |
| rua | optional but recommended | | Address for aggregate (RUA) reports, governed by RFC 9990. Example: rua=mailto:[email protected]; |
| ruf | optional | | Address for failure reports (formerly forensic, governed by RFC 9991). Most major receivers no longer send these. Example: ruf=mailto:[email protected]; |
| fo | optional | 0 | Failure reporting options (ignored if ruf is absent): 0, report if both SPF and DKIM alignment fail; 1, report if either fails; d, DKIM failure regardless of alignment; s, SPF failure regardless of alignment. |
| aspf | optional | r | SPF alignment mode: strict (s) or relaxed (r). |
| adkim | optional | r | DKIM alignment mode: strict (s) or relaxed (r). |

Historic tags (defined in RFC 7489, removed by RFC 9989, shown for reference only): pct (percentage of mail the policy applied to; its rollout role is now served by t), rf (failure report format; only afrf was ever used), and ri (requested aggregate report interval; receivers used their own schedules).

Step 2: Create a DNS TXT Record

Next, create the DNS TXT record that publishes DMARC:

  1. Navigate to the DNS section of your domain registrar's or DNS provider's site.
  2. Create a new TXT record.
  3. In the Host or Name field, enter _dmarc.
  4. In the Value field, enter the DMARC record you created in Step 1.
  5. Save the record.

Step 3: Validate the DMARC setup

After configuring DMARC, use an online DMARC lookup tool to validate your setup. It will show your record and whether it is correctly formed.
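
The formation check in this step, and the defaults in the tag table above, can also be reproduced offline. The following is an added example, not part of the course material: the function names are hypothetical and the sample record is constructed, with example.com as a placeholder domain.

```python
# Added example: offline check of a DMARC TXT value against the tag table above.
ACTIVE = {"v", "p", "sp", "np", "psd", "t", "rua", "ruf", "fo", "aspf", "adkim"}
HISTORIC = {"pct", "rf", "ri"}  # listed on the page as historic
POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc(record):
    """Return (tags, problems) for one DMARC TXT record value."""
    tags, problems = {}, []
    parts = [p.strip() for p in record.split(";") if p.strip()]
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        problems.append("record must start with v=DMARC1")
    for part in parts:
        name, sep, value = part.partition("=")
        name, value = name.strip().lower(), value.strip()
        if not sep or not name or not value:
            problems.append(f"malformed tag: {part}")
        elif name in tags:
            problems.append(f"duplicate tag: {name}")
        else:
            tags[name] = value
            if name in HISTORIC:
                problems.append(f"historic tag, omit from new records: {name}")
            elif name not in ACTIVE:
                problems.append(f"unknown tag, receivers ignore it: {name}")
    for name in ("p", "sp", "np"):
        if name in tags and tags[name].lower() not in POLICIES:
            problems.append(f"invalid policy for {name}: {tags[name]}")
    if "p" not in tags:
        problems.append("p not set explicitly, defaults to none")
    for name in ("rua", "ruf"):
        for uri in tags.get(name, "").split(","):
            if uri.strip() and not uri.strip().lower().startswith("mailto:"):
                problems.append(f"{name} target is not a mailto: URI: {uri.strip()}")
    return tags, problems


def effective_policies(tags):
    """Apply the table's defaults: sp inherits p; np inherits sp, else p."""
    p = tags.get("p", "none").lower()
    sp = tags.get("sp", p).lower()
    return {"domain": p, "subdomain": sp,
            "nonexistent_subdomain": tags.get("np", sp).lower(),
            "test_mode": tags.get("t", "n").lower() == "y"}


# Constructed sample record (example.com is a placeholder domain).
LEGACY = "v=DMARC1; p=quarantine; pct=50; sp=reject; rua=mailto:dmarc@example.com"

if __name__ == "__main__":
    tags, problems = parse_dmarc(LEGACY)
    print(effective_policies(tags), problems)
```

Run against the sample, it reports pct as historic and shows that np inherits reject from sp rather than quarantine from p.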

Wait For Your DMARC Record To Propagate

After publishing, you will need to wait for DNS propagation. How long depends on your DNS provider and your record's TTL. This can take up to 48 hours, though many providers (for example Cloudflare) update within minutes. Lowering the TTL on the _dmarc record before making changes can speed up future updates.

Once propagated, verify your settings again with the lookup tool. That completes a basic DMARC configuration.

Things You Need To Know for Optimal DMARC Configuring

  1. A DMARC record is not itself a defence mechanism or a signature; it is a published policy. It tells receiving servers how to evaluate mail claiming to come from your domain (by checking SPF and DKIM alignment) and what to do with mail that fails. The protection comes from receivers acting on that policy, which is why enforcement (quarantine or reject) matters.
  2. With DMARC correctly set up at enforcement, if someone sends spoofed mail from your domain, the receiving server can reject or quarantine it because the message fails to produce an aligned SPF or DKIM pass.
  3. To set up DMARC, you publish the _dmarc TXT record, optionally pointing rua (and ruf) at addresses where receivers send reports on messages that fail authentication. The p tag in the same record tells receivers how to handle failing mail, for example routing it to junk (quarantine) or blocking it (reject).
  4. For DMARC to work, you need at least one of SPF and DKIM set up and aligned, though configuring both is strongly recommended for resilience (for example, DKIM survives forwarding when SPF does not). SPF authorises the sending sources for your domain, and DKIM adds a cryptographic signature verifying the message was not altered in transit.
  5. Several online tools let you check your DMARC record by entering your domain and running a lookup, so you can confirm your settings.
 