How to Set Up DMARC

DMARC depends on SPF and DKIM — set both up first. DMARC adds alignment on top: it requires that the domain authenticated by SPF or DKIM matches the domain in the visible From address, which is what closes the spoofing gap those two leave open on their own.

DMARC is a single TXT record published at _dmarc.yourdomain:

• v=DMARC1 — required version tag.
• p — the policy: none, quarantine, or reject.
• rua — where to send aggregate (daily summary) reports.
• pct — percentage of failing mail the policy applies to (use for gradual enforcement).
• sp — an optional separate policy for subdomains; aspf and adkim set alignment to strict or relaxed.

1. Publish a monitoring record. Start with v=DMARC1; p=none; rua=mailto:dmarc@yourdomain at _dmarc.yourdomain.
2. Collect reports. Aggregate reports arrive at your rua address; a DMARC report analyzer makes them readable.
3. Find and fix unaligned senders. Identify every legitimate service and make sure it passes SPF or DKIM and aligns with your From domain.
4. Raise the policy. Move to p=quarantine (failing mail goes to spam), optionally ramping with pct.
5. Enforce. Once reports show only authorized senders passing, move to p=reject — failing mail is refused outright.

The most common DMARC mistake is leaving the policy on p=none for years. In monitor mode, receivers report failures back to you but reject nothing — so your domain can still be spoofed. The whole point of the rollout is to reach quarantine or reject. ZoneWatcher's DMARC monitor flags a record stuck on p=none, a missing rua, or a pct below 100.

If mail is still landing in spam after this, work through why is my email going to spam.