dom4in.net
← All guides
DMARC

Publish a DMARC record without breaking your mail

Start at p=none in monitor mode: one TXT record tells you who is sending as you, and it cannot reject a single legitimate message.

~2 min read 0:00 on this page

The process

The full path to a live, safe DMARC policy. Each crumb is a real step in the Directions below.

Directions

1Confirm SPF and DKIM exist first

DMARC checks that SPF or DKIM passes and aligns with the From: domain. If neither is set up, a strict DMARC policy will reject your own legitimate mail. Make sure both are live before you publish anything stricter than monitoring.

2Open your DNS host's TXT editor

Go to the DNS zone for your domain at your registrar or DNS provider. You are adding exactly one TXT record at the special host _dmarc.

3Create the monitor-only record

Set the host/name to _dmarc (your panel turns it into _dmarc.example.com). Use p=none so nothing is rejected, and point rua at a mailbox you actually read so reports arrive.

Host:  _dmarc
Type:  TXT
Value: v=DMARC1; p=none; rua=mailto:[email protected]; fo=1

4Read the aggregate reports for two weeks

Within a day or two you will receive zipped XML aggregate reports from mailbox providers. Drop them into a free DMARC report reader to see every source sending as your domain — including shadow IT and spoofers.

Confirm every legitimate sender (your mail host, SendGrid, your CRM, invoicing tools) is passing and aligned before you tighten anything.

5Move to quarantine, then reject

Once the reports show only known senders passing, step the policy up: first p=quarantine, optionally with pct=25 to ramp gradually, then p=reject. Reject is the only setting that actually stops spoofing.

v=DMARC1; p=reject; rua=mailto:[email protected]; adkim=s; aspf=s

Common issues & fixes

No reports are arriving.

Confirm the rua mailbox exists and can receive external mail, and that the record is at _dmarc, not the root. Some providers also need the rua domain to authorize external reporting with a _report._dmarc record.

Legitimate mail started getting quarantined.

A sender is passing SPF/DKIM but not aligning with your From: domain. Move back to p=none, fix alignment for that sender, then re-tighten.

Two DMARC records exist.

Only one TXT at _dmarc is allowed; multiple records make the policy void. Merge into a single record.

Strict alignment broke a vendor.

adkim=s/aspf=s require exact-domain alignment. If a vendor sends from a subdomain, relax to relaxed (the default) or onboard them onto a subdomain you control.

Written and maintained by Ben McDaniel. Drafted with AI assistance and human-reviewed against each vendor's current setup flow. Vendor interfaces change — if a step looks different, the underlying record is what matters.