
Setting up DMARC takes about 15 minutes. You add a TXT record to your DNS with the hostname _dmarc and a policy value. Start with p=none to monitor your email traffic before blocking anything.
Before you create your DMARC record, you need working SPF and DKIM. DMARC checks both of these to decide if an email is real or fake.
DMARC stands for Domain-based Message Authentication, Reporting, and Conformance. The protocol tells inbox providers (Gmail, Outlook, Yahoo) what to do with emails that fail auth checks.
Gmail and Yahoo now require DMARC for bulk senders, so proper setup matters for email deliverability.
What this guide covers:
- Step-by-step TXT record setup
- SPF and DKIM prep work
- Safe rollout from monitoring to full blocking
- Gmail and Yahoo sender rules
- BIMI logo setup (once DMARC is enforced)
- Fixing common problems
How do you set up a DMARC record?
Five steps get your DMARC record live. DNS changes may take a few hours to spread, but the actual work is quick.
1. Check SPF and DKIM first
DMARC won’t work without SPF and DKIM already in place (this trips up most people).
- Make sure your SPF record lists all your sending services
- Check that DKIM signing is on for each email tool
- Test with our DMARC lookup, MXToolbox, and Google Admin Toolbox
2. Build your record
Use a free DMARC generator to make your policy string. Start with p=none so you can watch traffic without blocking emails.
A basic DMARC record looks like this:
v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com
The parts mean:
- v=DMARC1 — marks this as a DMARC record
- p=none — monitor mode (no blocking yet)
- rua=mailto: — where to send daily reports
3. Open your DNS settings
Log in to your domain host (GoDaddy, Namecheap, Cloudflare, or your email admin panel). Find the DNS page — it’s usually called “DNS Management” or “DNS Records.”
4. Add the TXT record
Create a new TXT record with these values:
| Field | What to enter |
| Type | TXT |
| Host | _dmarc (some hosts need _dmarc.yourdomain.com) |
| Value | v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com |
| TTL | 1 Hour (or leave default) |
Swap dmarc@yourdomain.com for your real email address. Reports will go there.
5. Watch and upgrade
Check your DMARC reports over the next 2-4 weeks. The XML files show which emails pass or fail. Once your real email passes every time, upgrade from p=none to p=quarantine (spam folder) or p=reject (block fully).
What are the DMARC policy options?
The p= tag tells inbox providers what to do with emails that fail DMARC. Pick your policy based on where you are in the rollout.
| Policy | What happens | When to use |
| p=none | Nothing — just collect data | First 2-4 weeks |
| p=quarantine | Failed emails go to spam | After fixing auth gaps |
| p=reject | Failed emails get blocked | Full protection mode |
Most teams move through all three over 8-16 weeks. Jumping straight to p=reject can block real email from services you forgot to set up (not fun to debug).
Why do Gmail and Yahoo require DMARC now?
Gmail and Yahoo made DMARC required in February 2024. Too many phishing attacks were slipping through, and both providers got tired of cleaning up the mess.
Bulk sender rules
If you send 5,000+ emails per day to Gmail users, these rules apply to you:
- Promo emails need one-click unsubscribe
- Both SPF and DKIM must be set up correctly
- Your From domain must align with SPF or DKIM
- Your spam complaint rate must stay under 0.1%
- A DMARC record must exist in your DNS (p=none is fine to start)
Break these rules and Gmail gets harsh. Hit a 0.3% spam rate and your emails start landing in junk — or worse, get blocked outright.
How do SPF, DKIM, and DMARC work together?
DMARC ties SPF and DKIM into one check. An email passes DMARC if either SPF or DKIM passes and lines up with the From address.
SPF basics
SPF is a list of approved senders. Your SPF record tells mail servers which IP addresses can send email as your domain. However, SPF only checks the hidden “envelope” sender — not the From address people see.
DKIM basics
DKIM adds a digital stamp to your emails. The stamp proves the email wasn’t changed in transit and came from an approved source. DKIM signs with a domain name that DMARC uses for matching.
Alignment
Alignment is the glue. Your email passes DMARC when the SPF or DKIM domain matches (or is a child of) your From domain. Relaxed alignment allows subdomains to match. Strict alignment needs an exact match.
What do you need before adding DMARC?
DMARC will expose every auth gap in your email setup. Do the prep work first, or you’ll block real email by mistake.
List your senders
Most companies send email from more tools than they realize. Write down every service that sends as your domain:
- Billing (Stripe, QuickBooks)
- Support (Zendesk, Intercom)
- Work email (Google Workspace, Microsoft 365)
- Transactional (SendGrid, Amazon SES, Postmark)
- Marketing (HubSpot, Mailchimp, Klaviyo)
- CRM (Salesforce, Pipedrive)
Each tool needs SPF and DKIM set up. Miss even one, and DMARC enforcement will block those emails.
Set up SPF
Your SPF record should list all your senders. Keep it under the 10-lookup limit (a common trap):
v=spf1 include:_spf.google.com include:sendgrid.net ~all
Going over 10 lookups breaks SPF completely. If you’re close, try SPF flattening to combine entries.
Set up DKIM
Every email tool needs DKIM turned on:
- Make DKIM keys in each tool’s settings
- Add the public key to your DNS as a TXT record
- Check that signing works for all email types
The steps vary by provider, but the goal is the same — your domain signs every email.
What’s the safest way to roll out DMARC?
Roll out DMARC in three phases. Rushing breaks things (and fixing broken email auth is a pain).
Phase 1: Monitor
Start with p=none to see what’s happening without changing delivery.
Your first record:
v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com
Add the TXT record to your DNS with host _dmarc.yourdomain.com. Test it with a DMARC checker tool — changes should show up in a few hours.
Handle the reports. DMARC sends daily XML files that pile up fast. Options include:
- A dedicated inbox (only works for low volume)
- A report tool like dmarcian or Valimail (much easier)
- Custom scripts (if your team likes XML)
Stay in monitor mode for 2-4 weeks before moving on.
Phase 2: Quarantine
After fixing the issues you found in phase 1, switch to p=quarantine. Failed emails now go to spam instead of the inbox.
Use gradual rollout with the pct tag:
v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@yourdomain.com
The pct=25 means only 25% of failures get quarantined at first. Bump it up over time:
- Week 1-2: pct=25
- Week 3-4: pct=50
- Week 5-6: pct=75
- Week 7+: pct=100
Watch your metrics. Check Google Postmaster Tools often. Track your spam rate (keep it under 0.1%), domain reputation (aim for “High”), and auth pass rates (98%+ is good).
If spam rates climb, pause and fix the issue. The email spam checker tool shows exactly where your sent emails land — more useful than Postmaster’s averages.
Phase 3: Reject
The last step blocks all failed emails at the server level.
Full enforcement:
v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com
With p=reject, fake emails never reach anyone. Real emails with bad auth also get blocked (so make sure phase 2 went smoothly first).
Reaching p=reject also unlocks BIMI — the logo that shows next to your emails in Gmail.
How do you handle advanced DMARC settings?
Once basic DMARC works, these extra tags give you more control.
Subdomain rules
Large orgs often use subdomains for different email types. DMARC covers subdomains by default, but you can override with sp=:
v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc@yourdomain.com
Here, the main domain uses reject while subdomains use quarantine. Useful for testing new services.
Alignment modes
Tweak how strict the domain matching is:
| Tag | Mode | What it allows |
| aspf=r | Relaxed SPF | Subdomain matches (default) |
| aspf=s | Strict SPF | Exact domain match only |
| adkim=r | Relaxed DKIM | Subdomain matches (default) |
| adkim=s | Strict DKIM | Exact domain match only |
Stick with relaxed unless you have a specific reason to go strict. Strict mode breaks more things than it fixes for most teams.
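Added example (not part of the original guide): a small evaluator showing how sp=, aspf= and adkim= change the outcome for the same message, including the alignment check described earlier. The domains and auth results are constructed, and the organizational-domain shortcut is an assumption noted in the code.

```python
POLICIES = ("none", "quarantine", "reject")

def parse_dmarc(record):
    """Split a DMARC TXT value into a tag dict, checking v= and p=."""
    pairs = [t.split("=", 1) for t in record.split(";") if t.strip()]
    if any(len(p) != 2 for p in pairs):
        raise ValueError("malformed tag")
    tags = {k.strip().lower(): v.strip() for k, v in pairs}
    if tags.get("v") != "DMARC1" or tags.get("p") not in POLICIES:
        raise ValueError("not a usable DMARC record")
    return tags

def org_domain(domain):
    # ASSUMPTION: the last two labels form the organizational domain. Receivers use
    # the Public Suffix List, which this shortcut gets wrong for suffixes like co.uk.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """mode 's' needs an exact match; 'r' only needs the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def evaluate(record, record_domain, from_domain, spf, dkim):
    """spf and dkim are (result, domain) pairs. Returns (dmarc_result, requested_policy)."""
    tags = parse_dmarc(record)
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim[0] == "pass" and aligned(dkim[1], from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return ("pass", "none")
    is_subdomain = from_domain.lower() != record_domain.lower()
    return ("fail", tags.get("sp", tags["p"]) if is_subdomain else tags["p"])

if __name__ == "__main__":
    # Constructed message: a vendor signs with a subdomain and uses its own bounce domain.
    spf, dkim = ("pass", "bounce.esp.test"), ("pass", "mail.yourdomain.com")
    relaxed = "v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc@yourdomain.com"
    strict = relaxed + "; adkim=s"
    print(evaluate(relaxed, "yourdomain.com", "yourdomain.com", spf, dkim))
    print(evaluate(strict, "yourdomain.com", "yourdomain.com", spf, dkim))
```

The same legitimate message passes under relaxed DKIM alignment and is rejected once adkim=s is added, because the vendor signs as mail.yourdomain.com rather than the exact From domain.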
What are the most common DMARC problems?
DMARC often uncovers auth issues that were hiding for months. Here’s how to fix the usual suspects.
Real email gets blocked
When real email fails DMARC, you’ll hear from angry customers (or see blocked messages in your reports).
Fixes:
- Check every email tool for SPF and DKIM setup
- Add ARC headers for forwarded email scenarios
- Talk to mailing list providers about keeping auth intact
SPF keeps failing
SPF failures happen even when you think everything is included. Usually, it’s a DNS lookup limit issue.
Fixes:
- Count your DNS lookups (max is 10)
- Flatten your SPF by using IPs instead of includes
- Watch for providers changing their IP ranges
DKIM keeps failing
DKIM failures from one service usually mean a setup mistake or outdated keys.
Fixes:
- Double-check the DKIM record format in DNS
- Ask providers about key rotation schedules
- Make sure the DKIM domain aligns with your From domain
How do you keep DMARC working long-term?
DMARC isn’t a set-and-forget thing. Small auth issues grow into big delivery problems if you ignore them.
Check-in schedule
Set a review rhythm based on your email volume:
- Weekly during the first few months
- Monthly once things stabilize
- Quarterly for a deep look
Watch for new email tools, changes in your setup, or spoofing attempts against your domain.
Key metrics
Track these numbers to stay healthy:
| Metric | Target |
| Gmail spam rate | Under 0.1% |
| Domain reputation | “High” in Postmaster |
| DMARC pass rate | 95%+ |
| SPF/DKIM pass rate | 98%+ |
Update your SPF record whenever you add or drop an email service. Review provider updates for IP changes. Catch issues early before they tank your delivery.
Need help with DMARC setup?
DMARC setup requires precision across your whole email stack. One wrong record blocks real email. Poor monitoring leaves you open to spoofing.
EmailWarmup.com’s deliverability team handles the full process — SPF and DKIM audits, DMARC rollout, and BIMI setup. We watch your auth health around the clock and keep you in line with Gmail and Yahoo rules.
What we handle:
- 24/7 support for auth emergencies
- Ongoing monitoring and quick fixes
- BIMI logo setup once DMARC is enforced
- Full DMARC setup with zero email disruption
Book a free call with an email deliverability expert to let us safely set up DMARC.
Frequently asked questions
Here are some commonly asked questions about DMARC setup:
Yes, but each tool needs SPF and DKIM set up first. The hard part isn’t DMARC — it’s making sure every service is properly configured. List all your email tools, verify each one has SPF and DKIM working, then add your DMARC record.
Nothing changes. Your emails are delivered normally while DMARC collects data. Reports show what passes and fails, but no blocking happens until you upgrade to p=quarantine or p=reject.
Not usually. DMARC on your main domain covers subdomains by default. However, you can add separate records for different policies (stricter on the main domain, looser on a test subdomain).
Speed depends on your setup. Clean configs finish in 8-10 weeks. Complex setups with many email tools need 16-20 weeks. Rushing leads to blocked email — move slow and check each phase.
DMARC helps marketing delivery by proving your emails are legit. Just make sure your email platform (Mailchimp, Klaviyo, HubSpot) has SPF and DKIM working before you enforce.
Both protect you, but reject is stricter. Quarantine sends failures to spam — recipients can still find them. Reject blocks failures completely — the email never arrives. Use reject once you’re sure your auth is solid.

