EmailPosture

How to Set Up DMARC Without Breaking Your Email

A practical, step-by-step guide. Email Posture.

DMARC is the DNS record that tells receiving mail servers what to do with a message whose From address uses your domain but which fails authentication. Without it, an attacker can put your domain in the From address and most receivers will deliver the message. With it set to an enforcement policy, those forged messages get quarantined or rejected.

The reason so many domains never finish setting it up is fear, and it's a reasonable fear. Turn DMARC straight to "reject" before you've checked your own sending, and you can quietly start blocking your own invoices, newsletters, and app notifications. The good news is there's a safe path that never risks your real mail. Here it is.

You can check where your domain stands right now with our free checker before you start, and again after each step to confirm it took.

First, understand the three records

DMARC doesn't work alone. It sits on top of two other records, SPF and DKIM, and a message only passes DMARC if at least one of them passes and is aligned with your domain: the domain SPF checked (the envelope sender) or the domain in the DKIM signature's d= tag has to match the domain in the From header, or be a subdomain of it under the default relaxed alignment.

So the order matters. Get SPF and DKIM right first, then layer DMARC on top.

Step 1: Confirm SPF is correct

Look up the TXT record on your root domain for one that starts with v=spf1. It should list every service that sends email as you: your mailbox provider (Google Workspace, Microsoft 365), plus any tools like a CRM, a help desk, an invoicing app, or a marketing platform.

A typical record looks like this:

v=spf1 include:_spf.google.com include:sendgrid.net -all

Two common mistakes to avoid. First, a domain may have only one SPF record; two TXT records starting with v=spf1 is a permanent error, so merge everything into a single line. Second, SPF allows at most ten DNS lookups per evaluation. Every include:, a, mx, ptr, exists and redirect= term counts, including the ones nested inside the records you include (ip4:, ip6: and all are free), and going over the limit is a permerror: receivers stop trusting the record and nothing warns you. If you're near the limit, trim senders you no longer use.

End the record with -all (hard fail) once you're confident the list is complete, or ~all (soft fail) while you're still verifying. Either way, a sender not on the list fails SPF as far as DMARC is concerned; the difference only matters to receivers that act on SPF alone.
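As an added example (not part of this guide), the checks in Step 1 written as a small Python script: it confirms a domain has exactly one v=spf1 record, counts the lookup-costing terms recursively through include: and redirect= targets, and flags a record that never reaches an all term. The DNS answers come from a constructed in-memory table (FAKE_TXT) so it runs offline; swap that dict for a real resolver lookup to use it on your own domain.

```python
"""Offline SPF sanity checks: one record per domain, the ten-lookup limit,
and the closing 'all' term. Assumption: DNS answers come from the
constructed FAKE_TXT table below, not from real resolution."""
import re

# Constructed TXT answers for illustration (assumption: made up, not real zones).
FAKE_TXT = {
    "example.com": ["v=spf1 include:_spf.google.com include:sendgrid.net -all"],
    "_spf.google.com": [
        "v=spf1 include:_netblocks.google.com include:_netblocks2.google.com ~all"
    ],
    "_netblocks.google.com": ["v=spf1 ip4:203.0.113.0/24 ~all"],
    "_netblocks2.google.com": ["v=spf1 ip6:2001:db8::/32 ~all"],
    "sendgrid.net": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    # Two v=spf1 records: a permanent error, not "both apply".
    "two-records.example": [
        "v=spf1 include:_spf.google.com -all",
        "v=spf1 include:sendgrid.net -all",
    ],
    # Eleven include: terms, one over the limit.
    "toomany.example": [
        "v=spf1 " + " ".join(f"include:spf{i}.example" for i in range(11)) + " -all"
    ],
    # Never finishes with an 'all' term.
    "open.example": ["v=spf1 include:sendgrid.net"],
}

# Terms that cost a DNS lookup under RFC 7208 section 4.6.4.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
# mechanism[:target][/cidr]  or  modifier=target
TERM_RE = re.compile(r"^([a-z0-9]+)(?:[:=]([^/]*))?(?:/.*)?$", re.I)


def spf_records(domain, txt=FAKE_TXT):
    """Return every TXT string on `domain` that starts with v=spf1."""
    return [r for r in txt.get(domain, []) if r.lower().startswith("v=spf1")]


def count_lookups(domain, txt=FAKE_TXT, _stack=()):
    """Count lookup-costing terms in `domain`'s SPF record, descending into
    include: and redirect= targets. A target with no record still costs its
    own lookup; the _stack guard stops include loops."""
    if domain in _stack:
        return 0
    recs = spf_records(domain, txt)
    if len(recs) != 1:
        return 0
    total = 0
    for term in recs[0].split()[1:]:
        m = TERM_RE.match(term.lstrip("+-~?"))
        if not m:
            continue
        name, target = m.group(1).lower(), m.group(2)
        if name not in LOOKUP_TERMS:
            continue
        total += 1
        if name in ("include", "redirect") and target:
            total += count_lookups(target, txt, _stack + (domain,))
    return total


def check_spf(domain, txt=FAKE_TXT):
    """Return a list of problems; an empty list means the record looks sane."""
    recs = spf_records(domain, txt)
    if not recs:
        return ["no SPF record"]
    if len(recs) > 1:
        return [f"{len(recs)} SPF records (must be exactly one)"]
    problems = []
    lookups = count_lookups(domain, txt)
    if lookups > 10:
        problems.append(f"{lookups} DNS lookups (limit is 10)")
    terms = [t.lower() for t in recs[0].split()[1:]]
    last = terms[-1] if terms else ""
    if last in ("all", "+all", "?all"):
        problems.append("ends with +all or ?all, which lets anyone send as this domain")
    elif last not in ("-all", "~all") and not any(t.startswith("redirect=") for t in terms):
        problems.append("record does not end with -all or ~all")
    return problems


if __name__ == "__main__":
    for d in ("example.com", "two-records.example", "toomany.example", "open.example"):
        print(d, count_lookups(d), check_spf(d))
```

The recursion is the part people get wrong by hand: the guide's own record spends four lookups, not two, because _spf.google.com pulls in two more includes of its own.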

Step 2: Confirm DKIM is enabled

DKIM is turned on inside each sending platform, not in one central place. In Google Workspace, Microsoft 365, and most email tools, there's a setting that gives you a DKIM record (or two, often as CNAMEs) to publish in DNS, usually at a host like selector._domainkey.yourdomain.com. Publishing that record is what puts your domain in the signature's d= tag; a platform that signs with its own shared domain passes DKIM but does not align, so it does nothing for DMARC.

Turn it on for every service that sends mail as you. This is the step people skip, and it matters, because DMARC needs SPF or DKIM to pass and to align with your domain. DKIM is the more reliable of the two: a forwarder replaces the envelope sender and usually breaks SPF, while a DKIM signature survives as long as the forwarder leaves the signed headers and body untouched.

Step 3: Publish DMARC at p=none and just watch

This is the step that makes the whole process safe. Publish a DMARC record set to p=none. That means "don't change how you deliver anything, just send me reports." It cannot break your mail. All it does is start the flow of data you need.

Create a TXT record at _dmarc.yourdomain.com:

v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com

The rua address is where the aggregate reports go (most receivers send one per day). Point it at a mailbox you'll actually read, or at a DMARC reporting service that turns the raw XML into something human. If that address is on a different domain from the one you're protecting, the receiving domain has to publish a TXT record at yourdomain.com._report._dmarc.<that domain> to authorize the reports, otherwise receivers won't send them; reporting services set this up as part of onboarding.

Leave this running for two to four weeks. You're waiting to see every legitimate source that sends mail as you, including the ones you forgot about.

Step 4: Read the reports and fix the gaps

The aggregate reports show you, source by source, what's passing and what's failing SPF and DKIM alignment. Your job here is simple: find every legitimate sender that's failing, and fix it, either by adding it to SPF or by enabling DKIM for it.

You'll almost always find a surprise. An old marketing tool, a billing service, a form provider, something that's been sending as you without proper authentication. Sort those out now, while DMARC is still at p=none and nothing is being blocked.

When the only things still failing are sources you don't recognize (which is usually spoofing, exactly what you want to stop), you're ready to enforce.
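Reading the reports by hand means wading through XML, so here is an added Python example (not from this guide or any reporting service) that does the Step 4 sorting for you. The report embedded below is constructed for illustration but follows the RFC 7489 aggregate-report shape that real receivers send. The key distinction it draws is between the aligned verdicts in policy_evaluated, which are what DMARC acts on, and the raw results in auth_results, which can show a sender passing SPF or DKIM on its own domain while still failing DMARC for yours.

```python
"""Summarize a DMARC aggregate (rua) report per sending source. The XML
below is constructed for illustration (assumption: not a real receiver's
report); its shape follows RFC 7489 Appendix C."""
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name><report_id>1234</report_id>
    <date_range><begin>1700000000</begin><end>1700086399</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain><adkim>r</adkim><aspf>r</aspf>
    <p>none</p><sp>none</sp><pct>100</pct>
  </policy_published>
  <!-- Mailbox provider: both checks pass and align. -->
  <record>
    <row><source_ip>203.0.113.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><selector>google</selector><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <!-- Marketing tool signing with its own domain: authenticated but unaligned. -->
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>40</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>mailer.example</domain><selector>s1</selector><result>pass</result></dkim>
      <spf><domain>bounce.mailer.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <!-- Unknown source, nothing passes anywhere: probable spoofing. -->
  <record>
    <row><source_ip>192.0.2.99</source_ip><count>5</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>example.com</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>
"""

# Worst verdict wins when one IP shows up in several records.
ORDER = {"aligned": 0, "unaligned": 1, "unauthenticated": 2}


def classify(record):
    """Label one <record>: 'aligned' (DMARC passes), 'unaligned' (some check
    passes but on a foreign domain), or 'unauthenticated' (nothing passes)."""
    pe = record.find("row/policy_evaluated")
    if pe.findtext("dkim") == "pass" or pe.findtext("spf") == "pass":
        return "aligned"
    raw_pass = [el for el in record.findall("auth_results/*") if el.findtext("result") == "pass"]
    return "unaligned" if raw_pass else "unauthenticated"


def summarize(xml_text):
    """Return {source_ip: {count, verdict, passing_domains}} for the report."""
    root = ET.fromstring(xml_text)
    out = {}
    for rec in root.findall("record"):
        ip = rec.findtext("row/source_ip")
        entry = out.setdefault(ip, {"count": 0, "verdict": "aligned", "passing_domains": set()})
        entry["count"] += int(rec.findtext("row/count"))
        entry["verdict"] = max(entry["verdict"], classify(rec), key=ORDER.get)
        entry["passing_domains"].update(
            el.findtext("domain") for el in rec.findall("auth_results/*")
            if el.findtext("result") == "pass")
    return out


def action_items(summary):
    """Sources to fix (or confirm as spoofing) before enforcing, biggest first."""
    ranked = sorted(summary.items(), key=lambda kv: -kv[1]["count"])
    return [(ip, e["verdict"], e["count"]) for ip, e in ranked if e["verdict"] != "aligned"]


if __name__ == "__main__":
    s = summarize(SAMPLE_REPORT)
    for ip, verdict, count in action_items(s):
        print(ip, verdict, count, sorted(s[ip]["passing_domains"]))
```

An "unaligned" source with a passing domain you recognize is the tool that needs its custom-domain DKIM (or return-path) turned on; an "unauthenticated" source you don't recognize is the spoofing you're about to block.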

Step 5: Move to p=quarantine

Step the policy up to quarantine, which asks receivers to treat failing mail as suspicious, in practice delivering it to the spam folder rather than the inbox:

v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com

If you're cautious, you can ramp gradually with the pct tag, which applies the policy to a percentage of failing mail, for example pct=25, and then raise it. Mail outside the sample gets the next-weaker policy: with p=quarantine the remainder is treated as none, and with p=reject it is treated as quarantine. Watch your reports for another week or two. If no legitimate mail is getting caught, keep going.

Step 6: Move to p=reject

This is full enforcement. Forged mail is refused outright:

v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com

This is the goal. A domain at p=reject with aligned SPF and DKIM is genuinely hard to impersonate.

One detail people miss: the subdomain policy. By default subdomains inherit your main policy, which is what you want, since otherwise an attacker could simply send from billing.yourdomain.com instead. If you set sp=none, every subdomain is left wide open even though your root domain looks protected. Unless you have a specific reason, don't weaken sp.
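To make the effect of p, sp, pct and rua concrete across Steps 3, 5 and 6, here is an added Python example (not part of this guide) that parses a DMARC record the way a receiver does and reports the policy that will actually be applied to the root domain, to subdomains, and to mail that falls outside a pct sample. The record strings are the ones from this guide plus constructed variants; the rua destination check assumes the external-domain authorization record from RFC 7489 section 7.1.

```python
"""Parse a DMARC TXT record and report the policy receivers will actually
apply. Added example; sp inheritance and pct sampling follow RFC 7489
sections 6.3 and 6.6.4, the rua authorization check section 7.1."""
import re

POLICIES = ("none", "quarantine", "reject")
RANK = {p: i for i, p in enumerate(POLICIES)}
# Mail outside the pct sample gets the next-weaker policy.
WEAKER = {"reject": "quarantine", "quarantine": "none", "none": "none"}


def parse_dmarc(txt):
    """Split 'tag=value; tag=value' into a dict; tag names are case-insensitive."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def same_org(report_domain, domain):
    """Rough 'not external' test: same name or one is a subdomain of the other."""
    a, b = report_domain.lower(), domain.lower()
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def effective_policy(txt, domain):
    """Return what a receiver applies to `domain`, plus warnings about weak tags."""
    tags = parse_dmarc(txt)
    first = txt.split(";")[0].strip()
    if first != "v=DMARC1" or tags.get("p", "").lower() not in POLICIES:
        return {"valid": False, "warnings": ["record must start with v=DMARC1 and carry a valid p= tag"]}
    p = tags["p"].lower()
    sp = tags.get("sp", p).lower()          # subdomains inherit p unless sp is set
    if sp not in POLICIES:
        sp = p
    pct = int(tags.get("pct", "100"))       # default: apply the policy to all failing mail
    warnings = []
    if p == "none":
        warnings.append("p=none is monitor-only; nothing is blocked")
    if RANK[sp] < RANK[p]:
        warnings.append(f"sp={sp} leaves subdomains weaker than the root (p={p})")
    if pct < 100:
        warnings.append(f"only {pct}% of failing mail gets {p}; the rest is treated as {WEAKER[p]}")
    if "rua" not in tags:
        warnings.append("no rua tag: you will receive no aggregate reports")
    for addr in re.findall(r"mailto:([^,\s]+)", tags.get("rua", "")):
        rdom = addr.rsplit("@", 1)[-1]
        if not same_org(rdom, domain):
            warnings.append(f"rua on {rdom}: it must publish a TXT record at "
                            f"{domain}._report._dmarc.{rdom} or receivers will not send reports")
    return {"valid": True, "domain": p, "subdomains": sp,
            "pct": pct, "unsampled": WEAKER[p], "warnings": warnings}


if __name__ == "__main__":
    for rec in ("v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com",
                "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@yourdomain.com",
                "v=DMARC1; p=reject; pct=25; rua=mailto:reports@dmarcservice.example"):
        print(rec, "->", effective_policy(rec, "yourdomain.com"))
```

Run it against each record you publish before you publish it: the warnings list is exactly the set of "looks protected but isn't" conditions discussed above.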


Check your work

After each step, re-run the free checker to confirm the record is published correctly and your grade is moving in the right direction. And if you'd rather not babysit the reports forever, that's the part worth automating: continuous monitoring re-checks your setup every day and emails you the moment something regresses, so a silent change doesn't quietly reopen the door months later.

Start with a free check of your domain, then walk the steps above.

© 2026 Email Posture