How to implement DMARC is simpler than it looks when you break it into clear steps. Whether you run a small business or a large enterprise, getting Domain-based Message Authentication, Reporting, and Conformance in place protects your brand, improves deliverability, and gives you visibility into who’s sending mail on your behalf.
What DMARC does (and why it matters)
- Authenticates: DMARC adds no authentication of its own; it consumes the SPF and DKIM results a receiver already computes and decides whether they count for your domain.
- Aligns: It requires the visible From: domain to match the domain that passed SPF (the envelope MAIL FROM) or DKIM (the d= tag in the signature), either exactly (strict) or at the organizational-domain level (relaxed).
- Enforces: It tells receiving servers what to do with messages that have no aligned pass: do nothing, quarantine, or reject.
- Reports: Receivers send aggregate reports and (optionally, and rarely in practice) failure reports, so you can see every source sending as your domain and fix issues.
How to Implement DMARC: A step-by-step plan
Follow this proven path to get from zero to a reject policy safely.
1) Inventory all domains
- List every domain and subdomain you own: the ones that send mail (corporate mail, marketing campaigns, CRM, billing, ticketing, marketing-automation subdomains) and the ones that should never send (parked and defensive registrations), because spoofers do not care which category a domain is in.
- For each, note if it sends email, through what systems (e.g., Microsoft 365, Google Workspace, Salesforce, Mailchimp, Zendesk), and who administers DNS.
2) Get SPF and DKIM right first
- SPF: Ensure each sending source is included in your SPF record. Stay within the 10-DNS-lookup limit counted across the whole include tree (include, a, mx, ptr, exists and redirect each cost one; ip4 and ip6 cost nothing). Exceeding it yields permerror, which means no SPF pass and therefore no SPF alignment. Example:
v=spf1 include:_spf.google.com include:spf.protection.outlook.com include:sendgrid.net -all
- DKIM: Enable DKIM for each sending platform. Use 2048-bit keys where the platform allows them (1024 bits is the RFC 8301 minimum). Publish the public key as a DNS TXT record at selector._domainkey.example.com.
- Alignment goal: You need either SPF alignment or DKIM alignment to pass DMARC; one is enough. Aim for DKIM alignment where possible, since SPF breaks whenever a message is forwarded and the forwarder's IP is not in your record.
3) Start with a monitoring policy (p=none)
- Create a basic DMARC record at _dmarc.example.com (TXT).
- Point aggregate reports (RUA) to a mailbox or analytics service you control. Example record:
v=DMARC1; p=none; rua=mailto:[email protected]; ruf=mailto:[email protected]; fo=1; adkim=r; aspf=r; pct=100
Notes:
- rua: Aggregate XML reports (normally one per receiver per day, delivered as compressed attachments).
- ruf: Forensic/failure samples (optional; many large receivers send few or none, and those that do may include message content, so route them to a mailbox you control and protect).
- fo=1: Generate a failure report if either SPF or DKIM fails to produce an aligned pass; the default fo=0 reports only when both fail.
- adkim/aspf: s = strict alignment (exact domain match); r = relaxed (same organizational domain, the default). Start relaxed, as in the record above, and tighten to strict once reports show every legitimate source signs and sends from the exact From: domain.
4) Monitor reports and map senders
- Parse RUA data weekly to identify all sending IPs and services.
- Confirm each sender is authorized in SPF and signing with DKIM using your domain.
- Fix misaligned sources: adjust From: domains, SPF includes, or DKIM selectors; remove unauthorized systems.
5) Tighten alignment and raise enforcement
- Move from p=none to p=quarantine when ≥95–98% of legitimate mail passes DMARC.
- Optionally use pct=50 (or similar) to phase in enforcement gradually. Messages not selected by pct receive the next-lower policy (quarantine becomes none, reject becomes quarantine), so a reject record at pct=50 still quarantines the other half:
v=DMARC1; p=quarantine; pct=50; rua=mailto:[email protected]; adkim=s; aspf=s
- After 2–4 weeks of clean reports, move to p=reject and pct=100:
v=DMARC1; p=reject; rua=mailto:[email protected]; adkim=s; aspf=s
6) Secure parked and non-sending domains
- For domains that shouldn’t send mail, publish:
- SPF: v=spf1 -all
- DMARC: v=DMARC1; p=reject; rua=mailto:[email protected]; sp=reject
- This blocks spoofing attempts from unused domains and subdomains.
How to Implement DMARC across multiple providers
- Email suites (Microsoft 365/Google Workspace): Enable DKIM in each tenant; ensure From: domain equals your primary domain or aligned subdomain.
- ESPs and marketing tools: Add their SPF include, enable DKIM with your domain (not shared domains), and use a dedicated subdomain (e.g., news.example.com) for consistent alignment.
- CRMs/support platforms: Many default to their own bounce domains; configure custom return-path and DKIM to maintain alignment.
- Third-party relays and forwarding: Favor DKIM alignment because SPF fails after forwarding (the forwarder's IP is not yours); DMARC still passes on DKIM alignment alone, provided the forwarder does not modify the signed headers or body.
Key tags in a DMARC record (what they mean)
- v: Protocol version (must be DMARC1).
- p: Policy for the domain (none, quarantine, reject).
- sp: Subdomain policy (inherits from p if omitted).
- rua: Aggregate reports (one or more mailto: URIs, comma-separated).
- ruf: Forensic reports (optional, often sparse).
- adkim/aspf: Alignment mode (r = relaxed, s = strict).
- fo: Failure reporting options (0, 1, d, s).
- pct: Percentage of messages subject to the policy (default 100); messages outside the sample get the next-lower policy.
- ri: Requested interval between aggregate reports, in seconds (default 86400; receivers may ignore it).
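To make the tag semantics and the alignment rules from step 2 concrete, here is an added example (not code from the original page) that parses a DMARC record the way a receiver does, applies the defaults for sp, adkim, aspf, fo and pct, rejects the cases receivers treat as "no policy" (zero or several records, a bad p=), and then evaluates one message. The organizational-domain rule is simplified to "last two labels", which is an assumption; real receivers use the Public Suffix List. The rua address and all domains are placeholders.

```python
from typing import Optional, Tuple

VALID_POLICIES = ("none", "quarantine", "reject")


def org_domain(name: str) -> str:
    """Organizational domain used for relaxed alignment.
    Assumption: last two labels. Real receivers consult the Public Suffix
    List, so a name like example.co.uk is handled differently there."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: Optional[str], mode: str) -> bool:
    """Strict (s): exact match. Relaxed (r): same organizational domain."""
    if not auth_domain:
        return False
    a = from_domain.lower().rstrip(".")
    b = auth_domain.lower().rstrip(".")
    return a == b if mode == "s" else org_domain(a) == org_domain(b)


def parse_dmarc(txt_records) -> dict:
    """Parse the TXT strings found at _dmarc.<domain> and fill in defaults.
    Raises ValueError for anything a receiver would treat as 'no usable policy'."""
    recs = [r.strip() for r in txt_records if r.strip().lower().startswith("v=dmarc1")]
    if len(recs) != 1:  # zero or several records: receivers apply no policy at all
        raise ValueError(f"expected exactly one DMARC record, found {len(recs)}")
    tags = {}
    for part in recs[0].split(";"):
        part = part.strip()
        if not part:
            continue
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag {part!r}")
        tags[key.strip().lower()] = value.strip()
    if tags.get("p") not in VALID_POLICIES:
        raise ValueError("p= is missing or not one of none/quarantine/reject")
    tags.setdefault("sp", tags["p"])      # sp inherits p when omitted
    tags.setdefault("adkim", "r")         # relaxed is the default alignment mode
    tags.setdefault("aspf", "r")
    tags.setdefault("fo", "0")
    tags.setdefault("pct", "100")
    if tags["sp"] not in VALID_POLICIES or tags["adkim"] not in ("r", "s") \
            or tags["aspf"] not in ("r", "s"):
        raise ValueError("invalid sp=, adkim= or aspf= value")
    pct = int(tags["pct"])
    if not 0 <= pct <= 100:
        raise ValueError("pct= must be between 0 and 100")
    tags["pct"] = pct
    for key in ("rua", "ruf"):           # comma-separated list of mailto: URIs
        if key in tags:
            uris = [u.strip() for u in tags[key].split(",") if u.strip()]
            if not uris or any(not u.lower().startswith("mailto:") for u in uris):
                raise ValueError(f"{key}= must hold mailto: URIs")
            tags[key] = uris
    return tags


def evaluate(tags: dict, from_domain: str,
             spf: Optional[Tuple[str, bool]], dkim: Optional[Tuple[str, bool]],
             record_domain: str, sampled: bool = True) -> Tuple[bool, str]:
    """Return (dmarc_pass, disposition) for one message.

    spf/dkim: (authenticated domain, passed) as the receiver computed them
      (MAIL FROM domain for SPF, the d= tag for DKIM), or None if absent.
    record_domain: where the policy record was found (the From: domain itself
      or its organizational domain); this decides whether p or sp applies.
    sampled: whether the message fell inside pct. A real receiver draws at
      random with probability pct/100; here the caller decides, for determinism.
    """
    spf_ok = bool(spf) and spf[1] and aligned(from_domain, spf[0], tags["aspf"])
    dkim_ok = bool(dkim) and dkim[1] and aligned(from_domain, dkim[0], tags["adkim"])
    if spf_ok or dkim_ok:
        return True, "none"                # one aligned pass is enough
    is_subdomain = from_domain.lower().rstrip(".") != record_domain.lower().rstrip(".")
    policy = tags["sp"] if is_subdomain else tags["p"]
    if tags["pct"] < 100 and not sampled:  # unsampled mail gets the next-lower policy
        policy = {"reject": "quarantine", "quarantine": "none", "none": "none"}[policy]
    return False, policy
```

Feed it the exact TXT strings your resolver returns; the "exactly one record" check is the same one the validation checklist below asks you to do by hand, and the strict-versus-relaxed outcomes for a DKIM signature from news.example.com are the ones you will see in the aggregate reports once you tighten adkim.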
Common pitfalls (and easy fixes)
- Overstuffed SPF: More than 10 DNS-querying terms (include, a, mx, ptr, exists, redirect) counted across the whole include tree yields permerror, so SPF never passes and SPF alignment is lost for every message. Consolidate includes, use the vendor's dedicated include rather than a catch-all, replace includes with ip4/ip6 where the vendor publishes stable ranges, and prune deprecated services.
- No DKIM on a sender: Turn on DKIM; it is the only mechanism that survives plain forwarding. Note that mailing lists which modify the message (subject tags, footers) break the signature as well, and nothing on the sending side fixes that.
- Misaligned From: domain: Some tools send from their own domain by default. Switch to a custom from-domain you control and DKIM-sign with it.
- Ignoring reports: p=none without monitoring offers no protection. Review RUA summaries and fix gaps before enforcing.
- Jumping to reject too fast: Enforce only after you’ve validated all legitimate streams to avoid losing real mail.
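The lookup limit from step 2 and the "Overstuffed SPF" pitfall above are easier to reason about with a counter that walks the include tree. The following is an added example, not code from the original page. The root record for example.com mirrors the SPF example from step 2, but the contents of the vendor records and every other name in the zone dictionary are constructed stand-ins for DNS, not the vendors' real records (which change over time, which is exactly why you count rather than assume).

```python
"""Count the DNS-querying terms in an SPF record tree (the RFC 7208 limit is 10)."""

ZONE = {
    # Root record from the step-2 example, plus one constructed ip4 host.
    "example.com": "v=spf1 include:_spf.google.com include:spf.protection.outlook.com "
                   "include:sendgrid.net ip4:203.0.113.10 -all",
    # Vendor record contents below are made up for this example.
    "_spf.google.com": "v=spf1 include:_netblocks.google.com include:_netblocks2.google.com "
                       "include:_netblocks3.google.com ~all",
    "_netblocks.google.com": "v=spf1 ip4:192.0.2.0/24 ~all",
    "_netblocks2.google.com": "v=spf1 ip4:192.0.2.0/24 ~all",
    "_netblocks3.google.com": "v=spf1 ip6:2001:db8::/32 ~all",
    "spf.protection.outlook.com": "v=spf1 ip4:198.51.100.0/24 -all",
    "sendgrid.net": "v=spf1 ip4:203.0.113.0/24 mx ~all",
    # A second root that accumulated vendors over the years and now exceeds the limit.
    "bloated.example.com": "v=spf1 include:_spf.google.com include:spf.protection.outlook.com "
                           "include:sendgrid.net include:crm.example.net "
                           "include:helpdesk.example.net a mx -all",
    "crm.example.net": "v=spf1 ip4:192.0.2.50 a:mail.crm.example.net -all",
    "helpdesk.example.net": "v=spf1 redirect=_spf.helpdesk.example.net",
    "_spf.helpdesk.example.net": "v=spf1 mx -all",
}

LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}
MAX_LOOKUPS = 10


def count_lookups(domain: str, zone: dict, path=()) -> int:
    """Return the number of DNS-querying terms reachable from domain's SPF record.
    Raises ValueError where a real resolver would return permerror."""
    if domain in path:
        raise ValueError(f"include/redirect loop via {domain}")
    record = zone.get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        raise ValueError(f"no SPF record for {domain}")
    path = path + (domain,)
    total = 0
    for term in record.split()[1:]:
        term = term.lstrip("+-~?")           # the qualifier does not change the cost
        if term.lower().startswith("redirect="):
            total += 1 + count_lookups(term.split("=", 1)[1], zone, path)
            continue
        name, _, arg = term.partition(":")
        name = name.split("/")[0].lower()    # 'a/24' and 'mx/24' are still a and mx
        if name == "include":
            total += 1 + count_lookups(arg, zone, path)
        elif name in LOOKUP_MECHANISMS:
            total += 1                       # a, mx, ptr, exists each cost one query
        # ip4, ip6, all and exp= cost nothing
    return total


def check_spf(domain: str, zone: dict):
    """Return (lookup_count, within_limit) for a domain."""
    n = count_lookups(domain, zone)
    return n, n <= MAX_LOOKUPS


if __name__ == "__main__":
    for d in ("example.com", "bloated.example.com"):
        n, ok = check_spf(d, ZONE)
        print(f"{d}: {n} lookups, {'OK' if ok else 'permerror risk'}")
```

To run this against live DNS, replace the ZONE dictionary with a function that fetches the TXT record for each name; the counting rules stay the same. The bloated root shows how an innocent-looking record reaches 14 lookups once the vendors' own includes and a redirect are followed.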
How to Implement DMARC and improve deliverability
- Warm-up approach: Move from none → quarantine → reject over weeks, not days.
- BIMI readiness: BIMI requires DMARC at enforcement (p=quarantine with pct=100, or p=reject, and a subdomain policy that is not none); with that in place and a good reputation, you can add BIMI for brand logos in inboxes.
- Continuous hygiene: Set calendar reminders to audit senders quarterly; remove defunct vendors and rotate DKIM keys annually.
Validation and troubleshooting checklist
- Validate DNS: Query the TXT record at _dmarc.example.com with dig or nslookup and confirm that exactly one record starting with v=DMARC1 comes back; if two are published, receivers discard both and apply no policy.
- Send tests: From each platform, send to external mailboxes (Gmail, Outlook, Yahoo) and inspect the Authentication-Results header; look for dmarc=pass and note which of spf or dkim produced the aligned pass.
- Parse RUA: Use a DMARC analyzer to visualize pass/fail by source, volume trends, and newly observed IPs.
- Triage failures: Check which mechanism failed (SPF/DKIM), then fix alignment or authorization accordingly.
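Step 4 (map senders from the RUA data), the 95-98% threshold in step 5 and the "Parse RUA" and "Triage failures" items above all come down to the same computation: group the aggregate report by source IP, count aligned passes, and list the sources that need attention. This added example (not code from the original page) does that for one report. The XML is a constructed sample in the RFC 7489 Appendix C layout, not a report from any real receiver; all IPs and domains are placeholders.

```python
"""Summarize a DMARC aggregate (RUA) report by sending source."""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample report. Four sources: the mail suite, an ESP signing with its
# own domain, a forwarder, and an unknown host that authenticates nothing.
SAMPLE_RUA = """<?xml version="1.0" encoding="UTF-8"?>
<feedback>
  <report_metadata><org_name>receiver.example</org_name><report_id>constructed-0001</report_id>
    <date_range><begin>1700000000</begin><end>1700086400</end></date_range></report_metadata>
  <policy_published><domain>example.com</domain><adkim>r</adkim><aspf>r</aspf>
    <p>none</p><sp>none</sp><pct>100</pct></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>1200</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>example.com</domain><selector>s1</selector><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf></auth_results></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>300</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>esp.example</domain><selector>k1</selector><result>pass</result></dkim>
      <spf><domain>bounce.example.com</domain><result>pass</result></spf></auth_results></record>
  <record><row><source_ip>198.51.100.200</source_ip><count>15</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>example.com</domain><selector>s1</selector><result>pass</result></dkim>
      <spf><domain>forwarder.example</domain><result>pass</result></spf></auth_results></record>
  <record><row><source_ip>203.0.113.99</source_ip><count>40</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>example.com</domain><result>fail</result></spf></auth_results></record>
</feedback>
"""


def summarize(xml_text: str) -> dict:
    """Aggregate one RUA report by source IP."""
    # Reports are untrusted XML from the internet: a production pipeline should
    # parse with defusedxml and first unpack the zip/gzip attachment they arrive in.
    root = ET.fromstring(xml_text)
    published = {child.tag: child.text for child in root.find("policy_published")}
    sources = defaultdict(lambda: {"total": 0, "passed": 0,
                                   "dkim_domains": set(), "spf_domains": set()})
    for rec in root.iter("record"):
        row = rec.find("row")
        ip = row.findtext("source_ip")
        count = int(row.findtext("count"))
        evaluated = row.find("policy_evaluated")
        # policy_evaluated holds the *aligned* results; one aligned pass is a DMARC pass
        dmarc_pass = evaluated.findtext("dkim") == "pass" or evaluated.findtext("spf") == "pass"
        src = sources[ip]
        src["total"] += count
        if dmarc_pass:
            src["passed"] += count
        auth = rec.find("auth_results")   # raw results tell you *which* domain signed or sent
        for d in auth.findall("dkim"):
            src["dkim_domains"].add(d.findtext("domain"))
        for s in auth.findall("spf"):
            src["spf_domains"].add(s.findtext("domain"))
    total = sum(s["total"] for s in sources.values())
    passed = sum(s["passed"] for s in sources.values())
    return {
        "domain": published.get("domain"),
        "policy": published.get("p"),
        "total": total,
        "passed": passed,
        "pass_rate": passed / total if total else 0.0,
        "sources": {ip: {**s, "dkim_domains": sorted(s["dkim_domains"]),
                         "spf_domains": sorted(s["spf_domains"])}
                    for ip, s in sources.items()},
    }


def failing_sources(summary: dict) -> list:
    """IPs with at least one message that had no aligned pass: the triage list."""
    return sorted(ip for ip, s in summary["sources"].items() if s["passed"] < s["total"])


def ready_for_enforcement(summary: dict, threshold: float = 0.95) -> bool:
    """The rule of thumb from step 5: move to p=quarantine at roughly 95-98% pass."""
    return summary["pass_rate"] >= threshold
```

In the sample, 198.51.100.7 passes only on SPF because the ESP signs with esp.example, which is the "DKIM with your domain, not shared domains" fix from the multi-provider section; 198.51.100.200 is a forwarder that passes on DKIM alone, which is why the step-2 advice favors DKIM alignment; and 203.0.113.99 is the source to investigate before moving to quarantine. Run summarize over every report in the mailbox and merge the per-source dictionaries before applying the threshold.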
Quick examples you can adapt
_dmarc.example.com TXT "v=DMARC1; p=none; rua=mailto:[email protected]"
_dmarc.example.com TXT "v=DMARC1; p=quarantine; pct=50; rua=mailto:[email protected]"
_dmarc.example.com TXT "v=DMARC1; p=reject; rua=mailto:[email protected]; adkim=s; aspf=s"
Governance and ownership
- Assign a mailbox and owner for RUA reports.
- Document each sending service, its SPF and DKIM settings, and who manages it.
- Establish a change process: When marketing or IT adds a new sender, updating SPF/DKIM/DMARC is part of the onboarding checklist.
Final takeaways
- Start with visibility, not punishment: p=none plus reporting.
- Fix alignment and authenticate every legitimate sender.
- Escalate policy in stages until you reach p=reject.
- Keep monitoring—DMARC isn’t “set and forget.”
With this approach, you’ll deploy DMARC with confidence, shut down spoofing from day one on parked domains, and steadily raise protection for active mail streams—without breaking legitimate email.