How to Set Up DMARC Records for Email Sending

This article explains what DMARC is, how it works, and how to correctly publish a DMARC DNS record to protect your sending domain and improve email deliverability.

Updated over 2 months ago

Who This Is For / When to Use

  • Account owners setting up a custom sending domain for email

  • Users configuring DNS records for email authentication

  • Anyone receiving deliverability warnings related to DMARC

  • Teams preparing to move from monitoring to enforcement (quarantine or reject)


What Is DMARC?

DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an email authentication protocol that builds on SPF and DKIM.

DMARC allows a domain owner to:

  • Verify that emails are legitimately sent from their domain

  • Define how receiving servers should handle unauthorized emails

  • Receive reports about authentication failures and abuse attempts

DMARC is free and is a core requirement for modern email security and inbox placement.


What Is a DMARC Record?

A DMARC record is a TXT DNS record published at _dmarc.<domain>.

It tells receiving mail servers:

  • Which policy to apply if SPF or DKIM fails

  • Where to send authentication reports

  • How strictly to enforce domain alignment

A domain can have only one DMARC record.


DMARC Policy Options (p=)

DMARC policies control how failed emails are handled.

  • p=none
    Monitoring only. Emails are delivered normally, and reports are collected.

  • p=quarantine
    Failed emails are typically sent to spam or junk folders.

  • p=reject
    Failed emails are rejected outright and not delivered.

Best practice: Start with p=none, review reports, then move to stricter enforcement.


Before You Set Up DMARC

Dedicated Sending Domain Required

Before configuring DMARC, you must have a custom sending domain connected to your account.

If you are using the built-in email service:

  1. Go to Settings

  2. Open Email Service

  3. Select Dedicated Domain & IP Address

  4. Click Add New Domain

  5. Complete the domain setup steps

DMARC should be added only after SPF and DKIM are in place.


How to Create a DMARC DNS Record

Step 1: Open Your DNS Provider

Log in to the DNS manager for your domain provider (for example, GoDaddy or Cloudflare).


Step 2: Add a New TXT Record

Create a new DNS record with the following values.

Record Type

  • TXT

Name

  • _dmarc

Value

v=DMARC1; p=none;

TTL

  • Auto or default


DMARC Name Field Examples

  • If your sending domain is domain.com

    • Name: _dmarc

  • If your sending domain is email.domain.com

    • Name: _dmarc.email

Do not enter the full domain unless your DNS provider requires it.


Common DMARC Tags and Their Meanings

Version (v)

  • Required

  • Must always be DMARC1

  • If incorrect or missing, the record is ignored


Policy (p)

  • Defines how failed emails are handled

  • Values: none, quarantine, reject


DKIM Alignment (adkim)

  • Default: r (relaxed)

  • r: Organizational domain match allowed

  • s: Exact domain match required


SPF Alignment (aspf)

  • Default: r (relaxed)

  • Works the same as adkim, but for SPF


Subdomain Policy (sp)

  • Applies a policy specifically to subdomains

  • Defaults to the value of p


Aggregate Reports (rua)


Forensic Reports (ruf)

  • Email address to receive detailed failure reports

  • Less commonly used due to privacy restrictions


Failure Reporting Options (fo)

  • Default: 0

  • Controls when forensic reports are generated


Percentage (pct)

  • Default: 100

  • Applies enforcement to only a percentage of failed emails

  • Only works with quarantine or reject


Publishing and Propagation

After saving the record:

  • DNS propagation can take up to 48 hours

  • Most providers update within a few hours

  • Only one DMARC record should exist per domain
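The tag rules and the one-record rule above can be checked before you publish or change a record. The following is an added example, not code from this article or its vendor: `parse_dmarc` and `check_domain` are hypothetical helper names, and the TXT strings are constructed samples passed in directly so the check runs without a DNS lookup.

```python
VALID_P = {"none", "quarantine", "reject"}
DEFAULTS = {"adkim": "r", "aspf": "r", "fo": "0", "pct": "100"}  # defaults listed above


def parse_dmarc(txt):
    """Return (effective_tags, problems) for one TXT string."""
    tags, problems = {}, []
    for part in filter(None, (p.strip() for p in txt.split(";"))):
        name, sep, value = (s.strip() for s in part.partition("="))
        if not sep or not name or not value:
            problems.append(f"malformed tag {part!r}")
        elif name.lower() in tags:
            problems.append(f"duplicate tag {name}")
        else:
            tags[name.lower()] = value
    if next(iter(tags.items()), None) != ("v", "DMARC1"):
        problems.append("v=DMARC1 must be the first tag; record is ignored")
    policy = tags.get("p", "").lower()
    if policy not in VALID_P:
        problems.append("p must be none, quarantine or reject")
    eff = {**DEFAULTS, "sp": policy, **tags}  # sp falls back to the value of p
    for align in ("adkim", "aspf"):
        if eff[align] not in ("r", "s"):
            problems.append(f"{align} must be r or s")
    pct = eff["pct"]
    if not (pct.isascii() and pct.isdigit() and int(pct) <= 100):
        problems.append("pct must be an integer from 0 to 100")
    elif policy == "none" and int(pct) != 100:
        problems.append("pct has no effect with p=none")
    return eff, problems


def check_domain(txt_records):
    """Check every TXT string found at _dmarc.<domain>."""
    dmarc = [r for r in txt_records if r.strip().startswith("v=DMARC1")]
    if not dmarc:
        return None, ["no DMARC record found"]
    if len(dmarc) > 1:
        return None, [f"{len(dmarc)} DMARC records found; keep only one"]
    return parse_dmarc(dmarc[0])


# Constructed sample answers, not real DNS data.
SAMPLES = {
    "page default": ["v=DMARC1; p=none;"],
    "duplicate": ["v=DMARC1; p=none;", "v=DMARC1; p=reject;"],
    "staged": ["v=DMARC1; p=quarantine; pct=25; adkim=s"],
    "bad order": ["p=reject; v=DMARC1"],
}

if __name__ == "__main__":
    for label, records in SAMPLES.items():
        print(label, check_domain(records))
```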


Monitoring DMARC Reports

Once published:

  • Aggregate reports provide visibility into:

    • SPF/DKIM pass and fail rates

    • Unauthorized sending sources

    • Alignment issues

  • Reports help you safely move from none → quarantine → reject
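To show what reviewing an aggregate report looks like in practice, here is an added example (not part of the original article) that summarizes one report by sending source. It assumes the aggregate report XML layout defined in RFC 7489 (`record`, `row`, `source_ip`, `count`, `policy_evaluated`); `summarize` is a hypothetical helper name and the report is a constructed sample using documentation IP ranges.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample report, not real data.
SAMPLE_REPORT = """<feedback>
  <policy_published><domain>example.com</domain><p>none</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
    <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
  </row></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>30</count>
    <policy_evaluated><dkim>pass</dkim><spf>fail</spf></policy_evaluated>
  </row></record>
  <record><row><source_ip>203.0.113.99</source_ip><count>50</count>
    <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
  </row></record>
</feedback>"""


def summarize(report_xml):
    """Count messages per source by how many aligned mechanisms passed."""
    root = ET.fromstring(report_xml)
    sources = defaultdict(lambda: {"full": 0, "partial": 0, "fail": 0})
    for row in root.iterfind("record/row"):
        count = int(row.findtext("count", "0"))
        results = [row.findtext("policy_evaluated/dkim"),
                   row.findtext("policy_evaluated/spf")]
        # A message passes DMARC when at least one aligned mechanism passes.
        outcome = ("fail", "partial", "full")[results.count("pass")]
        sources[row.findtext("source_ip")][outcome] += count
    total = sum(sum(s.values()) for s in sources.values())
    failed = sum(s["fail"] for s in sources.values())
    return {
        "policy": root.findtext("policy_published/p"),
        "total": total,
        "fail_pct": round(100 * failed / total, 1) if total else 0.0,
        # Sources that would be quarantined or rejected under enforcement.
        "failing_sources": sorted(ip for ip, s in sources.items() if s["fail"]),
        # Sources passing on one mechanism only: fix SPF or DKIM alignment.
        "partial_sources": sorted(ip for ip, s in sources.items() if s["partial"]),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_REPORT))
```

Aggregate reports arrive from external mail receivers, so in production parse them with a hardened XML parser such as `defusedxml` rather than trusting the input.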

DMARC does not block spam you receive. It protects your domain reputation from being spoofed.


Common Issues and Fixes

Multiple DMARC Records Found

  • Issue: More than one DMARC record exists

  • Fix: Remove duplicates and keep only one record


DMARC Not Working

  • Issue: SPF or DKIM not passing

  • Fix: Verify SPF and DKIM are correctly published before enforcing DMARC


Emails Going to Spam After Enforcement

  • Issue: Legitimate senders failing authentication

  • Fix: Review reports and update SPF/DKIM before using quarantine or reject


FAQ

What is DMARC and why is it important?

DMARC prevents others from impersonating your domain by enforcing authentication rules and providing visibility into unauthorized email activity.


Can I change my DMARC policy later?

Yes. Most domains start with p=none, then move to quarantine or reject after reviewing reports.


Can I have more than one DMARC record?

No. Only one DMARC record is allowed per domain or subdomain.


Does DMARC stop incoming spam?

No. DMARC protects your domain from being abused. It does not filter emails you receive.


What happens if I publish DMARC without SPF or DKIM?

DMARC will fail. SPF and/or DKIM must be correctly configured first.


How long should I monitor before enforcing?

Typically 1–2 weeks of clean reports before moving beyond p=none.
