DMARC deployment
The DMARC setup checklist
Getting to p=reject safely is a sequence, not a single DNS edit. Work through these seven phases in order. Each one links to the tool or guide you need for that step.
Why the order matters
If you publish p=reject before you know who sends mail as your domain, you will block your own newsletters, invoices, and helpdesk replies. The safe path starts in observation mode (p=none with a rua address), reads real report data for a few weeks, fixes every legitimate sender, and only then tightens the policy.
Inventory your senders
List every system that sends email using your domain in the From address: your mailbox provider, marketing platform, CRM, billing system, helpdesk, and any custom apps. Each one needs to be authenticated before you enforce anything.
- Check your current posture first with the free DMARC checker. It shows whether you already have a DMARC, SPF, or BIMI record.
- If you have not received any reports yet, the not receiving DMARC reports guide explains what to verify.
Set up SPF and DKIM for every provider
DMARC passes when SPF or DKIM passes and aligns with your From domain. Configure both for each sender on your inventory. SPF lists the servers allowed to send for your domain; DKIM signs each message with a key published in your DNS.
- Build a single, valid SPF record with the SPF record generator.
- Read the SPF overview and DKIM overview to understand what each one can and cannot prove.
- Fixing a broken SPF setup? See common SPF errors and DKIM failures.
Publish p=none with a rua address
Start in observation mode. A p=none policy changes nothing about delivery, but the rua tag tells mail providers where to send daily aggregate reports. Those reports are how you learn who really sends as your domain.
- Generate a correct record with the DMARC record generator. Set a rua address you control.
- If a checker still reports your policy as not enabled after publishing, work through DMARC policy not enabled.
Read your reports for a few weeks
Aggregate reports arrive as compressed XML, one or more per provider per day. Read them until you recognise every sending source and its pass rate. This is the phase you cannot skip: it is the difference between enforcing safely and blocking your own mail.
- Decode a single XML file by hand with the DMARC report analyzer.
- For an ongoing view across every report and every domain, the DMARC reports dashboard resolves each source to a named provider and tracks alignment over time.
Stop reading XML by hand
Point your rua address at DMARCTrust and every report is parsed automatically: who sends as your domain, whether they align, and where the failures are. Free for one domain.
Fix alignment for legitimate senders
A sender can pass SPF or DKIM and still fail DMARC if the authenticated domain does not match your From domain. That is an alignment problem. Work through every legitimate source in your reports that fails DMARC and fix its alignment before you tighten the policy.
- Understand the rules with the DMARC alignment guide.
- For provider-specific fixes, see alignment issues and why ESP mail fails DMARC.
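As an added example (not part of this checklist or any DMARCTrust code), the Python below applies the rule from phases 4 and 5 to an aggregate report: parse the XML, decide per source IP whether SPF or DKIM both passed and aligned with the From domain, and record why each failing source fails. The sample report, IPs and domains are constructed, and relaxed alignment is approximated by comparing the last two labels rather than consulting the Public Suffix List.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample report (not from any real provider). 203.0.113.10 DKIM-signs with the
# From domain, so it aligns; 198.51.100.7 passes SPF only for an ESP's own bounce domain.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <policy_published><domain>example.com</domain><adkim>r</adkim><aspf>r</aspf><p>none</p></policy_published>
  <record>
    <row><source_ip>203.0.113.10</source_ip><count>120</count></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>mail.example.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>35</count></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>esp-bounces.net</domain><result>pass</result></spf></auth_results>
  </record>
</feedback>"""

def aligned(auth_domain, header_from, mode):
    """Strict ('s') needs an exact match; relaxed ('r') also accepts subdomains. Simplification:
    relaxed compares the last two labels instead of consulting the Public Suffix List."""
    a, h = auth_domain.lower().rstrip("."), header_from.lower().rstrip(".")
    return a == h if mode == "s" else a.split(".")[-2:] == h.split(".")[-2:]

def evaluate_report(xml_text):
    """Per source IP: messages passing DMARC (aligned SPF or DKIM) vs failing, with reasons."""
    root = ET.fromstring(xml_text)
    pol = root.find("policy_published")
    adkim, aspf = pol.findtext("adkim", "r"), pol.findtext("aspf", "r")
    out = defaultdict(lambda: {"pass": 0, "fail": 0, "reasons": []})
    for rec in root.iter("record"):
        ip, n = rec.findtext("row/source_ip"), int(rec.findtext("row/count"))
        hfrom, auth = rec.findtext("identifiers/header_from"), rec.find("auth_results")
        dkim = [(d.findtext("domain"), d.findtext("result")) for d in auth.findall("dkim")]
        spf = [(s.findtext("domain"), s.findtext("result")) for s in auth.findall("spf")]
        if any(r == "pass" and aligned(d, hfrom, adkim) for d, r in dkim) or \
           any(r == "pass" and aligned(d, hfrom, aspf) for d, r in spf):
            out[ip]["pass"] += n  # DMARC pass: at least one identifier authenticated and aligned
            continue
        out[ip]["fail"] += n
        for label, results in (("DKIM", dkim), ("SPF", spf)):
            passed = [d for d, r in results if r == "pass"]
            out[ip]["reasons"].append(f"{label} passed for {passed} but none aligns with {hfrom}"
                                      if passed else f"no passing {label} result")
    return dict(out)
```

Real reports arrive gzipped or zipped, so decompress the attachment before passing its XML to evaluate_report.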
Move to p=quarantine
Once your reports are clean, raise the policy to p=quarantine. Mail that fails DMARC now lands in spam instead of the inbox. Start with a low pct if you want to ramp gradually, and keep watching reports for any sender you missed.
The from none to reject guide walks through the staged rollout, including how to use pct.
Enforce with p=reject
When quarantine has run for a couple of weeks with no surprises, raise the policy to p=reject. Mail that fails DMARC is now refused outright, which is what stops attackers from spoofing your domain. Keep your rua reporting on permanently: new senders and broken configs show up there first.
If real mail still fails after reaching reject, do not roll back blindly. The DMARC passes but spoofing continues article covers the edge cases worth checking.
Run this checklist with reports on autopilot
DMARCTrust gives you a dedicated reporting address, parses every aggregate report, and alerts you when a sender breaks or a DNS record changes. One DNS record gets you through phases 4 to 7.