DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an email authentication protocol that helps protect your domain from spoofing and phishing attacks. It builds on the results of SPF and DKIM authentication checks and tells receiving mail servers how to handle emails that fail those checks.
DMARC is configured as a TXT record in your domain’s DNS settings. The record defines the policy that receiving mail servers should apply to messages that fail authentication.
Before setting up DMARC, make sure that SPF and DKIM are already configured for your domain.
DMARC relies on these authentication methods to verify whether an email is legitimate. If SPF and DKIM are not configured correctly, DMARC will not function as intended.
A DMARC record is created as a TXT record in your domain’s DNS.
All DMARC records must include at least two required tags:
v=DMARC1
p=policy
Example DMARC record:
v=DMARC1; p=none;
Explanation:
v=DMARC1
Specifies the DMARC protocol version.
p=none
Defines the policy that should be applied to emails that fail authentication.
The DMARC policy determines how receiving mail servers should handle emails that fail authentication.
p=none
No action is taken on failing messages. This policy is typically used when monitoring authentication results.
p=quarantine
Emails that fail DMARC authentication may be sent to the recipient’s spam or junk folder.
p=reject
Emails that fail authentication are rejected and not delivered.
Many domains start with p=none to monitor authentication results before moving to stricter policies.
Log in to your DNS provider (for example Cloudflare, GoDaddy, or Namecheap) and create a new TXT record.
Typical configuration:
Host / Name: _dmarc
Type: TXT
Value: v=DMARC1; p=none;
Save the record once it is added.
DNS changes may take some time to propagate across the internet.
DMARC supports reporting so domain owners can monitor authentication activity.
You can add an email address to receive aggregated reports using the rua tag.
Example:
v=DMARC1; p=none; rua=mailto:[email protected]
These reports help identify legitimate senders and detect unauthorized sources sending emails from your domain.
SPF or DKIM not configured
DMARC relies on SPF and DKIM. If these are missing or misconfigured, DMARC checks may fail.
Incorrect DNS host name
The DMARC record must be created under the host name _dmarc.
Syntax errors in the DMARC record
Incorrect formatting or missing tags can cause the DMARC policy to be ignored.
Using strict policies too early
Applying a reject policy before verifying legitimate senders can block valid emails.
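The mistakes listed above can be caught before a record is published. The following Python linter is an added example, not part of the original page: the function names, sample records and the example.com address are constructed for illustration, the rule that v=DMARC1 must come first follows RFC 7489, and the rua warning is a heuristic of this example rather than a protocol rule.

```python
VALID_POLICIES = {"none", "quarantine", "reject"}

def parse_tags(value):
    """Split a DMARC TXT value into ordered (tag, value) pairs."""
    pairs = []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue  # a trailing ';' leaves an empty piece
        tag, sep, val = part.partition("=")
        if not sep or not tag.strip() or not val.strip():
            raise ValueError(f"not a tag=value pair: {part!r}")
        pairs.append((tag.strip().lower(), val.strip()))
    return pairs

def lint_dmarc(host, value):
    """Return a list of problems; an empty list means none were found."""
    problems = []
    if host.lower().rstrip(".").split(".")[0] != "_dmarc":
        problems.append("record is not under the _dmarc host name")
    try:
        pairs = parse_tags(value)
    except ValueError as exc:
        return problems + [f"syntax error: {exc}"]
    tags = dict(pairs)
    if not pairs or pairs[0] != ("v", "DMARC1"):
        problems.append("v=DMARC1 must be the first tag")
    policy = tags.get("p", "").lower()
    if "p" not in tags:
        problems.append("required tag p is missing")
    elif policy not in VALID_POLICIES:
        problems.append(f"unknown policy p={tags['p']}")
    for uri in (u.strip() for u in tags.get("rua", "").split(",")):
        if uri and not (uri.lower().startswith("mailto:") and "@" in uri):
            problems.append(f"rua entry is not a mailto: address: {uri}")
    # Heuristic (assumption of this example): enforcing without reports.
    if policy in {"quarantine", "reject"} and "rua" not in tags:
        problems.append(f"p={policy} without rua: no reports to check senders")
    return problems

# Constructed sample records; the example.com address is a placeholder.
SAMPLES = [
    ("_dmarc", "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"),
    ("@", "v=DMARC1; p=none;"),
    ("_dmarc", "p=reject; v=DMARC1"),
    ("_dmarc", "v=DMARC1; p:none"),
]
for host, value in SAMPLES:
    print(host, "|", value, "->", lint_dmarc(host, value) or "ok")
```

An empty result only means the record is well formed; it does not confirm that SPF and DKIM are configured for the domain.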