How to Set Up DMARC

May 29, 2025

Email is the lifeblood of modern business communication. But with phishing, spoofing, spam, and impersonation attacks more prevalent than ever, protecting your domain and reputation is no longer optional — it’s mission-critical. That’s where DMARC comes in. Whether you’re a small business or a growing enterprise, setting up DMARC (along with SPF and DKIM) ensures your emails land in inboxes — not the recipient's spam folder — and that cybercriminals can’t impersonate your brand. In this guide, we’ll break down what DMARC is, why it matters, how to set it up correctly, and how to monitor it effectively to safeguard your domain and maximize email deliverability.

 

What Is Email Authentication: DMARC, SPF, & DKIM?

DMARC stands for Domain-based Message Authentication, Reporting, and Conformance. It sounds like something you’d see on a compliance report and immediately hand off to IT with a “good luck.” But in plain terms, DMARC is your domain’s bouncer at the email club entrance. It decides which emails are allowed in, which get kicked out, and which ones end up in the inbox purgatory of spam.

DMARC authentication works by validating each email message using both SPF and DKIM to verify the legitimacy of the sender. By tying SPF and DKIM together, DMARC authentication ensures that only legitimate email messages are delivered, helping to prevent spoofing and phishing attacks.

DMARC works alongside two other security protocols: SPF and DKIM. Let’s break them down:

 

What Is SPF?

SPF (Sender Policy Framework) is a DNS-based email validation system. It tells receiving mail servers which IP addresses are allowed to send email on behalf of your domain. The SPF record is configured in the DNS settings of your email domain to specify which servers are authorized to send emails for that domain.

  • Example SPF record: v=spf1 include:_spf.google.com ~all

  • If an email is sent from an unauthorized server, SPF fails.

 

What Is DKIM?

DKIM (DomainKeys Identified Mail) uses public-key cryptography to attach a digital signature to emails. This proves the message wasn’t modified in transit and that it really came from your domain. DKIM authentication verifies the integrity and authenticity of each outgoing email, ensuring it is legitimate and not forged.

  • Your DNS holds the public key, while the sender uses the private key.

  • If the signature doesn’t match, DKIM fails.

 

What Is DMARC?

DMARC ties SPF and DKIM together. It tells email servers what to do when an email fails authentication and provides feedback via reports.

So when someone asks, "What is DMARC in simple terms?" it's this: DMARC protects your domain from being spoofed and helps your legitimate emails get delivered.

 

DMARC Record Breakdown

To set up DMARC, you need to add a TXT record to your domain's DNS configuration. The DMARC policy is published as a DNS TXT record.

Here is an example DMARC record, also known as a DMARC TXT record:

v=DMARC1; p=none; rua=mailto:[email protected]; ruf=mailto:[email protected]; fo=1; sp=reject;

Here’s what those parts mean:

  • v=: Version. Always “DMARC1”

  • p=: Policy. What to do with failed mail (none, quarantine, reject)

  • rua=: Aggregate report URI. Where to send daily XML reports

  • ruf=: Forensic report URI (optional). Sends detailed failure samples

  • fo=: Failure reporting options (e.g., fo=1 means report on any failure)

  • sp=: Subdomain policy (if different from parent domain)

  • pct=: Percentage of messages to which the policy applies. If not set, the default value is 100.

This one DMARC DNS TXT record tells receiving email servers how protective (or forgiving) they should be with your domain’s emails when suspicious behavior is detected. In other words, it instructs them on what to do with email claiming to come from you, depending on whether it passes SPF and DKIM.
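The tag breakdown above can be checked mechanically before a record is published. The following is an added example, not code from the original page or from any vendor tool: a small parser and linter that applies the defaults described above (pct defaults to 100, subdomains inherit p= unless sp= is set). The sample record and its example.com reporting address are constructed placeholders.

```python
# Added example (not from the original page): parse and lint a DMARC TXT value.
POLICIES = ("none", "quarantine", "reject")  # ordered weakest to strictest

def parse_dmarc(record):
    """Return the record's tags with defaults applied; raise ValueError if invalid."""
    tags = {}
    for part in record.split(";"):
        if not part.strip():
            continue  # tolerate the trailing ';'
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part.strip()!r}")
        tags[name.strip().lower()] = value.strip()
    if next(iter(tags), None) != "v" or tags["v"] != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    tags["p"] = tags.get("p", "").lower()
    tags["sp"] = tags.get("sp", tags["p"]).lower()  # subdomains inherit p= by default
    if tags["p"] not in POLICIES or tags["sp"] not in POLICIES:
        raise ValueError("p= and sp= must be none, quarantine or reject")
    tags["pct"] = int(tags.get("pct", "100"))  # default is 100
    if not 0 <= tags["pct"] <= 100:
        raise ValueError("pct= must be between 0 and 100")
    return tags

def lint(tags):
    """Return human-readable findings for a parsed record."""
    findings = []
    if tags["p"] == "none":
        findings.append("p=none only monitors: failing mail is still delivered")
    elif tags["pct"] < 100:
        findings.append(f"policy applies to only {tags['pct']}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= tag: no aggregate reports will be sent")
    else:
        for uri in tags["rua"].split(","):
            if not uri.strip().lower().startswith("mailto:"):
                findings.append(f"rua= target is not a mailto: URI: {uri.strip()}")
    if POLICIES.index(tags["sp"]) < POLICIES.index(tags["p"]):
        findings.append("sp= is weaker than p=: subdomains are less protected")
    return findings

# Constructed sample modelled on the record above; the address is a placeholder.
SAMPLE = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com; fo=1; sp=reject;"

if __name__ == "__main__":
    parsed = parse_dmarc(SAMPLE)
    print(parsed)
    for finding in lint(parsed):
        print("finding:", finding)
```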

Want to see if your SPF, DKIM, and DMARC records are configured correctly? Check them out here: Input Output - Email Audit

 

Why DMARC Matters and What Happens When DMARC Fails

If you’re wondering, “Is DMARC really necessary?” — as of May 5, 2025, the answer is a hard yes. Major email providers like Gmail, Yahoo, and Microsoft have tightened their requirements. Domains without properly configured DMARC, SPF, and DKIM records are now far more likely to see their emails rejected or dumped into the spam abyss. These changes are part of a larger push to combat phishing and spoofing at scale, specifically targeting phishing attacks and email spoofing as major risks that DMARC helps prevent.

So yes — DMARC is no longer optional. It’s the standard for anyone serious about their brand, reputation, and getting their messages delivered. Misconfigured DMARC records can also cause delivery issues, including blocking legitimate mail, so proper setup is essential to avoid these problems.

 

Why Don’t Companies Use DMARC?

Despite its importance, many businesses still haven’t adopted DMARC. Why? Usually, it boils down to:

  • Not knowing what DMARC is

  • Assuming it’s too technical or time-consuming to set up

  • Fear of breaking email deliverability

  • Believing their domain isn’t a target (spoiler: it is)

  • The challenge of managing DMARC across multiple email services

As a result, they remain exposed to spoofing attacks — often without even realizing it.

 

Can You Send Emails Without DMARC?

Technically, yes. But practically? Not anymore. Without a DMARC policy in place, your emails are at the mercy of new filtering policies. In fact, 40–60% of messages from domains lacking DMARC are now either flagged, quarantined, or outright rejected by leading providers. If you use a custom domain without DMARC, the risk of deliverability problems is even higher.

So while it’s possible to send email without DMARC, you’re gambling with your brand’s reputation and inbox placement.

 

What Does a Failed DMARC Mean?

A failed DMARC check, also known as a DMARC fail or DMARC failure, usually means that either SPF or DKIM (or both) didn’t align with what your DMARC policy expected. When messages that fail DMARC checks are detected, this can result in a bounce message or error message, indicating the email was blocked or rejected. In business terms: your emails may not reach your customers.

That could look like:

  • A “message blocked due to DMARC” bounce message or error message

  • Your email going straight to spam

  • Clients not getting invoices, contracts, or even that snarky holiday e-card

DMARC failures are logged in DMARC failure reports, which provide detailed information to help diagnose the cause of the failure and improve email security.

What happens next depends on your DMARC policy (p=):

  • p=none: Just monitor and report (you’ll receive DMARC failure reports for messages that fail)

  • p=quarantine: Likely spam folder

  • p=reject: Flat-out rejected at the server level (often accompanied by a bounce message or error message)

Some providers (especially Gmail, Yahoo, and Microsoft) will enforce their own stricter rules regardless, especially if you have no policy at all.

Common causes of DMARC failures:

  • SPF record missing or misconfigured

  • DKIM signature missing or broken

  • Email being sent from an unauthorized source (like a rogue marketing tool)

Repeated DMARC failures can lead to ongoing deliverability issues and damage your sender reputation. The result? Poor deliverability, lower trust, and yes, potentially lost revenue. To troubleshoot, it’s important to review DMARC failure reports and analyze the error messages or bounce messages you receive. So if you’ve been wondering, “Why would an email fail at DMARC even when SPF and DKIM pass?” — it’s probably due to alignment issues, meaning the domains don’t match up as expected.

 

How to Set Up DMARC (Step-by-Step)

Setting up DMARC isn’t rocket science, but it does require attention to detail. DMARC validation is crucial for email security, and using a DMARC record checker helps verify your setup to prevent spoofing and phishing attacks.

Here are the core requirements.

  • Create and manage DMARC records for your domain by adding a DNS TXT record. Each domain's DMARC record should be properly configured to ensure DMARC authentication. All services that send mail on your behalf must be included in your DMARC, SPF, and DKIM setup.

  • Understand how receiving servers work: When you send mail, receiving servers perform DMARC checks on incoming messages. These checks determine whether to accept, quarantine, or reject emails based on your DMARC policy.

  • Monitor with reports: DMARC authentication results are included in aggregate reports and forensic reports. Configure your DMARC record to send aggregate reports and failure reports to your chosen email address. These reports help you monitor email flow, identify spoofing attempts, and improve domain security.

  • Troubleshoot issues: Use DMARC reports and a DMARC record checker to troubleshoot issues with DMARC records, email deliverability, and authentication failures.

  • Subdomain management: By default, subdomains inherit DMARC policy from the parent domain unless you override this with a separate DMARC record for the subdomain.

  • Rollout process: Use the 'pct' parameter in your DMARC record to control the percentage of messages affected by your policy. Gradually increasing this value will apply your DMARC policy to more messages as you monitor results.

  • Multiple domains: Ensure each domain's DMARC record is configured and validated. Use DMARC validation tools to confirm correct setup across all domains.

 

Step 1: Set Up SPF

  • Log into your domain’s DNS settings.

  • Add a TXT record with your SPF value. Example: v=spf1 include:_spf.google.com ~all

For full DMARC protection, make sure to enable both SPF and DKIM authentication by setting up the appropriate DNS TXT records for each.

 

Step 2: Set Up DKIM

  • Generate a DKIM key in your email service provider.

  • Add the public key as a TXT DNS record.

The authentication status of each email is determined by the DKIM signature and the corresponding DNS record.

 

Step 3: Create Your DMARC Record

  • Add a DMARC TXT record named _dmarc.yourdomain.com

  • Example value: v=DMARC1; p=none; rua=mailto:[email protected];

This means: “Don’t reject anything yet, but send me reports.”

 

Step 4: Gradually Enforce DMARC

  • Move from p=none (monitoring) to p=quarantine (flag suspicious) to p=reject (block unauthorized emails).

  • This stepwise approach ensures you don’t accidentally block legitimate traffic before confirming proper setup. As you increase the 'pct' parameter, the policy will apply to more messages, allowing for a gradual rollout and broader coverage over time.

  • Start by collecting and reviewing reports, fixing any issues, then tightening enforcement as confidence grows.

 

How Do I Add a DMARC Record?

Most domain providers let you add DNS records via a simple interface. Create a new TXT record with the name _dmarc and paste your policy string into the value field. For example:

Name: _dmarc.yourdomain.com
Type: TXT
Value: v=DMARC1; p=none; rua=mailto:[email protected];

It's important to keep your DMARC records up to date and review them regularly to ensure your email authentication and security settings remain effective.

 

How to Solve DMARC Issues

If your DMARC reports are showing failures, use them to troubleshoot issues with DMARC authentication. Here’s what to check:

  • SPF alignment: Is the sending server authorized in your SPF record?

  • DKIM signature: Is it configured correctly and pointing to your domain?

  • Forwarders: They often break SPF. You might need DMARC override rules.

  • Third-party senders: Tools like CRMs or email marketing platforms must be authenticated with their own SPF/DKIM settings.

Use our easy email auditing tool to see if you have issues with your DMARC, SPF, or DKIM configuration settings.

 

Is DMARC p=none Safe?

p=none is the most lenient setting. It doesn’t block any mail — just monitors it. While this can be useful when starting out, it’s no longer considered safe or compliant under many new email sender policies.

Think of p=none as the training wheels. You’ll want to graduate to p=quarantine and eventually p=reject to actually protect your domain and your recipients. But — and this is critical — this should be done gradually over time.

Jumping straight to p=reject can cause serious headaches if there’s even a minor misconfiguration in your SPF or DKIM setup. A missing include, a mistyped DNS record, or an unauthenticated third-party service could suddenly get all your emails blocked outright. It's important to ensure that legitimate mail from trusted sources is not blocked when moving to stricter DMARC policies.

Start with p=none, monitor the reports you receive, fix any issues, and then move to p=quarantine. After confirming that everything is routing as expected and no legitimate senders are getting caught, you can confidently roll out p=reject.

This phased approach ensures you’re protecting your domain without unintentionally torpedoing your own communications.

 

Platform-Specific Guides

  • Office 365 / Microsoft 365: DMARC, SPF, and DKIM all have setup options via the Admin Center. Note: Microsoft 365 performs DMARC checks on all incoming email to help prevent spoofing and phishing attacks.

  • GoDaddy: DNS records added via the Domain Manager.

 

Keep It Tight: Monitoring & Maintenance

Setting up DMARC is only the beginning. Now you need to monitor it like your company’s inbox reputation depends on it—because it does.

DMARC reports (sent to the rua email you specified) contain gold: who’s sending email on your behalf, who’s failing, and where problems may arise. These aggregate reports provide a summary of authentication results across all email sources, helping you understand overall DMARC compliance and spot potential spoofing attempts.

 

How to Check if an Email has Passed SPF, DKIM, and DMARC

You can check these headers in your received email by viewing the original/raw message. When doing so, you are reviewing the authentication status of each email. Look for authentication results like:

  • spf=pass

  • dkim=pass

  • dmarc=pass

For a user-friendly check, try tools like MXToolbox, Google’s Admin Toolbox, or the headers analyzer in EasyDMARC.
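The header check described here also answers the earlier question of why a message can fail DMARC when SPF and DKIM both pass. The following is an added example, not code from the original page: it reads the Authentication-Results header of a constructed message and tests whether the SPF and DKIM domains align with the From domain. The host names, the trusted receiver name and the two-label organizational-domain shortcut are assumptions made for the illustration.

```python
# Added example (not from the original page): explain a DMARC result from headers.
import re
from email import message_from_string
from email.utils import parseaddr

def org_domain(domain):
    # Simplification: last two labels. Real evaluators use the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, strict=False):
    """Relaxed alignment compares organizational domains; strict needs an exact match."""
    if strict:
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def check(raw, trusted_authserv="mx.receiver.example"):
    msg = message_from_string(raw)
    ar = msg["Authentication-Results"] or ""   # topmost header only
    # Anyone can insert this header; trust it only when our own receiver wrote it.
    if ar.split(";")[0].strip() != trusted_authserv:
        raise ValueError("no Authentication-Results header from our own receiver")
    res = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", ar))
    prop = dict(re.findall(r"\b(smtp\.mailfrom|header\.d)=([^\s;]+)", ar))
    from_dom = parseaddr(msg["From"])[1].rpartition("@")[2]
    spf_dom = prop.get("smtp.mailfrom", "").rpartition("@")[2]
    spf_ok = res.get("spf") == "pass" and aligned(spf_dom, from_dom)
    dkim_ok = res.get("dkim") == "pass" and aligned(prop.get("header.d", ""), from_dom)
    # DMARC needs at least one mechanism to pass AND align with the From domain.
    return {"reported": res, "spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc_pass": spf_ok or dkim_ok}

# Constructed messages; every domain here is a placeholder.
TEMPLATE = (
    "Authentication-Results: {authserv};\n"
    " spf=pass smtp.mailfrom={mailfrom};\n"
    " dkim=pass header.d={d} header.s=s1;\n"
    " dmarc={dmarc} header.from=example.com\n"
    "From: Billing <billing@example.com>\n"
    "Subject: Invoice\n\nbody\n"
)
# A third-party tool that authenticates as its own domain, not as example.com.
THIRD_PARTY = TEMPLATE.format(authserv="mx.receiver.example",
                              mailfrom="bounces.mailer.example",
                              d="mailer.example", dmarc="fail")
ALIGNED = TEMPLATE.format(authserv="mx.receiver.example",
                          mailfrom="mail.example.com", d="example.com", dmarc="pass")

if __name__ == "__main__":
    print(check(THIRD_PARTY))
    print(check(ALIGNED))
```

In the first message SPF and DKIM pass for mailer.example, but the From address is at example.com, so neither result aligns and DMARC fails.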

 

How Do I Get DMARC Reports?

To receive DMARC reports, your DMARC record must include the rua= tag with an email address. The rua tag is used to send aggregate reports to the specified email address:

rua=mailto:[email protected]

These reports come in XML format and contain information about who is sending email on your behalf, whether the emails passed SPF/DKIM, and if they aligned with your policy.

Want to make DMARC reporting and review even easier? Check out our easy-to-use iO™ ClickSafe eMail deliverability tool!

 

Why Am I Getting So Many DMARC Emails?

If your inbox is suddenly flooded with DMARC reports, congratulations — you’ve entered monitoring mode. These reports, which may include both aggregate reports and failure reports, are sent daily by every receiving mail server that handles your domain’s messages. While helpful, they’re hard to read manually, which is why tools exist to parse them for you.

You can create inbox rules to route them to a folder or use a monitoring service to automate parsing and visualizations.

 

What Is a DMARC Analyzer?

A DMARC analyzer is a tool that ingests, parses, and presents DMARC reports in a readable format. It gives you dashboards, alerts, and recommendations to spot spoofing attempts, misconfigurations, or unauthorized senders. Advanced analyzers can also process forensic reports, providing detailed incident analysis to help identify and address specific threats.

Popular options include:

  • DMARC Analyzer: Known for guided enforcement workflows.

  • Valimail Monitor: More enterprise-level enforcement and automation.

  • iO™ ClickSafe eMail: Our own premium-grade analyzer built for businesses serious about deliverability and email authentication. It includes real-time visualizations, smart alerting, and expert-guided remediation.

Most serious analyzers run over $100/month, but they pay for themselves by keeping your brand out of spam folders and phishing attempts.

 

How Input Output Makes DMARC Easy

We know the DMARC rabbit hole is deep. SPF, DKIM, alignment, enforcement — it’s a lot. That’s why the Input Output ClickSafe eMail deliverability tool exists:

  • We analyze your DNS settings, implement or correct SPF/DKIM/DMARC, and align your authentication records.

  • We use a DMARC record checker to verify your DMARC setup, ensuring your configuration is correct and your email authentication is effective.

  • We monitor failures and help you transition to full DMARC enforcement without breaking your email.

  • We train your team, or just handle the whole thing if you’d rather not.

With iO™ ClickSafe eMail, we take it even further:

  • It’s not just a monitoring dashboard. It identifies what’s wrong and lets you fix it with a single click.

  • Easily configure and manage SPF, DKIM, DMARC, and BIMI (Brand Indicators for Message Identification) — boosting trust and visual recognition in inboxes.

  • Includes support for MTA-STS, ensuring your emails are sent securely with encryption to protect them in transit.

  • Offers user-friendly, visual reporting for both rua (aggregate) and ruf (forensic) DMARC reports so you can quickly identify and resolve issues.

What makes it especially powerful is its simplicity: Input Output ClickSafe eMail makes it easy to manage authentication records, avoids costly misconfigurations, and ensures your emails go exactly where they’re supposed to — the inbox.

Want your email to land in inboxes instead of limbo — and do it securely, visibly, and reliably? Let’s talk.

 

Conclusion

DMARC isn’t just another line item in your compliance checklist — it’s the backbone of trustworthy, secure email communication. With inbox providers now enforcing strict sender requirements, adopting DMARC (alongside SPF and DKIM) is essential to avoid bounces, protect your reputation, and maximize your message reach. But setup and enforcement can be tricky, and getting it wrong can hurt more than help.

That's why Input Output built ClickSafe eMail — to make email authentication dead simple, secure, and effective. Whether you're just starting with p=none or ready to fully enforce p=reject, we help you get there with confidence.

Ready to protect your brand, boost deliverability, and stop spoofing in its tracks? We’re here to help.
