How to Set Up DMARC Records for Email

What is DMARC?

DMARC (Domain-based Message Authentication Reporting and Conformance) is an email authentication protocol that protects your domain from spoofing and phishing.

It works by combining SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) to confirm that emails sent from your domain are legitimate.

With DMARC, you publish a policy that tells receiving mail servers what to do if an email fails authentication.

DMARC Policies (p=)

• p=none → Monitor email traffic, no action taken. (Best for starting/testing)

• p=quarantine → Unauthorized emails go to spam/junk.

• p=reject → Unauthorized emails are blocked completely.

Steps to Set Up a DMARC Record

Step 1: Set Up a Custom Sending Domain

If using PXME (LeadConnector) email service:

• Go to Settings > Email Services > Dedicated Domain & IP Address > Add New Domain.

• Complete domain verification before adding DMARC.

Step 2: Access Your DNS Settings

• Log in to your domain registrar or DNS host (e.g., GoDaddy, Cloudflare).

• Open DNS Management for your sending domain.

Step 3: Create a DMARC Record

• Record Type: TXT

• Name: _dmarc.yourdomain.com

  • Example: For domain.com → enter _dmarc

  • For email.domain.com → enter _dmarc.email

• Value (basic example):

v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com; ruf=mailto:dmarc-forensic@yourdomain.com; adkim=r; aspf=r;

Step 4: Understand Key DMARC Tags

• v=DMARC1 → Version (required).

• p= → Policy (none | quarantine | reject).

• adkim= → DKIM alignment (r = relaxed, s = strict).

• aspf= → SPF alignment (r = relaxed, s = strict).

• rua= → Address to receive aggregate XML reports.

• ruf= → Address to receive forensic (failure) reports.

• fo= → Forensic report options (0 = all fail, 1 = any fail, d = DKIM fail, s = SPF fail).

• pct= → Percentage of failed emails subject to policy.

• ri= → Report interval in seconds (default 86400 = daily).

Step 5: Publish the Record

• Save the TXT record in your DNS host.

• Wait up to 24–48 hours for DNS propagation.

Step 6: Monitor DMARC Reports

• Review aggregate reports (rua) and forensic reports (ruf).

• Identify unauthorized sources sending from your domain.

• Gradually tighten your policy:

  1. Start with p=none → gather data.

  2. Move to p=quarantine → partial enforcement.

  3. Finally set p=reject → full protection.

Pro Tips

• Always start with p=none to avoid blocking legitimate emails while testing.

• Enable reports (rua/ruf) to monitor unauthorized use.

• Use strict alignment (adkim=s; aspf=s) once SPF/DKIM are confirmed.

• Check reports regularly to improve deliverability and catch spoofing attempts.

FAQs

Q1: Why is DMARC important?
It prevents spoofing, phishing, and unauthorized use of your domain by enforcing SPF & DKIM checks.

Q2: Can I change my policy later?
Yes. Best practice: start with none, then move to quarantine, then reject.

Q3: What happens if my DMARC is misconfigured?
Legitimate emails may fail to deliver. Always test and review reports before strict enforcement.

Q4: How do DMARC reports work?

• RUA reports (XML) → show aggregate pass/fail data.

• RUF reports → detailed failure data (optional).

Q5: What’s the best setting for pct=?

• Use pct=100 once fully enforcing.

• Use pct=20–50 during testing to apply enforcement gradually.