Domain-based Message Authentication, Reporting & Conformance (DMARC)

What is DMARC?

Domain-based Message Authentication, Reporting & Conformance (DMARC) is a specification created by a group of organizations in the email delivery industry. Its purpose is to reduce email abuse by standardizing reporting for email authentication/validation systems.

In other words, it standardizes how email receivers perform authentication using SPF and DKIM protocols.

How do I set it up?

Create an Email Account

You're going to want a dedicated email account to use for receiving the DMARC reports. We recommend something like

Decide which Tags to use

The entire list of tags are available here in section "Page 46". But it's generally overkill to use all of them. The most important are the v, rua, p, and ruf tags.

Start by Monitoring

By setting the policy tag to "none", you're telling the email receivers not to quarantine or reject your emails, and rather to simply send you a daily aggregate report.

To set this up, add a TXT DNS record to your domain:

v=DMARC1; p=none;

Optionally, you can set "" to receive a copy of the phished/spoofed email.

Quarantine Time

After you've monitored your DMARC reports and added SPF/DKIM records to any legitimate 3rd-party sources that were being flagged in the report, it's time to enable quarantine mode.

Simply set p=quarantine; in the TXT DNS record you added previously.


This is the final stage, but some people choose to ignore it and leave their DMARC setup in quarantine mode.

To tell your email receivers to reject the spoofed/phished emails, just set p=reject; in the TXT DNS record you added previously.

Example Deployment Cycle

Using the many DMARC tags, you can really fine-tune your DMARC policy.

Here's an example deployment cycle:

  1. Monitor all.
  2. Quarantine 1%.
  3. Quarantine 5%.
  4. Quarantine 25%.
  5. Quarantine 50%.
  6. Quarantine all.
  7. Reject 1%.
  8. Reject 10%.
  9. Reject 50%.
  10. Reject all.