How to Set Up DMARC

What DMARC does

DMARC is a DNS record that tells receiving mail servers what to do when an email claiming to be from your domain fails SPF and DKIM checks. Without DMARC, each mail provider makes its own decision. With DMARC, you set the rules.

DMARC also enables aggregate reporting. Providers like Google, Microsoft, and Yahoo send you daily XML reports showing every source that sent email as your domain, whether it passed or failed authentication, and what action was taken. This is the data AcornDMARC parses for you.

Prerequisites

Before setting up DMARC, you need two things already in place:

• SPF record: A DNS TXT record on your domain that lists which servers are authorized to send email as your domain. If you send through Gmail, Postmark, SendGrid, or any other provider, their IP ranges need to be in your SPF record.
• DKIM signing: Your email provider should be signing outbound messages with a DKIM key. Most hosted providers (Google Workspace, Microsoft 365, Postmark) do this automatically, but you may need to add a DKIM DNS record to enable it.

If you are not sure whether SPF and DKIM are set up, check your DNS records with dig TXT yourdomain.com or use AcornDMARC's dashboard, which shows alignment status for every sender.

Step 1: Choose your policy

DMARC has three policy modes. Start with none and work up.

• p=none: Monitor only. Mail servers deliver everything normally but send you reports. Start here.
• p=quarantine: Failing emails go to spam. Use this after you have reviewed reports and fixed alignment issues.
• p=reject: Failing emails are blocked entirely. This is the goal, but only after you are confident all legitimate senders pass.

Step 2: Create your DMARC DNS record

Add a TXT record to your domain's DNS with the host _dmarc:

_dmarc.yourdomain.com TXT "v=DMARC1; p=none; rua=mailto:[email protected]"

Replace [email protected] with the RUA address AcornDMARC gives you when you add your domain. The rua tag tells providers where to send aggregate reports.

Optional tags

• ruf=mailto:...: Forensic (failure) reports. Most providers ignore this, but it does not hurt to include it.
• pct=100: Percentage of messages the policy applies to. Default is 100. You can lower this during rollout (e.g., pct=10) to apply quarantine or reject to only a fraction of traffic while you monitor.
• adkim=r: DKIM alignment mode. r (relaxed) allows subdomains. s (strict) requires exact match.
• aspf=r: SPF alignment mode. Same as above.

Step 3: Wait for reports

After publishing your DMARC record, providers will start sending aggregate reports within 24 to 48 hours. Google sends daily. Microsoft sends daily. Yahoo sends daily. Smaller providers may take longer or send weekly.

Reports arrive as email attachments (XML inside zip or gzip files). AcornDMARC receives these automatically, parses the XML, and shows the data in your dashboard.

Step 4: Review and tighten

Once reports are flowing, review your dashboard for:

• Unauthorized senders: IP addresses you do not recognize sending as your domain. These could be spoofing attempts or forgotten services.
• Alignment failures: Legitimate senders that fail SPF or DKIM. Fix these before tightening your policy.
• Pass rates: When your pass rate is consistently above 95% and you have addressed all alignment issues, move to p=quarantine. When you are confident, move to p=reject.