Setting up DMARC for your domain involves several steps, including implementing SPF and DKIM first. This guide will walk you through the process of properly configuring email authentication for your domain.

1. Implement SPF (Sender Policy Framework)

SPF allows you to publish, in DNS, which mail servers are authorized to send email using your domain as the envelope sender (the SMTP MAIL FROM address, or the HELO name when MAIL FROM is empty). Note that SPF says nothing about the From: header the recipient sees; that link is made later by DMARC.

Create an SPF record in your DNS settings:

v=spf1 ip4:YOUR_SERVER_IP include:_spf.google.com include:_spf.mail_provider.com ~all
  • Replace YOUR_SERVER_IP with your mail server's IP address
  • Include any third-party services that send email on your behalf
  • The ~all tag means "soft fail": mail from an unlisted IP is still accepted but marked as suspect. It is recommended for initial setup; switch to -all (hard fail) once every legitimate source is listed
  • Keep the record within the RFC 7208 limit of 10 DNS lookups (each include:, a, mx, ptr, exists and redirect= counts, recursively). Exceeding it produces a permerror, which receivers and DMARC treat as a failure, not a pass

How SPF Works

[Diagram: a sender transmits a message using your domain from some IP address; the receiving server performs a DNS lookup for your domain's SPF record, which lists the authorized IP addresses and mail servers; if the connecting IP is listed the SPF result is Pass, otherwise Fail (or soft fail, depending on the qualifier on all).]
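The check in the diagram, written out as a small evaluator. This is an added example, not code from the original guide or from DMARC Aide; the domains, IP addresses and records in FAKE_DNS are constructed so it runs offline, and it implements only the ip4/ip6, include: and all mechanisms (a, mx, exists and redirect= are omitted). It also enforces the RFC 7208 limit of 10 DNS-lookup-causing mechanisms, the most common reason a record that looks correct still fails at the receiver.

```python
"""SPF (RFC 7208) check against an offline, constructed DNS table.

Added example; not code from the original guide. It evaluates the mechanism
types the guide's record uses (ip4/ip6, include:, and all with its qualifier)
and enforces the RFC 7208 limit of 10 DNS-lookup-causing mechanisms.
"""
import ipaddress

# Constructed zone data: domain -> its SPF TXT record. All names are hypothetical.
FAKE_DNS = {
    "example.com": "v=spf1 ip4:203.0.113.10 include:_spf.provider-a.test ~all",
    "_spf.provider-a.test": "v=spf1 ip4:198.51.100.0/24 include:_spf.provider-b.test -all",
    "_spf.provider-b.test": "v=spf1 ip4:192.0.2.50 ip6:2001:db8::/32 -all",
    # A record that includes itself never terminates; RFC 7208 makes
    # receivers stop after 10 lookups and return "permerror".
    "loop.test": "v=spf1 include:loop.test -all",
}

MAX_LOOKUPS = 10
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def check_spf(domain, ip, dns=FAKE_DNS, _state=None):
    """Return the SPF result ("pass", "fail", "softfail", "neutral", "none"
    or "permerror") for a connection from `ip` using `domain` as MAIL FROM.

    `_state` carries the lookup counter through include: recursion so that
    the 10-lookup limit applies to the evaluation as a whole.
    """
    state = _state if _state is not None else {"lookups": 0}
    record = dns.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    sender = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        if name in ("ip4", "ip6"):
            # A v4 address is never contained in a v6 network and vice versa.
            if sender in ipaddress.ip_network(value, strict=False):
                return QUALIFIERS[qualifier]
        elif name == "include":
            state["lookups"] += 1
            if state["lookups"] > MAX_LOOKUPS:
                return "permerror"
            inner = check_spf(value, ip, dns, state)
            if inner == "permerror":
                return "permerror"
            if inner == "pass":  # include: matches only when the included record passes
                return QUALIFIERS[qualifier]
        elif name == "all":
            return QUALIFIERS[qualifier]
        # a, mx, ptr, exists and redirect= are not implemented here; they
        # would also count against MAX_LOOKUPS.
    return "neutral"


def count_lookups(domain, dns=FAKE_DNS, _seen=None):
    """Count the DNS-lookup-causing terms reachable from `domain`'s record,
    following include: chains (each domain counted once). Keep this <= 10."""
    seen = set() if _seen is None else _seen
    if domain in seen:
        return 0
    seen.add(domain)
    total = 0
    for term in dns.get(domain, "").split()[1:]:
        term = term.lstrip("+-~?")
        name = term.partition(":")[0].partition("=")[0]
        if name in LOOKUP_TERMS:
            total += 1
            if name == "include":
                total += count_lookups(term.partition(":")[2], dns, seen)
    return total


if __name__ == "__main__":
    for ip in ("203.0.113.10", "198.51.100.77", "192.0.2.50", "203.0.113.99"):
        print(ip, check_spf("example.com", ip))
    print("loop.test:", check_spf("loop.test", "203.0.113.1"))
    print("lookups used by example.com:", count_lookups("example.com"))
```

The loop.test record shows why the lookup counter is kept in shared state across the recursion: without it, a self-including record (or a long chain of third-party includes, which is the realistic case) would never terminate. Run count_lookups against your own zone data before publishing a record that adds another include:.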

2. Implement DKIM (DomainKeys Identified Mail)

DKIM attaches a cryptographic signature to your emails, computed with your domain's private key over selected headers and the body. A receiver fetches the matching public key from DNS and verifies that the signed parts were not altered in transit and that the signing domain took responsibility for the message.

Steps to implement DKIM:

  1. Generate a DKIM key pair (2048-bit RSA is the recommended choice) using your email service provider's tools; the private key stays on the signing system only
  2. Add the public key to your DNS as a TXT record under the selector you chose:
selector._domainkey.yourdomain.com. IN TXT "v=DKIM1; k=rsa; p=YOUR_PUBLIC_KEY"
  3. Configure your mail server to sign outgoing emails with the private key, using the same selector in the s= tag of the DKIM-Signature header

How DKIM Works

[Diagram: the original email is signed with the private key to produce the signed email; at the receiver, the public key fetched from DNS verifies the signature on the received email and the signature is validated.]
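The signing side of the diagram, minus the RSA operation, as an added example (not code from the original guide or from DMARC Aide): it computes the bh= body hash with relaxed canonicalization, canonicalizes the covered headers, and assembles the DKIM-Signature value with an empty b= tag together with the exact bytes the private key must sign. The RSA signature itself is left to a crypto library and is not shown. The message headers and body are constructed sample data; example.com and the selector sel1 are placeholders.

```python
"""DKIM (RFC 6376) canonicalization and body hash: the signing steps that do
not need a key.

Added example; not code from the original guide. The b= value is an RSA
signature over SHA-256 of the bytes returned by build_signature_header and
is produced with the private key by a crypto library (not shown here).
"""
import base64
import hashlib
import re

# Constructed sample message (hypothetical addresses).
HEADERS = [("From", "Alice <alice@example.com>"),
           ("To", "bob@example.net"),
           ("Subject", "Quarterly   report\r\n\t(draft)"),
           ("Date", "Mon, 01 Jan 2024 09:00:00 +0000")]
BODY = "Hi Bob,   \r\n\r\nPlease review.\t\tThanks.\r\n\r\n\r\n"


def canonicalize_body(body, mode="relaxed"):
    """Canonicalize a message body (str, assumed ASCII/UTF-8) per RFC 6376
    section 3.4.3 (simple) or 3.4.4 (relaxed) and return bytes."""
    lines = body.replace("\r\n", "\n").split("\n")
    if mode == "relaxed":
        # Drop trailing whitespace on each line, collapse runs of WSP to one space.
        lines = [re.sub(r"[ \t]+", " ", line.rstrip(" \t")) for line in lines]
    while lines and lines[-1] == "":      # ignore empty lines at the end of the body
        lines.pop()
    if not lines:
        # Empty body: simple mode yields a single CRLF, relaxed yields nothing.
        return b"\r\n" if mode == "simple" else b""
    return ("\r\n".join(lines) + "\r\n").encode("utf-8")


def body_hash(body, mode="relaxed"):
    """The bh= tag value: base64(SHA-256(canonicalized body))."""
    digest = hashlib.sha256(canonicalize_body(body, mode)).digest()
    return base64.b64encode(digest).decode("ascii")


def canonicalize_header(name, value):
    """Relaxed header canonicalization (RFC 6376 section 3.4.2): lowercase
    name, unfold, collapse WSP, strip WSP around the colon and at the end."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", value)           # unfold continuation lines
    collapsed = re.sub(r"[ \t]+", " ", unfolded).strip(" \t")
    return f"{name.lower()}:{collapsed}\r\n"


def build_signature_header(headers, body, domain, selector,
                           signed=("from", "to", "subject", "date")):
    """Return (DKIM-Signature value with empty b=, bytes to sign).

    `headers` is an ordered list of (name, value) tuples as they appear in
    the message; only names listed in `signed` are covered, and for a
    repeated name the last occurrence is used, as the RFC requires.
    """
    by_name = {}
    for name, value in headers:
        by_name[name.lower()] = value                 # last occurrence wins
    present = [h for h in signed if h in by_name]
    dkim_value = (f"v=1; a=rsa-sha256; c=relaxed/relaxed; d={domain}; s={selector}; "
                  f"h={':'.join(present)}; bh={body_hash(body)}; b=")
    to_sign = "".join(canonicalize_header(h, by_name[h]) for h in present)
    # The DKIM-Signature field itself comes last, without a trailing CRLF.
    to_sign += canonicalize_header("DKIM-Signature", dkim_value).rstrip("\r\n")
    return dkim_value, to_sign.encode("utf-8")


if __name__ == "__main__":
    value, to_sign = build_signature_header(HEADERS, BODY, "example.com", "sel1")
    print(value)
    print("tampered body changes bh:", body_hash(BODY) != body_hash(BODY.replace("Bob", "Eve")))
```

Relaxed canonicalization is what lets a signature survive the whitespace rewriting that intermediate MTAs routinely do, while any change to the words themselves still alters bh=. Headers not listed in h= are not protected at all, which is why From:, Subject: and Date: should always be included.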

3. Create a DMARC Record

DMARC ties SPF and DKIM to the From: header domain the recipient actually sees. A message passes DMARC only if SPF or DKIM passes and the domain that passed aligns with the From: domain (by default, relaxed alignment: the same organizational domain). The DMARC record tells receiving mail servers what to do with messages that fail this check and where to send reports about them.

Add a DMARC record to your DNS as a TXT record:

_dmarc.yourdomain.com. IN TXT "v=DMARC1; p=none; rua=mailto:[email protected]; ruf=mailto:[email protected]; sp=none; ri=86400"

Policy options explanation:

  • p=none: Monitor mode (recommended to start); failing mail is delivered as usual, but reports are still sent
  • p=quarantine: Receivers treat failing mail as suspicious, typically delivering it to the spam folder
  • p=reject: Receivers refuse failing mail outright, usually at SMTP time
  • rua=: Email address for aggregate (XML) reports. If this address is on a different domain from the one publishing the policy, that domain must publish an authorization record (yourdomain.com._report._dmarc.<reports-domain> TXT "v=DMARC1"), otherwise receivers will not send the reports
  • ruf=: Email address for forensic (per-message) reports; many large receivers do not send these for privacy reasons, so do not rely on them
  • sp=: Policy for subdomains of this domain; if omitted, the p= policy applies to subdomains as well
  • ri=: Requested reporting interval in seconds (86400 = daily); receivers are not required to honor it, and daily is the norm

DMARC Policy Flow

[Diagram: email arrives; SPF check and DKIM check are run; the DMARC policy is applied to messages that fail: none = monitor, quarantine = spam folder, reject = block; reports are sent to the domain owner.]

4. Monitor and Adjust

  1. Start with 'p=none' to monitor without affecting email delivery
  2. Use DMARC Aide to analyze the reports you receive
  3. Gradually increase enforcement as you resolve legitimate authentication failures

Gradual enforcement approach:

  1. p=none: monitor only
  2. p=quarantine; pct=25: 25% of failing mail to spam
  3. p=quarantine; pct=100: all failing mail to spam
  4. p=reject: block all failing mail

Example of a gradual approach:

v=DMARC1; p=quarantine; pct=25; rua=mailto:[email protected]

This applies the quarantine policy to a random 25% of failing messages; the remaining 75% are handled as p=none (delivered, but still reported). Note the asymmetry when you later move to reject: with p=reject; pct=25, the unsampled 75% are quarantined rather than delivered, so a pct ramp on reject steps down to quarantine, never all the way to none.
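An evaluator for the record and the pct= behaviour described above, as an added example (not code from the original guide or from DMARC Aide). The _dmarc records, domain names and report address are constructed so it runs offline. It goes slightly beyond the text in two ways: it applies the alignment rule (an SPF or DKIM pass only counts if the authenticated domain matches the From: domain, relaxed by default), and it shows how the unsampled share under pct= is stepped down one policy level rather than skipped.

```python
"""DMARC (RFC 7489) policy evaluation against an offline, constructed DNS table.

Added example; not code from the original guide. A message passes DMARC only
if SPF or DKIM passes *and* that passing identifier aligns with the From:
header domain; for the share of failing mail that pct= leaves unsampled, the
policy is stepped down one level (reject -> quarantine, quarantine -> none).
Domain names and the report address are hypothetical.
"""
import random

# Constructed zone data: "_dmarc.<domain>" -> TXT record.
FAKE_DNS = {
    "_dmarc.example.com": ("v=DMARC1; p=quarantine; pct=25; sp=reject; "
                           "rua=mailto:dmarc-reports@example.com"),
    "_dmarc.strict.test": "v=DMARC1; p=reject; aspf=s; adkim=s",
}


def parse_dmarc(record):
    """Split a DMARC TXT record into a tag dict and fill RFC 7489 defaults."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a usable DMARC record: " + record)
    tags.setdefault("adkim", "r")     # relaxed alignment unless told otherwise
    tags.setdefault("aspf", "r")
    tags.setdefault("pct", "100")
    tags.setdefault("sp", tags["p"])  # subdomains inherit p= when sp= is absent
    return tags


def org_domain(domain):
    """Organizational domain. Simplified to the last two labels; real
    validators use the Public Suffix List so that e.g. example.co.uk works."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(identifier, from_domain, mode):
    """Relaxed ("r") alignment compares organizational domains; strict ("s")
    requires an exact match with the From: domain."""
    identifier, from_domain = identifier.lower(), from_domain.lower()
    if mode == "s":
        return identifier == from_domain
    return org_domain(identifier) == org_domain(from_domain)


def find_policy(from_domain, dns=FAKE_DNS):
    """Receivers query _dmarc.<From domain> first, then _dmarc.<org domain>.
    Returns (policy_domain, tags) or (None, None)."""
    for candidate in (from_domain.lower(), org_domain(from_domain)):
        record = dns.get("_dmarc." + candidate)
        if record and record.startswith("v=DMARC1"):
            return candidate, parse_dmarc(record)
    return None, None


def evaluate(from_domain, spf_result, spf_domain, dkim_result, dkim_domain,
             dns=FAKE_DNS, sample=None):
    """Return (dmarc_result, disposition) for one message.

    spf_domain is the MAIL FROM domain SPF was evaluated for; dkim_domain is
    the d= of a DKIM signature that verified. sample is the receiver's random
    draw in [0, 100) for the pct= test; pass a fixed value to be deterministic.
    """
    policy_domain, tags = find_policy(from_domain, dns)
    if tags is None:
        return "none", "none"            # no record published: nothing to enforce
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "none"
    policy = tags["p"] if from_domain.lower() == policy_domain else tags["sp"]
    if sample is None:
        sample = random.randrange(100)
    if sample >= int(tags["pct"]):       # unsampled share: step the policy down
        policy = {"reject": "quarantine", "quarantine": "none"}.get(policy, "none")
    return "fail", policy


if __name__ == "__main__":
    # From: example.com, SPF passed for the ESP's own bounce domain (not aligned),
    # DKIM signed with d=example.com (aligned): DMARC passes on DKIM alone.
    print(evaluate("example.com", "pass", "bounce.bulk-esp.test", "pass", "example.com"))
    # Same sender without a DKIM signature: fails; quarantined for 25% of messages.
    print(evaluate("example.com", "pass", "bounce.bulk-esp.test", "none", "", sample=10))
    print(evaluate("example.com", "pass", "bounce.bulk-esp.test", "none", "", sample=50))
    # Subdomain with no record of its own inherits sp=reject from example.com.
    print(evaluate("news.example.com", "fail", "", "none", "", sample=10))
```

The second and third calls in the main block are the same failing message with two different receiver draws: one lands under the 25% and is quarantined, the other is delivered as if p=none. The subdomain case shows why sp= matters: news.example.com publishes nothing of its own, so it inherits the parent's subdomain policy.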

5. Troubleshooting Common Issues

  • Legitimate emails failing: Check that every sending source is listed in SPF and signs with DKIM, and that the passing identifier aligns with your From: domain; an SPF pass for a provider's own bounce domain does not count
  • Third-party senders: Some services send on your behalf from their own envelope domain or modify headers. Ask them to sign with a DKIM key under your domain or to use a custom return-path subdomain. Plain forwarding rewrites the envelope sender, so SPF fails but an intact DKIM signature still passes; mailing lists that add footers or subject tags break DKIM as well
  • Subdomain issues: Consider separate policies for subdomains with the sp= tag, and publish records for subdomains that never send mail
  • Report analysis: Use DMARC Aide to identify patterns in authentication failures

Conclusion

Implementing DMARC is a gradual process that requires monitoring and adjustment. Start with monitoring mode (p=none) and analyze reports to identify legitimate senders. Gradually increase enforcement as you gain confidence in your setup. DMARC Aide can help you analyze reports and identify issues that need to be addressed.