Email spoofing, phishing and Business Email Compromise (BEC) are widespread, so it has never been more important to safeguard your domain. Cybercriminals impersonate brands and executives to steal data, deceive employees and defraud businesses. To mitigate these threats, put strong email authentication in place, starting with DMARC.
In this guide, you will learn how to set up DMARC securely and correctly, even if you are not a cybersecurity expert. We detail what DMARC is, how to configure it, which DNS records are required and how TDMARC by Threatcop can be used to simplify and safeguard the process.
What is DMARC?
DMARC stands for Domain-based Message Authentication, Reporting & Conformance. It is an email authentication protocol that lets domain owners tell receiving mail servers how to handle messages that claim to come from their domain but fail authentication, which keeps fraudulent email out of users' inboxes. DMARC also gives domain owners visibility into which sources are sending email using their domain, supporting stronger domain security and abuse awareness.
DMARC uses two checks to verify that a message is legitimate:
- Identifier alignment: whether the domain that passed SPF (the Return-Path, or MAIL FROM, domain) or the domain that passed DKIM (the d= tag in the signature) matches the domain in the From header. Alignment is relaxed (same organizational domain, the default) or strict (exact match), as set by the aspf and adkim tags.
- Authentication results: whether the message passed SPF or DKIM.
A message passes DMARC when at least one of SPF or DKIM passes and the domain that passed is aligned with the From domain.
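The following is an added example, not code from the original page or from Threatcop, showing the decision a receiving server makes once it has the SPF and DKIM results in hand. The organizational-domain rule is simplified (real receivers use the Public Suffix List) and every message scenario is constructed; the domains are placeholders.

```python
# Added example (not code from the original page or from Threatcop): the decision a
# receiving server makes once it has SPF and DKIM results in hand. The organizational-
# domain rule is simplified here (real receivers use the Public Suffix List), and all
# message data below is constructed.

# Constructed, deliberately tiny stand-in for the Public Suffix List.
_MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.in"}


def organizational_domain(domain: str) -> str:
    """Registrable domain: mail.example.com -> example.com, a.b.co.uk -> b.co.uk."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in _MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str = "r") -> bool:
    """Identifier alignment. mode 's' (strict) needs an exact match;
    mode 'r' (relaxed, the default) needs the same organizational domain."""
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    if mode == "s":
        return a == f
    return organizational_domain(a) == organizational_domain(f)


def dmarc_result(from_domain, spf_result=None, spf_domain=None,
                 dkim_result=None, dkim_domain=None, aspf="r", adkim="r"):
    """Return (passed, reason). DMARC passes when SPF *or* DKIM passed AND the
    domain that passed is aligned with the RFC5322.From domain.
    spf_domain is the MAIL FROM / Return-Path domain; dkim_domain is the d= tag."""
    spf_ok = (spf_result == "pass" and spf_domain is not None
              and aligned(spf_domain, from_domain, aspf))
    dkim_ok = (dkim_result == "pass" and dkim_domain is not None
               and aligned(dkim_domain, from_domain, adkim))
    if spf_ok and dkim_ok:
        return True, "spf+dkim aligned"
    if spf_ok:
        return True, "spf aligned"
    if dkim_ok:
        return True, "dkim aligned"
    return False, "no aligned identifier passed"


# Constructed scenarios, all for a message whose From header is someone@example.com
CASES = {
    # Own mail server: bounces go to bounce.example.com, DKIM signed with d=example.com
    "own server": dict(spf_result="pass", spf_domain="bounce.example.com",
                       dkim_result="pass", dkim_domain="example.com"),
    # Forwarded mail: SPF now passes for the forwarder, but the DKIM signature survives
    "forwarded": dict(spf_result="pass", spf_domain="forwarder.example.net",
                      dkim_result="pass", dkim_domain="example.com"),
    # Bulk sender signing with its own domain: authenticated, but NOT aligned
    "unaligned esp": dict(spf_result="pass", spf_domain="bounce.esp.example",
                          dkim_result="pass", dkim_domain="esp.example"),
    # Spoof: the attacker's own SPF passes for the attacker's domain, no DKIM for ours
    "spoof": dict(spf_result="pass", spf_domain="attacker.example",
                  dkim_result="none", dkim_domain=None),
}


def evaluate_cases(aspf="r", adkim="r"):
    """Run every scenario and return {name: passed} for a quick comparison."""
    return {name: dmarc_result("example.com", aspf=aspf, adkim=adkim, **kw)[0]
            for name, kw in CASES.items()}


if __name__ == "__main__":
    for name, kw in CASES.items():
        print(f"{name:14s} relaxed={dmarc_result('example.com', **kw)}  "
              f"strict={dmarc_result('example.com', aspf='s', adkim='s', **kw)}")
```

The "unaligned esp" and "spoof" cases are the point: SPF or DKIM passing on its own means nothing to DMARC unless the domain that passed is yours, which is why a third-party sender must sign with your domain (or send from a subdomain of it) before you move to enforcement.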
Why Do You Need DMARC for Your Organization?
Email is still the most common, and the most attacked, channel of business communication. Cybercriminals use it to impersonate trusted brands, partners and even internal departments such as HR and finance. One of their most common techniques is email spoofing: sending an email that appears to come from your domain without any permission to do so.
This is where DMARC comes in. DMARC (Domain-based Message Authentication, Reporting & Conformance) is a security protocol that helps secure your domain against attackers trying to impersonate it, while building email trust and giving you visibility into who is sending as your domain.
Here’s exactly why DMARC is essential for your organization:
Defend Against Email Spoofing and Impersonation
Without DMARC, anyone, including cybercriminals, can spoof your domain to send fraudulent emails. These can trick recipients into transferring funds, revealing sensitive information or clicking a link that downloads malware onto their device.
DMARC protects you from spoofing by telling receivers to accept only messages that pass SPF or DKIM with a domain aligned to your From domain. If someone spoofs your domain, the receiver rejects the message or sends it to spam, depending on the DMARC policy you publish (none, quarantine or reject).
Gain Visibility Into The Sources Sending Email
DMARC provides meaningful reporting. When implemented correctly, receivers send you aggregate and failure (forensic) reports showing:
- which mail servers are sending email using your domain;
- whether those emails passed SPF and DKIM, and whether the passing domain was aligned;
- how the recipients' servers handled your emails (delivered, quarantined or rejected).
This visibility lets you spot unauthorized senders, a misconfigured system sending on behalf of your domain, or a legitimate third-party sender you were unaware of. It is especially valuable during the monitoring phase, when the policy is set to none.
Increase Email Deliverability and Reputation
One of DMARC's less obvious benefits is better email deliverability. Mailbox providers such as Gmail, Outlook and Yahoo tend to trust mail that passes their authentication checks, so properly authenticated email (SPF, DKIM and DMARC) is much more likely to land in the inbox than in the spam folder.
Avoid Business Email Compromise (BEC)
Business Email Compromise (BEC) is a growing threat affecting companies of all sizes. The attacker impersonates an executive, vendor or internal department to trick an employee into:
- Sending a wire transfer
- Providing confidential data
- Paying fake invoices
An enforcing DMARC policy closes off the most direct BEC vector: mail that appears to come from your own domain. It is an active, forward-thinking defence that strengthens your overall email security posture. Note that it does not stop BEC sent from lookalike domains or from compromised accounts, which need separate controls.
Understanding the DMARC Record Format
Before configuring DMARC, it is important to understand the basic structure of a DMARC record. A DMARC record is a TXT record you publish in your domain's DNS. It tells message receivers what to do with messages that fail authentication checks and where to send reports about email activity using your domain. Below is a simple DMARC record, with each piece explained.
Here is an example DMARC record:
v=DMARC1; p=quarantine; rua=mailto:[email protected]
Explanation of each part:
- v=DMARC1: the protocol version. This tag must come first and must be exactly DMARC1, otherwise receivers ignore the whole record.
- p=quarantine: the policy to apply to mail that fails DMARC (none, quarantine or reject).
- rua: the address (a mailto: URI) to which aggregate reports are sent.
- Note: the DMARC record is published as a TXT record at _dmarc.yourdomain.com. If a DMARC provider asks you to create a CNAME at that name instead, the CNAME points to a TXT record they host; what receivers read is still a TXT record.
SPF and DKIM: Your Prerequisites
DMARC cannot work on its own; it builds on two other email authentication mechanisms, SPF and DKIM, which must be set up first. Together with DMARC, they confirm that emails really come from your domain and were not modified in transit. Here is a quick summary of what SPF and DKIM do and how they fit in.
- SPF: the receiver checks the connecting server's IP address against the SPF record of the MAIL FROM/Return-Path domain (or the HELO domain), not the From header domain. That is why alignment is critical for DMARC: SPF can pass for a domain that has nothing to do with what the user sees in the From line.
- DKIM: the sending server signs selected headers and the body with a private key; the receiver fetches the public key from DNS (selector._domainkey.<d= domain>) and verifies the signature, which proves the message was authorized by the d= domain and not modified in transit.
TDMARC’s Advanced DMARC Utilities provide additional validation of SPF and DKIM records.
How to Set Up DMARC: Step-by-Step
DMARC may seem technical at first, but broken into steps it is manageable, even if you are new to DNS or email authentication. What follows is a step-by-step guide to configuring DMARC for your domain.
Step 1: Select Your DMARC Policy
The DMARC policy determines what receivers do when a message fails DMARC. There are three policies to choose from; pick one for your initial configuration based on your existing security posture:
- none: monitoring only. No action is taken on mail that fails DMARC, so this is the safest starting point: it lets you collect reports before you enforce stricter rules.
- quarantine: mail that fails DMARC is treated as suspicious and delivered to the recipient's spam or junk folder rather than the inbox.
- reject: the strictest policy. Mail that fails DMARC is rejected by the receiving server and never delivered. Reject gives the strongest protection, but should only be applied after you have monitored reports and confirmed that every legitimate sender passes with aligned SPF or DKIM.
Our recommendation: start with none, gather reports, and make sure SPF and DKIM alignment are working for every legitimate source. Once you are confident, move to quarantine and finally to reject; the pct tag lets you apply the stricter policy to a sample of mail first.
Step 2: Create a DMARC Record
After you have selected your policy, you can generate your DMARC record. A DMARC record is a single line of text containing a few tag=value instructions for receiving mail servers.
Here is a simple example:
v=DMARC1; p=none; rua=mailto:[email protected]; ruf=mailto:[email protected]; pct=100
Definitions of parameters:
- v=DMARC1: the DMARC version (must be the first tag).
- p=none: the policy for mail that fails DMARC (none, quarantine or reject).
- rua=mailto:[email protected]: where to send aggregate reports.
- ruf=mailto:[email protected]: where to send failure (forensic) reports about individual failing messages. Many large mailbox providers do not send these at all, so do not rely on them.
- pct=100: the percentage of failing messages the policy applies to (100 means all). Messages outside the sample get the next less strict policy (reject falls back to quarantine, quarantine to none), which is what makes a gradual rollout possible.
You can write this by hand, or use a tool such as TDMARC that generates the record with the correct syntax and structure and keeps the policy for each of your domains in one place.
Step 3: Add the DMARC Record to your DNS
Now that you have created your DMARC record, you need to publish it in DNS so that mail servers can find and apply it. Follow these steps:
- Log in to your DNS management console (at your registrar or DNS host, such as GoDaddy, Cloudflare or Namecheap).
- Create a new TXT record.
- Set the name/host to _dmarc.yourdomain.com (many consoles append your domain automatically, so you may only need to enter _dmarc).
- Paste your DMARC record into the value field.
- Set the TTL (Time to Live) to the default or 1 hour.
- Save your changes. Make sure there is only one DMARC record at this name: if receivers find more than one TXT record starting with v=DMARC1, they apply no policy at all.
Once saved, your DNS servers start answering queries for the record; other resolvers see it once their cached answers for that name expire, which can take up to the TTL.
Step 4: Check the DMARC Record
Verifying your DMARC record after publishing it is essential: it confirms that the record is valid and that mail servers can find it. The simplest check is to query the TXT record at _dmarc.yourdomain.com with dig or nslookup and compare the answer with what you intended to publish.
You can also use third-party tools such as the Google Admin Toolbox or TDMARC's Verification Utility, which not only checks your DMARC record but also inspects SPF/DKIM alignment and flags possible misconfigurations.
If the tool reports an error, double-check your syntax and DNS settings. An invalid record is treated by receivers as if no DMARC record existed, so you get neither protection nor reports; a valid record with the wrong policy can block your own legitimate mail, and a wrong rua address means reports go nowhere.
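As an added example (not code from the original page or from TDMARC) covering both the record format above and this verification step, here is a small checker that applies the same acceptance rules a receiver uses: version tag first, exactly one DMARC record at the name, valid tag values, and a warning when reports are routed to an external domain. The record strings are constructed; in practice they are the TXT answers from a lookup of _dmarc.yourdomain.com. The address dmarc@yourdomain.com is an assumed placeholder.

```python
# Added example (not from the original page or TDMARC): parse and sanity-check the
# TXT record(s) published at _dmarc.<domain>, applying a receiver's acceptance rules.
# The record strings are constructed; in practice they come from a TXT lookup.
# dmarc@yourdomain.com is an assumed placeholder reporting address.
import re

POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict (keys lower-cased, values stripped)."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate a trailing ';'
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def validate_dmarc(record: str, domain: str):
    """Return (errors, warnings). Any error means receivers will ignore the record."""
    errors, warnings = [], []
    # v=DMARC1 must be the first tag and match exactly, or the record is discarded.
    if not re.match(r"^\s*v\s*=\s*DMARC1\s*(;|$)", record):
        errors.append("record must start with v=DMARC1")
    try:
        tags = parse_dmarc(record)
    except ValueError as exc:
        errors.append(str(exc))
        return errors, warnings
    p = tags.get("p")
    if p is None:
        errors.append("missing required p= tag")
    elif p not in POLICIES:
        errors.append(f"invalid policy p={p!r} (use none, quarantine or reject)")
    if "sp" in tags and tags["sp"] not in POLICIES:
        errors.append(f"invalid subdomain policy sp={tags['sp']!r}")
    for tag in ("adkim", "aspf"):
        if tag in tags and tags[tag] not in {"r", "s"}:
            errors.append(f"{tag}= must be r (relaxed) or s (strict)")
    if "pct" in tags and (not tags["pct"].isdigit() or not 0 <= int(tags["pct"]) <= 100):
        errors.append(f"pct= must be an integer 0..100, got {tags['pct']!r}")
    if "rua" not in tags:
        warnings.append("no rua= tag: you will receive no aggregate reports")
    for tag in ("rua", "ruf"):
        for uri in filter(None, (u.strip() for u in tags.get(tag, "").split(","))):
            if not uri.startswith("mailto:"):
                errors.append(f"{tag}= destination {uri!r} is not a mailto: URI")
                continue
            # Strip the optional '!size' suffix, then take the domain part of the address.
            dest = uri[len("mailto:"):].split("!")[0].rsplit("@", 1)[-1].lower()
            # Simplified check: the real rule compares organizational domains.
            if dest != domain and not dest.endswith("." + domain):
                warnings.append(
                    f"{tag}= sends to external domain {dest}; that domain must publish "
                    f'{domain}._report._dmarc.{dest} TXT "v=DMARC1" or reports are dropped')
    return errors, warnings


def check_published(domain: str, txt_records: list):
    """Apply a receiver's record-selection rules to the TXT answers for _dmarc.<domain>."""
    dmarc = [r for r in txt_records if re.match(r"^\s*v\s*=\s*DMARC1\b", r)]
    if not dmarc:
        return "no-policy", [f"no DMARC record found at _dmarc.{domain}"]
    if len(dmarc) > 1:
        return "no-policy", [f"{len(dmarc)} DMARC records found; receivers apply none of them"]
    errors, warnings = validate_dmarc(dmarc[0], domain)
    if errors:
        return "invalid", errors + warnings
    return "ok", warnings


# Constructed TXT answers, as a lookup of _dmarc.yourdomain.com might return them.
EXAMPLE_ANSWERS = [
    "v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com; ruf=mailto:dmarc@yourdomain.com; pct=100",
]

if __name__ == "__main__":
    print(check_published("yourdomain.com", EXAMPLE_ANSWERS))
    print(check_published("yourdomain.com", EXAMPLE_ANSWERS + ["v=DMARC1; p=reject"]))
    print(validate_dmarc("p=reject; v=DMARC1; pct=150", "yourdomain.com"))
```

The duplicate-record and version-first checks catch the two mistakes that silently disable DMARC: both leave a record that looks fine in the DNS console while every receiver ignores it.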
Step 5: Monitor and Evaluate DMARC Reports
Once your DMARC record is live, you will begin receiving reports from receiving mail servers that tell you:
- which servers are sending email on your behalf;
- how many messages are passing or failing DMARC;
- whether unauthorized sources are attempting to spoof your domain.
Types of Reports
Aggregate reports (rua): XML summaries, usually sent once a day as compressed (.gz or .zip) attachments, listing each sending IP with message counts, SPF/DKIM results and the disposition the receiver applied.
Failure (forensic) reports (ruf): per-message reports with details of individual emails that failed DMARC. Many receivers do not send them, and those that do usually redact content for privacy reasons.
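To show what an aggregate report actually contains and how to triage it, here is an added example (not code from the original page or from TDMARC). The XML is constructed to follow the report format of RFC 7489 and contains the three kinds of source you meet in practice; the IP addresses and domains are documentation placeholders, and the gzip copy stands in for the attachment a mailbox provider would send.

```python
# Added example (not from the original page or TDMARC): reading a DMARC aggregate
# (rua) report. The XML is constructed to match the RFC 7489 report schema; IPs and
# domains are documentation placeholders.
import gzip
import io
import zipfile
import xml.etree.ElementTree as ET

SAMPLE_REPORT = b"""<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>mailbox-provider.example</org_name>
    <report_id>constructed-0001</report_id>
    <date_range><begin>1700000000</begin><end>1700086399</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>yourdomain.com</domain><adkim>r</adkim><aspf>r</aspf>
    <p>none</p><sp>none</sp><pct>100</pct>
  </policy_published>
  <!-- your own mail server: aligned SPF and DKIM -->
  <record>
    <row><source_ip>203.0.113.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>yourdomain.com</domain><selector>s1</selector><result>pass</result></dkim>
      <spf><domain>yourdomain.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <!-- a third-party sender authenticating only as itself: SPF/DKIM pass, DMARC fails -->
  <record>
    <row><source_ip>198.51.100.25</source_ip><count>40</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>esp.example</domain><result>pass</result></dkim>
      <spf><domain>bounce.esp.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <!-- unknown host with no authentication at all: probable spoofing -->
  <record>
    <row><source_ip>192.0.2.77</source_ip><count>15</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results><spf><domain>yourdomain.com</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>
"""
# Reports arrive as .xml.gz or .zip attachments; this constructed gzip copy stands in for one.
SAMPLE_REPORT_GZ = gzip.compress(SAMPLE_REPORT)


def load_report(blob: bytes) -> bytes:
    """Unwrap a report attachment (gzip, zip or bare XML) into XML bytes."""
    if blob[:2] == b"\x1f\x8b":
        return gzip.decompress(blob)
    if blob[:2] == b"PK":
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return zf.read(zf.namelist()[0])
    return blob


def summarize(xml_bytes: bytes) -> dict:
    """Per-source verdicts plus totals. policy_evaluated holds the *aligned* results
    (what DMARC judged); auth_results holds the raw SPF/DKIM outcomes."""
    root = ET.fromstring(xml_bytes)
    rows, totals = [], {"pass": 0, "unaligned": 0, "fail": 0}
    for rec in root.findall("record"):
        row = rec.find("row")
        evaluated = row.find("policy_evaluated")
        count = int(row.findtext("count"))
        dmarc_pass = "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf"))
        auth = rec.find("auth_results")
        raw_pass = any(r.findtext("result") == "pass" for r in (auth if auth is not None else []))
        if dmarc_pass:
            verdict = "pass"        # aligned: nothing to do
        elif raw_pass:
            verdict = "unaligned"   # authenticated as someone else: align or authorize this sender
        else:
            verdict = "fail"        # unauthenticated: probable spoofing
        rows.append({"source_ip": row.findtext("source_ip"), "count": count,
                     "disposition": evaluated.findtext("disposition"), "verdict": verdict})
        totals[verdict] += count
    return {"reporter": root.findtext("report_metadata/org_name"),
            "domain": root.findtext("policy_published/domain"),
            "policy": root.findtext("policy_published/p"),
            "rows": rows, "totals": totals}


if __name__ == "__main__":
    report = summarize(load_report(SAMPLE_REPORT_GZ))
    print(f"{report['reporter']} reported on {report['domain']} (p={report['policy']})")
    for r in report["rows"]:
        print(f"  {r['source_ip']:16s} {r['count']:5d} {r['verdict']:10s} disposition={r['disposition']}")
    print("  totals:", report["totals"])
```

The "unaligned" bucket is the one to work through before enforcement: each such source is a real sender (here a bulk-mail provider) that would start being quarantined or rejected, and the fix is to have it sign with your domain or use a Return-Path under it. The "fail" bucket with p=none shows traffic that spoofs you today and is delivered anyway.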
Why Monitoring is Important
In this phase you use the reports to find and fix every legitimate source that fails alignment, so that you can move from monitoring (none) to enforcement (quarantine or reject) without risking legitimate email delivery.
With TDMARC, you do not need to extract and read the XML reports by hand; it provides:
- scheduled compliance reports, daily and weekly;
- executive-level report summaries;
- threat geolocation and volume metrics;
- source IP threat intelligence;
- lookalike domain detection;
- blocklist IP monitoring.
All of this information helps you make informed decisions and move your domain to an enforcing DMARC policy with confidence.
Common DMARC Mistakes
- SPF or DKIM passing for a domain that is not aligned with the From domain (common with third-party senders)
- Syntax errors in the record, which cause receivers to ignore it entirely
- Reports requested but never reviewed
- Applying reject before every legitimate sender is aligned
TDMARC: A Smarter and Better Way to Manage DMARC
TDMARC by Threatcop is a premium email authentication and anti-spoofing platform that helps organizations avoid BEC attacks such as impersonation, CEO fraud and invoice scams.
TDMARC is an integral part of Threatcop’s People Security Management (PSM) strategy, aligning specifically with the “Protect” phase of the AAPE (Assess, Aware, Protect, Empower) framework.
TDMARC Key Features
Smart Controls for SPF/DMARC/BIMI
Natively manage and optimize your domain’s SPF, DMARC and BIMI records from one dashboard.
Scheduled Compliance and Threat Reports
Get regular reports that include your ongoing email authentication status and any detected threats.
BIMI Generator and Verification
With the BIMI generator and verification, any brand can generate and verify its Brand Indicators for Message Identification (BIMI) record to display its logo in supported inboxes. BIMI requires an enforcing DMARC policy (quarantine or reject), so it is one more reason to finish the rollout.
Lookalike Domain Detection
Detect domains that look similar to your brand's and take action to protect against impersonation or spoofing.
Blacklist IP Monitoring
Monitor whether the IPs that send mail on your behalf appear on blocklists, so you are alerted early and can protect your sending reputation.
Vendor DMARC Checklist
The vendor DMARC checklist gives you an easy way to evaluate your third-party vendors' DMARC compliance and helps you protect your email supply chain.
Threat Intelligence for Source IPs
Assess the source IPs that send email using your domain, which may belong to malicious actors or unauthorized senders.
3-Step Protection Process using TDMARC
DMARC Alignment and Authentication
- Authenticate outgoing emails by aligning SPF and DKIM with your domain.
Verification and Policy Enforcement
- Verify your DMARC setup and enforce your email handling policies.
Real-Time Reporting and Threat Detection
- See threats and email activity in real-time with detailed, actionable reports.
Final Checklist to Set Up DMARC Successfully
| Task | Done? |
|------|-------|
| SPF & DKIM configured | ☐ |
| Policy chosen (none, quarantine, reject) | ☐ |
| DMARC record generated | ☐ |
| TXT record added to DNS | ☐ |
| DMARC setup verified | ☐ |
| Report monitoring started | ☐ |
Conclusion
At this point you have learned how to set up DMARC and are ready to take the next step. We recommend starting with a p=none policy, which gives you visibility into who is sending email using your domain. Once you are confident in the reports and insights, move to quarantine and then reject to block spoofed emails and protect your organization against phishing and business email compromise (BEC) attacks.
To ease the process, I encourage you to check out TDMARC by Threatcop. It automates DMARC record generation, gathers all your email authentication data in one place for monitoring, and gives you real-time threat intelligence from a single platform, so it does the heavy lifting while you keep your domain safe and your correspondence trusted.
Frequently Asked Questions
What type of DNS record is a DMARC record? DMARC records are always published as standard TXT records, at _dmarc.yourdomain.com.
How do I create a DMARC record? You can write the record by hand, or use a tool such as TDMARC that generates it for you.
What is the basic DMARC policy? The basic DMARC policy is p=none, which is used for monitoring only; it takes no action on failing mail.
Does DMARC work without SPF and DKIM? No. DMARC relies on SPF and DKIM: a message passes DMARC only if it passes at least one of them with a domain aligned to the From domain. Set up both for every legitimate sender, since SPF alone often breaks when mail is forwarded.