DMARC Setup Guide: How to Set Up DMARC (with a Record Example)

A step-by-step DMARC setup walkthrough for small business owners and freelance agencies — no email-infrastructure jargon. Copy the DMARC record example, add it at your registrar, and roll it out safely.

First: SPF, DKIM and DMARC in one sentence each

  • SPF is a DNS record listing which servers are allowed to send email for your domain.
  • DKIM adds a cryptographic signature to your emails so receivers can verify they weren't tampered with.
  • DMARC ties SPF and DKIM together and tells receiving servers what to do when a message fails — and where to send you reports.

You should have SPF and DKIM working before enforcing DMARC, but you can safely add a monitoring-only DMARC record (p=none) at any time to start collecting data.

The exact DMARC record to add

DMARC lives in a single TXT record at a specific hostname. Create a TXT record with:

FieldValue
TypeTXT
Name / Host_dmarc  (the registrar appends your domain → _dmarc.example.com)
Value / Contentv=DMARC1; p=none; rua=mailto:dmarc@example.com
TTLAuto / 3600

Here is a complete DMARC record example you can adapt — replace the email address with one you actually monitor:

v=DMARC1; p=none; rua=mailto:dmarc@example.com; ruf=mailto:dmarc@example.com; fo=1; adkim=r; aspf=r; pct=100

What each tag means:

TagMeaning
v=DMARC1Required. Must be first and exactly this.
p=nonePolicy: monitor only (no action taken yet).
rua=mailto:Where aggregate (daily summary) reports are sent. Do not skip this.
ruf=mailto:Optional. Where forensic/failure reports are sent (many providers ignore it).
adkim / aspfAlignment mode: r = relaxed (recommended), s = strict.
pctPercent of mail the policy applies to (100 = all).
Check your DMARC record free →

How to add the DMARC record at your registrar

The steps are nearly identical everywhere: you're just adding one TXT record in the DNS section.

Cloudflare

  1. Open your domain → DNS → Records.
  2. Click Add record. Type = TXT.
  3. Name = _dmarc. Content = your DMARC value. Proxy status doesn't apply to TXT.
  4. Save.

GoDaddy

  1. Go to My Products → Domain → DNS / Manage DNS.
  2. Under Records, click Add. Type = TXT.
  3. Host = _dmarc. TXT Value = your DMARC value. TTL = 1 Hour.
  4. Save.

Namecheap

  1. Dashboard → Manage → Advanced DNS.
  2. Click Add New Record. Type = TXT Record.
  3. Host = _dmarc. Value = your DMARC value. TTL = Automatic.
  4. Save all changes (green check).
Tip: Enter the host as _dmarc only — not _dmarc.example.com. Registrars automatically append your domain. Adding the full name creates _dmarc.example.com.example.com, which won't work.

DNS changes can take from a few minutes up to 24–48 hours to propagate. After a while, verify it resolves before moving on.

The rollout timeline: none → quarantine → reject

Never jump straight to p=reject. Ramp up so legitimate mail is never lost:

StagePolicyDurationGoal
1. Monitorp=none2–4 weeksCollect reports; confirm all your real senders pass SPF/DKIM.
2. Quarantinep=quarantine; pct=1002–4 weeksFailing mail goes to spam. Watch for false positives.
3. Enforcep=rejectOngoingSpoofed mail is blocked outright.

You can ease into quarantine gradually with pct (e.g. p=quarantine; pct=25) before applying it to 100% of mail.

Common DMARC mistakes to avoid

  • Multiple DMARC records. Only one TXT record may start with v=DMARC1 at _dmarc. Two records make DMARC invalid — receivers ignore all of them.
  • Missing rua. Without a reporting address you get no data and are effectively flying blind. Always include one.
  • Syntax typos. Tags are separated by semicolons, v=DMARC1 must come first, and there are no quotes inside the value. A stray space or comma can break the whole record.
  • Enforcing too early. Turning on p=reject before your legitimate mail passes alignment will silently block real emails.
  • Wrong host. Placing the record on @ or the bare domain instead of _dmarc.
Watch out: DMARC reports arrive as raw XML files from dozens of mailbox providers. Reading them by hand is painful — which is exactly why most people set up p=none and then never look at the data again.

Frequently asked questions

Do I need SPF and DKIM before DMARC?

You can add a p=none DMARC record any time to start collecting reports, but for DMARC to actually protect you, at least one of SPF or DKIM must pass and be aligned with your domain. Set up both first, then enforce.

What does p=none actually do?

p=none takes no action on failing mail — it only asks receivers to send you aggregate reports. It's the safe starting point that lets you see who's sending as your domain before you enforce a stricter policy.

How long should I stay on p=none before quarantine?

Typically 2–4 weeks — long enough to confirm that every legitimate sending source (your mail host, newsletters, invoicing tools, CRM) is passing SPF or DKIM. Once reports show no unexplained failures, move to quarantine, then reject.

Can I have more than one DMARC record?

No. A domain must have exactly one DMARC TXT record at _dmarc. If two exist, the policy is treated as undefined and ignored. If you need multiple reporting addresses, list them in one record separated by commas.

Get a plain-English weekly DMARC report — create a free account →

PlainDMARC turns those messy XML reports into a single weekly verdict in plain English — branded with your agency's logo for each client, and one flat price covers every domain on your plan.