DMARC (Domain-based Message Authentication, Reporting and Conformance) protects your domain from being spoofed in phishing emails. It tells receiving mail servers what to do when someone sends an email pretending to be from your domain. This guide walks you through setting up SPF, DKIM, and DMARC — in that order — so your domain is fully authenticated and protected.

Before You Start

You'll need access to your domain's DNS settings. This is usually managed through your domain registrar (e.g. GoDaddy, Cloudflare, 123 Reg, Namecheap) or your hosting provider.

DMARC relies on two other authentication methods — SPF and DKIM — which need to be in place first. If either is missing, DMARC won't work properly. The setup order is:

  1. SPF — tells receivers which mail servers are allowed to send email for your domain
  2. DKIM — adds a digital signature to your emails so receivers can verify they haven't been tampered with
  3. DMARC — ties SPF and DKIM together and tells receivers what to do if authentication fails

Step 1 — Set Up SPF

SPF is a DNS TXT record that lists all the servers and services authorised to send email on behalf of your domain.

How to create your SPF record

  1. Log in to your DNS provider and navigate to your domain's DNS settings
  2. Add a new TXT record
  3. Set the Host/Name to @ (or leave blank, depending on your provider)
  4. Set the Value to your SPF record

Example SPF records

Microsoft 365:

v=spf1 include:spf.protection.outlook.com ~all

Google Workspace:

v=spf1 include:_spf.google.com ~all

If you use additional services that send email from your domain (e.g. a CRM, marketing platform, or helpdesk), add their SPF include too. For example, if you use Microsoft 365 and HubSpot:

v=spf1 include:spf.protection.outlook.com include:mail.hubspot.net ~all

Important: You can only have one SPF record per domain. If you need to authorise multiple senders, combine them into a single record using multiple "include:" entries. SPF also has a limit of 10 DNS lookups — if you hit this limit, consider using an SPF flattening service.
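The two constraints above (one record per domain, at most 10 DNS lookups) can be checked before you publish. The following is an added example, not part of this guide: it counts lookups the way a receiver would, following include: and redirect= chains, against a constructed offline zone table that stands in for DNS (the IP ranges are RFC 5737 documentation addresses, not the providers' real ones; twice.example and bloated.example are invented to show the two failure modes).

```python
# SPF terms that each cost one DNS lookup under the 10-lookup limit; ip4/ip6/all are free.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

# Constructed offline stand-in for DNS (domain -> list of SPF TXT records); the IP ranges are
# RFC 5737 documentation addresses. twice.example has two records (not allowed) and
# bloated.example has eleven includes (one over the limit).
ZONE = {
    "yourdomain.com": ["v=spf1 include:spf.protection.outlook.com include:mail.hubspot.net ~all"],
    "spf.protection.outlook.com": ["v=spf1 ip4:192.0.2.0/24 include:spfd.protection.outlook.com -all"],
    "spfd.protection.outlook.com": ["v=spf1 ip4:198.51.100.0/24 -all"],
    "mail.hubspot.net": ["v=spf1 ip4:203.0.113.0/24 -all"],
    "twice.example": ["v=spf1 include:mail.hubspot.net ~all", "v=spf1 ip4:192.0.2.5 ~all"],
    "bloated.example": ["v=spf1 " + " ".join(f"include:s{i}.bloated.example" for i in range(11)) + " -all"],
}

def spf_records(domain, zone=ZONE):
    """SPF TXT records published for domain (empty list if none)."""
    return [r for r in zone.get(domain, []) if r.lower().split()[:1] == ["v=spf1"]]

def count_lookups(domain, zone=ZONE, _seen=None):
    """Count the DNS lookups an SPF evaluation of domain performs, following includes."""
    _seen = set() if _seen is None else _seen
    if domain in _seen:          # an include loop would otherwise recurse forever
        return 0
    _seen.add(domain)
    records = spf_records(domain, zone)
    if len(records) != 1:        # missing or duplicate record: nothing further is evaluated
        return 0
    count = 0
    for term in records[0].split()[1:]:
        # strip any /prefix-length and the +-~? qualifier; redirect uses '=' instead of ':'
        name, _, arg = term.split("/")[0].lstrip("+-~?").replace("=", ":", 1).partition(":")
        if name.lower() not in LOOKUP_TERMS:
            continue
        count += 1               # the lookup is spent whether or not the target resolves
        if name.lower() in ("include", "redirect") and arg:
            count += count_lookups(arg, zone, _seen)
    return count

def check_spf(domain, zone=ZONE):
    """Problems with domain's SPF setup; an empty list means it looks fine."""
    problems = []
    records = spf_records(domain, zone)
    if not records:
        problems.append("no SPF record published")
    elif len(records) > 1:
        problems.append(f"{len(records)} SPF records published; only one is allowed")
    if (n := count_lookups(domain, zone)) > 10:
        problems.append(f"{n} DNS lookups exceeds the limit of 10")
    return problems
```

Against real DNS you would replace the ZONE lookup with a TXT query for each domain; the counting logic stays the same.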

Step 2 — Set Up DKIM

DKIM adds a cryptographic signature to your outgoing emails. The receiving server checks this signature against a public key published in your DNS to verify the message is genuine and hasn't been altered in transit.

For Microsoft 365

  1. Go to Microsoft Defender portal → Email & collaboration → Policies & rules → Threat policies → Email authentication settings → DKIM
  2. Select your domain and click Enable
  3. Microsoft will give you two CNAME records to add to your DNS:
    • selector1._domainkey.yourdomain.com
    • selector2._domainkey.yourdomain.com
  4. Add both CNAME records in your DNS provider
  5. Wait for DNS propagation (up to 48 hours, usually much faster), then go back to the Defender portal and enable DKIM signing

For Google Workspace

  1. Go to Google Admin Console → Apps → Google Workspace → Gmail → Authenticate email
  2. Select your domain and click Generate New Record
  3. Google will give you a TXT record to add to your DNS with the host name google._domainkey
  4. Add the TXT record in your DNS provider
  5. Wait for DNS propagation, then go back to the Admin Console and click Start Authentication

If you use other services that send email from your domain (e.g. a CRM or marketing tool), check their documentation for DKIM setup instructions. Each service will have its own DKIM key that needs adding to your DNS.

Step 3 — Set Up DMARC

Once SPF and DKIM are in place and have been working for at least 48 hours, you're ready to add DMARC.

DMARC is a DNS TXT record published at _dmarc.yourdomain.com.

Start with monitoring mode (p=none)

Always start with p=none. This tells receivers to send you reports about authentication results without affecting email delivery. It lets you see what's passing and failing before you enforce anything.

  1. Add a new TXT record in your DNS
  2. Set the Host/Name to _dmarc
  3. Set the Value to:

v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com; adkim=r; aspf=r

Replace dmarc-reports@yourdomain.com with an email address where you want to receive DMARC aggregate reports. This can be any mailbox — consider creating a dedicated one so the reports don't clutter someone's inbox.

What each part means

  v=DMARC1          Identifies this as a DMARC record (required)
  p=none            Policy — what to do with failing emails. none = monitor only, quarantine = send to spam, reject = block entirely
  rua=mailto:...    Where to send aggregate reports (daily XML summaries of authentication results)
  adkim=r           DKIM alignment mode — r = relaxed (subdomains pass), s = strict
  aspf=r            SPF alignment mode — r = relaxed, s = strict
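A record with a typo in one of these tags is silently ignored by receivers, so it is worth validating the string before pasting it into DNS. The following parser and validator is an added example, not part of this guide; it checks the tags explained above (v, p, rua, adkim, aspf, plus sp and ruf) and the mailto: form of report destinations, and nothing else.

```python
# Tags this guide uses (plus sp/ruf) and the values RFC 7489 allows for them.
ALLOWED = {
    "p": {"none", "quarantine", "reject"},
    "sp": {"none", "quarantine", "reject"},
    "adkim": {"r", "s"},
    "aspf": {"r", "s"},
}

def parse_dmarc(record):
    """Split 'v=DMARC1; p=none; rua=mailto:...' into an ordered tag -> value dict."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue                    # a trailing ';' is fine
        if "=" not in part:
            raise ValueError(f"malformed tag {part!r}")
        key, value = (s.strip() for s in part.split("=", 1))
        if key in tags:
            raise ValueError(f"duplicate tag {key!r}")
        tags[key] = value
    return tags

def validate_dmarc(record):
    """Return the problems with a DMARC record; an empty list means receivers will accept it."""
    try:
        tags = parse_dmarc(record)
    except ValueError as err:
        return [str(err)]
    problems = []
    if next(iter(tags), None) != "v" or tags.get("v") != "DMARC1":
        problems.append("record must start with v=DMARC1")
    if "p" not in tags:
        problems.append("p= tag is required")
    for key, allowed in ALLOWED.items():
        if key in tags and tags[key] not in allowed:
            problems.append(f"{key}={tags[key]} is not one of {sorted(allowed)}")
    for key in ("rua", "ruf"):
        for uri in filter(None, (u.strip() for u in tags.get(key, "").split(","))):
            if not uri.startswith("mailto:"):
                problems.append(f"{key} destination {uri!r} must be a mailto: URI")
    if tags.get("p") == "none" and "rua" not in tags:
        problems.append("p=none without rua= collects no reports, so there is nothing to monitor")
    return problems
```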

Step 4 — Monitor Your Reports

After publishing your DMARC record with p=none, you'll start receiving aggregate reports within 24–72 hours. These are XML files sent to the email address you specified in the rua tag.

The raw XML reports can be hard to read. Free tools like MXToolbox, dmarcian, or EasyDMARC can parse the reports into a readable dashboard.

Review the reports and look for:

  • Legitimate services failing authentication — these need their SPF or DKIM configured before you enforce DMARC
  • Unknown senders passing authentication — investigate whether these are legitimate services you've forgotten about or potential spoofing
  • High volumes from unfamiliar IPs — could indicate your domain is being spoofed

Stay on p=none for at least 2–4 weeks. Make sure all your legitimate email sources are passing both SPF and DKIM before moving to enforcement. Rushing this step can cause legitimate emails to be blocked.
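The three checks in the review list above can be applied mechanically to each <record> of an aggregate report. The following is an added example, not part of this guide or of any of the tools it names: it parses a constructed report in the RFC 7489 XML shape (source IPs are RFC 5737 documentation addresses) against an invented list of known sender ranges, labels each row, and answers the question at the end of Step 4, whether any legitimate source would break under enforcement.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed aggregate report in the RFC 7489 XML shape, trimmed to the fields read below.
# Source IPs are RFC 5737 documentation addresses, not real senders.
SAMPLE_REPORT = """<feedback>
  <policy_published><domain>yourdomain.com</domain><p>none</p><adkim>r</adkim><aspf>r</aspf></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>1200</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>40</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers></record>
  <record><row><source_ip>203.0.113.99</source_ip><count>8500</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers></record>
</feedback>"""

# Constructed: 192.0.2.0/24 stands in for Microsoft 365, 198.51.100.0/24 for a helpdesk tool without DKIM.
KNOWN_SENDERS = {"m365": ["192.0.2.0/24"], "helpdesk": ["198.51.100.0/24"]}

def classify_report(xml_text, known=KNOWN_SENDERS, spoof_threshold=1000):
    """Apply the review checklist to each <record>; returns (ip, count, source, verdict) tuples."""
    nets = {name: [ipaddress.ip_network(c) for c in cidrs] for name, cidrs in known.items()}
    findings = []
    for rec in ET.fromstring(xml_text).iter("record"):
        ip = ipaddress.ip_address(rec.findtext("row/source_ip"))
        count = int(rec.findtext("row/count"))
        dkim = rec.findtext("row/policy_evaluated/dkim")
        spf = rec.findtext("row/policy_evaluated/spf")
        passed = "pass" in (dkim, spf)   # policy_evaluated holds aligned results; either passing is a DMARC pass
        source = next((n for n, cidrs in nets.items() if any(ip in c for c in cidrs)), None)
        if source and passed:
            verdict = "ok"
        elif source:
            verdict = f"fix {source}: legitimate source failing (dkim={dkim}, spf={spf})"
        elif passed:
            verdict = "unknown source passing: confirm it is a service you forgot about"
        elif count >= spoof_threshold:
            verdict = "high-volume unknown source failing: likely spoofing"
        else:
            verdict = "unknown source failing: low volume, check"
        findings.append((str(ip), count, source, verdict))
    return findings

def ready_to_enforce(findings):
    """True when no known source is failing, i.e. tightening the policy will not block legitimate mail."""
    return not any(v.startswith("fix ") for _, _, _, v in findings)
```

Unknown sources that fail are exactly what p=quarantine and p=reject are meant to stop; the rows to act on before enforcing are the "fix ..." ones.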

Step 5 — Enforce DMARC (Quarantine, then Reject)

Once your reports show that all legitimate email is passing authentication, you can start enforcing DMARC in stages:

Stage 1: Quarantine

Update your DMARC record to:

v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@yourdomain.com; adkim=r; aspf=r

This sends emails that fail authentication to the recipient's spam/junk folder instead of their inbox. Monitor for a further 1–2 weeks and check that no legitimate email is being caught.

Stage 2: Reject

When you're confident everything is working, move to the strongest policy:

v=DMARC1; p=reject; rua=mailto:dmarc-reports@yourdomain.com; adkim=r; aspf=r

This tells receiving servers to reject (bounce) any email from your domain that fails authentication. This is the gold standard for domain protection.

The phased approach above — moving from p=none to p=quarantine to p=reject, with a monitoring period at each stage — is the safest way to roll out DMARC. Don't skip steps. Make sure your reports are clean before tightening the policy.

Step 6 — Verify Your Setup

After completing the setup, verify everything is working:

  1. Send a test email to an external address (e.g. a personal Gmail account)
  2. Open the email and view the message headers (in Gmail: three dots menu → "Show original")
  3. Look for these three results — all should show PASS:
    • SPF: PASS
    • DKIM: PASS
    • DMARC: PASS

You can also use online checkers like MXToolbox to look up your domain's SPF, DKIM, and DMARC records and check for errors.

Quick Reference — DNS Records Summary

  Record   Type    Host/Name              Value (example for M365)
  SPF      TXT     @                      v=spf1 include:spf.protection.outlook.com ~all
  DKIM     CNAME   selector1._domainkey   Generated by M365 — copy from Defender portal
  DMARC    TXT     _dmarc                 v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com
