As of February 2024, Google and Yahoo have increased their enforcement of domain authentication. To avoid issues with email delivery, it’s crucial to complete DMARC authentication for the sending domain you use to send emails.
You must set up DKIM before configuring DMARC.
What is DMARC?
Domain-based Message Authentication, Reporting and Conformance (DMARC) is a form of authentication that adds an extra layer of security to emails sent from your domain. By specifying a policy (e.g., none, quarantine, or reject) for unauthenticated emails, DMARC helps prevent spoofing and provides insight into potential abuse of your domain.
Checking for DMARC
If you’re not sure whether your domain already has a DMARC policy, you can find out right in your email marketing account. You must have DKIM set up before you can use this tool.
- Navigate to your Account > Deliverability tab.
  - Parent account: Click on the gear icon in the upper right corner of your screen and choose Account from the dropdown menu.
  - Subaccounts: Navigate to the appropriate subaccount and click on the gear icon in the upper right corner of your screen.
    - If you are a Manager or Parent user, scroll down to Subaccount settings and choose Account from the dropdown menu.
    - If you are an Administrator user, choose Account from the dropdown menu.
  - Standalone accounts: Click on the gear icon in the upper right corner of your screen and choose Account from the dropdown menu.
- On the next screen, click on the Deliverability tab.
- Scroll down to the section that says DMARC status check.
- Click on the Check DMARC status button.
If your domain has a DMARC policy, a green pill icon will appear in the Policy row, showing the policy type:
- None: Your DMARC policy is p=none
- Quarantine: Your DMARC policy is p=quarantine
- Reject: Your DMARC policy is p=reject
All these options are valid DMARC policies.
If the DMARC status check tool cannot find a DMARC policy on your domain, or if it encounters an error, then you will see an error message.
Error messages typically indicate the source of the problem. For example, if the message states that your domain has more than one DMARC record, you will need to remove one.
Setting up DMARC
DMARC setup requires adding a TXT record to your DNS that specifies your DMARC policy and includes optional settings for reporting. DMARC setup can vary based on your organization’s needs. It’s best done by someone with DNS expertise, as it requires testing, reviewing technical reports, and securing mail streams.
Step 1: Choose a DMARC policy
Decide how you want unauthenticated emails to be treated:
- p=none: Monitors email without taking action on unauthorized emails
- p=quarantine: Sends unauthorized emails to spam
- p=reject: Blocks unauthorized emails from reaching recipients
Only use a quarantine or reject policy if you are sure that DKIM is set up for all of your email traffic.
Step 2: Create a DMARC TXT record
Below is an example of the minimum requirements for a DMARC policy, which you can change later if you want to enforce a stronger policy. Start with a “none” policy, then transition to quarantine or reject as you gain confidence.
- Log in to your DNS provider’s website or app.
- Create a new TXT record and enter the following text, exactly as it appears.

| Name | Value |
| --- | --- |
| _dmarc | v=DMARC1; p=none; |

- Select the TTL value (300 seconds – 30 minutes).
- Save the record.
While this is not the only option for setting up DMARC, we cannot provide any additional guidance beyond what is shown above. If you choose to set it up differently, that’s okay, but we won’t be able to help with any questions or troubleshooting for other methods. For anything related to DMARC, your IT team or DNS specialist will be your go-to for assistance.
Step 3: Check your DMARC policy settings
After publishing the DMARC record, allow time for propagation, then verify the settings using a DMARC lookup tool, such as this one. To use this tool, navigate to this page. Under the Check a published DMARC record heading, type your domain in the Domain name box and click on the Check button. If you see a green box that says Valid record, then your DMARC record is correct. You can view the details of your policy in the rows below.
Monitoring and testing DMARC
Testing DMARC involves monitoring DMARC reports and checking for failed authentication attempts. DMARC reports can help you identify unauthorized use of your domain and adjust your policy settings accordingly. You will only have access to these reports if your DMARC record specifies an email address to receive them.
We recommend getting help from service providers who specialize in DMARC. Listed below are two services that can help you through the DMARC implementation process.
Frequently asked questions about DMARC
For more frequently asked questions about DMARC, check out this article.
Can DMARC work without DKIM?
No, DMARC requires either DKIM or SPF to be set up. DMARC verifies that emails align with either of these protocols. Due to the way that our system functions, DKIM is essential, while SPF is optional.
Should I set DMARC to “reject” right away?
No, it’s best to start with none to monitor performance and adjust before enforcing stricter policies.
I followed all of the instructions exactly, but I’m seeing an error when I try to check my DMARC! Did I do something wrong?
It can take up to 24 hours for DNS records to fully propagate, so there’s no need to panic if you don’t see the DMARC record check tool update right away. Just give the records some time and then try again.
If you’re still seeing errors after 24 hours, there may be a small typo in your record. Try checking it for errant spaces or typos. Additionally, if you copied and pasted the record into your DNS, try typing it in manually instead. Alternatively, you can paste it into a text editor, copy it again, and then paste it into your DNS. The goal is to strip any hidden formatting that might tag along when you enter or paste the record into your DNS, as this formatting can prevent our system from reading it.
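The checks behind Step 3 and the troubleshooting advice above, as an added example (not this provider's tool or code): a small Python validator that takes the TXT strings published at _dmarc.<your domain> and reports duplicate records, hidden pasted characters, and a missing or invalid p= value. The function names and sample records are constructed for illustration, and the DNS lookup itself is assumed to be done separately.

```python
import unicodedata

VALID_POLICIES = {"none", "quarantine", "reject"}

def hidden_characters(value):
    """Name every character outside printable ASCII (what rich-text pastes leave behind)."""
    return [unicodedata.name(ch, f"U+{ord(ch):04X}")
            for ch in value if not 0x20 <= ord(ch) <= 0x7E]

def check_dmarc(txt_records):
    """Return a list of problems for the TXT strings found at _dmarc.<domain>."""
    # Treat anything mentioning DMARC1 as an attempted DMARC record so that
    # damaged records are reported instead of silently ignored.
    candidates = [r for r in txt_records if "dmarc1" in r.lower()]
    if not candidates:
        return ["no DMARC record found"]
    problems = []
    if len(candidates) > 1:
        problems.append(f"{len(candidates)} DMARC records found; only one is allowed")
    for record in candidates:
        hidden = hidden_characters(record)
        if hidden:
            problems.append("hidden or non-ASCII characters: " + ", ".join(hidden))
        parts = [p.strip() for p in record.split(";") if p.strip()]
        if parts[0].replace(" ", "") != "v=DMARC1":
            problems.append("record must begin with v=DMARC1")
        tags = {}
        for part in parts:
            name, sep, value = part.partition("=")
            if sep:
                tags[name.strip()] = value.strip()
        policy = tags.get("p")
        if policy not in VALID_POLICIES:
            problems.append(f"p= must be none, quarantine or reject (got {policy!r})")
    return problems

if __name__ == "__main__":
    # Constructed sample inputs, not real DNS answers.
    samples = {
        "clean": ["v=DMARC1; p=none;"],
        "duplicate": ["v=DMARC1; p=none;", "v=DMARC1; p=reject;"],
        "zero-width space": ["\u200bv=DMARC1; p=none;"],
        "smart quotes": ["v=DMARC1; p=\u201cnone\u201d;"],
    }
    for label, records in samples.items():
        print(label, "->", check_dmarc(records) or "OK")
```

An empty result means the record passes these checks; the hidden-character names in the output show exactly what a copy and paste carried into the DNS field.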
Where can I find more information about creating DMARC policies?
Here are some additional resources about DMARC policies:
- Overview from DMARC.org
- What is a DNS DMARC record? from Cloudflare’s Learning Center
- DMARC record generator from MX Toolbox
Why am I seeing an error message telling me that I have more than one DMARC record?
Each domain can only have one DMARC record. If you see an error message that says your domain has more than one DMARC record, then you need to remove the extra DMARC record(s).
I send less than 5,000 emails a day, do I really have to set up authentication?
Yes, you do still need to set up authentication. At minimum, you should set up DKIM and DMARC, but SPF is strongly recommended. You may send less than 5,000 emails a day, but our system sends far more than that. Sending from any email service provider (ESP) will qualify you as a bulk sender to inbox providers.
I don’t have an IT team and I don’t know how to do any of this. Where do I even put this record?
We understand that authenticating your domain can feel overwhelming, especially for someone who may not have a lot of experience with these topics. Our goal is to make this process as smooth as possible for everyone, so we’ve collected several resources that will hopefully help you feel a little more confident.
As far as the DNS records are concerned, you or whoever manages your domain should be able to log in to the registrar that hosts your domain to create the required records. Every DNS provider looks a little different, so if you have specific questions about where to click or what to do, your registrar’s help documentation will be your best bet for guidance.
We’ve collected a list of some popular domain providers and their instructions for how to edit DNS records. Just click on the link that corresponds to your domain provider; if you don’t see yours listed here, try visiting your provider’s website and searching their help documents, or contact their Support team.
- Amazon Route 53: Configuring DNS, DNS record types
- Bluehost: DNS Management
- Cloudflare: Manage DNS records
- Domain.com: How to update DNS records, How to update TXT records, DKIM & DMARC
- Dreamhost: DNS overview
- GoDaddy: Add a TXT record
- Hostgator: Basics of DNS records
- Hover: Managing DNS records
- IONOS: Managing TXT records
- Namecheap: How to add a TXT record
- Network Solutions: How do I manage DNS records?, Help & Support home
- Siteground: Manage your DNS records
- Squarespace: Accessing your DNS settings, Adding custom DNS records
- Wix: Adding or updating TXT records
- WordPress: Manage your DNS records