How to Set Up DMARC: Step-by-Step Guide

Published on September 20, 2024

Learn how to configure DMARC for your company’s email with a step-by-step guide. We’ll cover everything you need — from prerequisites to adding DMARC to your DNS — so you can secure your domain against email spoofing. Before we dive in, here’s a quick high-level overview of the process.

  1. Add your DMARC record into your DNS
  2. Select the TXT record type
  3. Add the host value (see details below)
  4. Add the value information (see details below)
  5. Save the DMARC record
  6. Validate the DMARC setup (see details below)

For more details, read on. 
 

Why Is DMARC Important?

Thanks to its sheer ubiquity and undeniable usefulness, email has never been more important. But it has also never been secure, thanks to one critical flaw: Anyone can send email using someone else's identity. And per CSO Online, email has become a $775 million-a-month bonanza for cybercriminals who spoof corporate email accounts to impersonate top executives and trusted brands in phishing scams targeting employees, customers, and the general public.

These aren't just one-off attacks anymore, either. We've reported extensively on the increasingly sophisticated ways imposters are posing as suppliers to defraud entire corporate supply chains. Today, email impersonations account for more than half of all Internet-related business losses and are implicated in 67% of all data breaches.

But the damage done from these attacks extends far beyond their immediate victims. Get impersonated, and your company can face lost business, lawsuits, and steep regulatory fines. What's more, negative news stories and social media tirades over crimes committed in your brand's good name can render your legitimate, revenue-generating emails all kinds of toxic, if they aren't blacklisted all together.

Domain-based Message Authentication, Reporting, and Conformance (DMARC) helps organizations prevent all this from happening. Here's how.
 

How DMARC Strengthens Email Authentication & Domain Protection

First introduced in 2012 by a consortium of industry leaders, DMARC is an open standard authentication protocol that works with SPF and DKIM to prevent the fraudulent use of legitimate brands in email attacks. More than 2.5 billion mailboxes are DMARC-enabled worldwide.

DMARC empowers email receiver systems to detect unauthorized emails posing as a brand and allows the brand to dictate how those emails should be handled, protecting its reputation and recipients from fraud.

With DMARC in place, you can:

  • Authenticate all legitimate email messages and sources for your email-sending domains, including those from your own infrastructure, as well as those sent by business units and third-party email partners
  • Instruct email providers what to do with unauthenticated email messages by establishing a DMARC enforcement policy
  • Gain visibility into the legitimate and fraudulent uses of your domains, so you can work with takedown venders to stop cybercriminals from hijacking your brand in email scams

dmarc authentication process

 

Off

FAQs

You can effortlessly add a DMARC record to the DNS server in under five minutes, no technical support required.

First, make sure your Office 365 account is properly linked to your domain and has been verified. You'll need to:

  1. Refer back to your domain registrar and go to the DNS manager.
  2. Select the DMARC policy that you'd like to enforce:
    1. p=none
    2. p-quarantine
    3. p=reject
  3. Add an email address where DMARC reports can be sent.
  4. Create the TXT record value based on the attributes you've used in the "value" field.

To pass DMARC, a message must pass at least one of these checks: Sender Policy Framework (SPF) authentication and alignment, as well as DomainKeys Identified Mail (DKIM) authentication and alignment. 


What Is an Enforcement Policy?

When you set a DMARC enforcement policy for your organization, you're instructing email receiving systems what to do when email purporting to come from your approved domains fails authentication. These policies include:

  • p=none: Email is delivered to its intended recipient without restriction
  • p=quarantine: Email that fails authentication is sent to the intended recipient's junk folder
  • p=reject: Email that fails authentication gets deleted and never reaches its intended recipient
     

DMARC Mechanics

DMARC uses DNS as the mechanism for policy publication. DMARC records are hosted as TXT DNS records in a DMARC specific namespace, which is created by prepending "_dmarc" to the email domain.

For example, if the email domain "example.com" publishes a DMARC record, issuing a DNS query for the TXT record at "_dmarc.example.com," will retrieve the DMARC record. Email receiver systems use the policies published to inform how they process emails purporting to come from the sender's email domain.
 

DMARC Setup Steps for Your DNS

You should have SPF and DKIM deployed and authenticating messages for at least 48 hours before setting up DMARC. Then, you can follow these DMARC setup steps to add DMARC to your DNS.

Step 1: Create a DMARC record

  • Use our DMARC Setup Tool to easily create the required TXT record. It should look something like this example:V=DMARC1; p=none; rua=mailto:dmarc-feedback@
    This example record instructs receiver systems to generate and send aggregate feedback to "dmarc-feedback@" your domain. The p=none tag indicates you are only interested in collecting feedback. Alternatively, you could use a p=quarantine, or p=reject tags for emails that fail authentication.

Step 2: In your DNS, follow these DMARC setup steps to create a DNS TXT record

  • Log into the management console of your DNS hosting provider, and while this can vary by provider, you want to locate the page that allows you to add a DNS TXT record

Step 3: In the Type box, select TXT Record Type

Step 4: In the Host Value box, enter _dmarc as the "host"

Step 5: In the TXT Value box, enter the record you created using DMARC Record Creator

Step 6: Save the DMARC record

Step 7: Validate the DMARC setup

Use DMARC Checker to verify your record has been set up correctly

Go to our DMARC tool

Taking DMARC to Task & Scale

Setting up DMARC in DNS only takes a few minutes. But to be effective against brand impersonation, DMARC must be set to its highest enforcement level, p=reject. And while this is relatively straightforward when you're talking about a single domain, it can be complicated and time consuming for organizations with thousands of domains spanning dozens of email senders and outside email distribution partners.

However, when deployed using automated DMARC implementation solutions such as Agari DMARC Protection, large organizations have been able to rapidly drive phishing-based brand impersonations to near zero. Not only does this preserve brand reputation and the efficacy of revenue generating email programs, it also protects employees, customers, partners and the general public from costly email scams.

For more information on DMARC adoption and its benefits, download Getting Started with DMARC

READ THE GUIDE
Related Products
DMARC Protection
Related Solutions
DMARC Email Authentication
Related Content
generate your dmarc record