How to Set Up DMARC Monitoring: Step-by-Step Guide (2026)
DMARC is the last mile of email authentication. SPF and DKIM do the heavy lifting, but DMARC ties them together and shows you what's happening. We configure DMARC for every client. This guide covers setup and monitoring.
Prerequisites: SPF and DKIM Must Be Ready First
DMARC requires SPF and DKIM to be working already. If you haven't set those up:
- Go to mxtoolbox.com
- Run SPF Check on your domain (look for green ✓)
- Run DKIM Check on your domain (look for green ✓)
If either is red/yellow, set them up first. Come back to DMARC after both are valid.
Assuming SPF and DKIM are valid, let's add DMARC.
Step 1: Understand DMARC Policy Options
DMARC policy tells email providers what to do with emails that fail SPF/DKIM authentication.
Three policy options:
p=none
- Policy: "Monitor only, don't enforce"
- Action on failure: Email is delivered anyway (no action)
- Use case: Testing/monitoring phase
- Risk: Low (doesn't affect delivery)
p=quarantine
- Policy: "Suspicious emails go to spam folder"
- Action on failure: Email goes to spam folder (not deleted, can be recovered)
- Use case: Recommended for cold email (safer while testing)
- Risk: Medium (some legitimate emails may be quarantined)
p=reject
- Policy: "Reject emails that fail authentication"
- Action on failure: Email is rejected (bounced back to sender)
- Use case: Maximum security (for established domains with perfect authentication)
- Risk: High (legitimate emails rejected, hard to recover)
Recommendation for cold email:
Start with p=none (1 week), move to p=quarantine (2 weeks), then p=reject (permanent).
This gives you time to test and catch problems before blocking legitimate emails.
Step 2: Create DMARC Record in DNS
- Log into your domain registrar (GoDaddy, Namecheap, Domain.com, etc.)
- Find DNS settings / DNS management
- Look for "Records" or "Manage DNS"
- Click "Add Record" or "Create New Record"
- Select record type: TXT
- Name field: _dmarc
- Value field: (copy-paste from below based on your policy)
For p=none (monitoring only, week 1):
v=DMARC1; p=none; rua=mailto:admin@yourdomain.com; ruf=mailto:admin@yourdomain.com
For p=quarantine (enforcement, week 2-3):
v=DMARC1; p=quarantine; rua=mailto:admin@yourdomain.com; ruf=mailto:admin@yourdomain.com
For p=reject (maximum enforcement, week 4+):
v=DMARC1; p=reject; rua=mailto:admin@yourdomain.com; ruf=mailto:admin@yourdomain.com
Field explanation:
- v=DMARC1: DMARC version (always this)
- p=none/quarantine/reject: Policy enforcement level
- rua=mailto:admin@yourdomain.com: Email address to receive aggregate reports (weekly summary of DMARC results)
- ruf=mailto:admin@yourdomain.com: Email address to receive forensic reports (detailed failure info)
- Save the record
- Wait 24-48 hours for DNS propagation
Step 3: Verify DMARC Record is Live
- Go to mxtoolbox.com
- Find "DMARC Check" tool
- Enter your domain name (yourdomain.com)
- Click check
- Look for result showing your DMARC policy
Expected result (if p=quarantine):
```
v=DMARC1; p=quarantine; rua=mailto:admin@yourdomain.com; ruf=mailto:admin@yourdomain.com
```
If the record doesn't show:
- DNS propagation may still be in progress (wait another 24 hours)
- Double-check you saved the record correctly (exact spelling, no typos)
- Try a different DNS checker (dnschecker.org)
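A syntax check you can run on the record value before pasting it into DNS, added here as an example and not taken from any tool named in this guide. It assumes the tag list of RFC 7489; the sample records are constructed, and `lint_dmarc` is a hypothetical helper name.

```python
import re

# Tags defined for DMARC policy records in RFC 7489, section 6.3.
KNOWN_TAGS = {"v", "p", "sp", "rua", "ruf", "adkim", "aspf", "pct", "fo", "rf", "ri"}
POLICIES = {"none", "quarantine", "reject"}
MAILTO = re.compile(r"mailto:[^@\s,!]+@[^@\s,!]+(![0-9]+[kmgt]?)?", re.I)

def lint_dmarc(record):
    """Return a list of problems found in a DMARC TXT record value."""
    problems, pairs = [], []
    for part in filter(None, (p.strip() for p in record.split(";"))):
        if "=" not in part:
            problems.append(f"malformed tag: {part!r}")
            continue
        name, value = (s.strip() for s in part.split("=", 1))
        pairs.append((name.lower(), value))
    tags = dict(pairs)
    if len(tags) != len(pairs):
        problems.append("duplicate tag")
    if not pairs or pairs[0] != ("v", "DMARC1"):
        problems.append("record must start with v=DMARC1")
    for name in ("p", "sp"):
        if (name == "p" or name in tags) and tags.get(name, "").lower() not in POLICIES:
            problems.append(f"{name}= must be none, quarantine or reject")
    for name in tags:
        if name not in KNOWN_TAGS:
            problems.append(f"unknown tag {name!r} (receivers ignore it)")
    for name in ("rua", "ruf"):
        for uri in filter(None, (u.strip() for u in tags.get(name, "").split(","))):
            if not MAILTO.fullmatch(uri):
                problems.append(f"{name}= has a non-mailto or malformed URI: {uri!r}")
    if "rua" not in tags:
        problems.append("no rua= address, so no aggregate reports will arrive")
    return problems

# Constructed sample records: one following the guide's pattern, two deliberately broken.
SAMPLES = [
    "v=DMARC1; p=quarantine; rua=mailto:admin@yourdomain.com; ruf=mailto:admin@yourdomain.com",
    "v=DMARC1; p=quarantine; subdomain_policy=quarantine; rua=mailto:admin@yourdomain.com",
    "p=reject; v=DMARC1; rua=admin@yourdomain.com",
]

if __name__ == "__main__":
    for rec in SAMPLES:
        print(rec, "->", lint_dmarc(rec) or "OK")
```

An unknown tag does not invalidate the record, which is why a misspelled subdomain policy fails silently: receivers skip it and apply `p=` to subdomains instead.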
Step 4: Set Up DMARC Report Monitoring
DMARC sends you reports automatically. You need a place to receive and interpret them.
Option A: Google Postmaster Tools (Free, Gmail Only)
If you're using Gmail:
- Go to postmaster.google.com
- Click "Add Property"
- Enter your domain (yourdomain.com)
- Google asks you to verify domain (add verification TXT record)
- After verification, Google shows:
  - Authentication results (SPF/DKIM/DMARC pass rate)
  - Spam complaints
  - Delivery issues
  - Domain reputation
This is free and great for Gmail senders.
Option B: Postmark / SendGrid DMARC Dashboard (Free Tier)
If using other email providers:
- Log into your email provider (Postmark, SendGrid, Brevo, etc.)
- Find "DMARC" or "Email Authentication" section
- They usually have built-in DMARC reporting
- Dashboard shows:
  - DMARC pass rate (% of emails passing authentication)
  - DMARC failures (% failing)
  - Aligned/misaligned results
  - Actionable issues
Option C: Dedicated DMARC Monitoring (Paid)
For serious monitoring, use tools like:
- Valimail
- Dmarcian
- DMARC Check
- OnDMARC
These tools:
- Aggregate DMARC reports automatically
- Show visual dashboards
- Alert you to issues
- Help troubleshoot failures
Cost: $50-500/month depending on domain count
Step 5: Interpret DMARC Reports
DMARC reports arrive weekly via email at the address you set (admin@yourdomain.com).
Weekly aggregate report shows:
- Total emails sent from domain: 5,000
- SPF pass rate: 99%
- DKIM pass rate: 99%
- DMARC alignment: 98%
What each metric means:
DMARC Alignment: >95% is good
- Alignment: Email passed both SPF and DKIM and they matched the "From" domain
- Misalignment: Email failed or didn't match properly
- Goal: 95%+ alignment before moving to p=reject
If alignment is <90%:
- Check if there's a subdomain being used (different from main domain)
- Check if a third-party tool is sending (Salesforce, HubSpot, etc.)
- Add alignment rules for subdomains in DMARC record
Example with subdomain alignment:
v=DMARC1; p=quarantine; sp=quarantine; rua=mailto:admin@yourdomain.com
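To see which sending source is dragging the number down, the aggregate report's XML attachment can be summarized per source IP. This is an added example, not code from any provider named here; it assumes an already-decompressed report in the RFC 7489 layout without an XML namespace, and the sample report and function names are constructed.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in the RFC 7489 aggregate-report layout (documentation IPs).
ROW = ("<record><row><source_ip>{ip}</source_ip><count>{n}</count><policy_evaluated>"
       "<disposition>none</disposition><dkim>{dkim}</dkim><spf>{spf}</spf>"
       "</policy_evaluated></row><identifiers><header_from>yourdomain.com"
       "</header_from></identifiers></record>")
SAMPLE_REPORT = "<feedback>" + "".join([
    ROW.format(ip="192.0.2.10", n=4850, dkim="pass", spf="pass"),   # main sender
    ROW.format(ip="192.0.2.20", n=50, dkim="pass", spf="fail"),     # e.g. forwarded mail
    ROW.format(ip="198.51.100.7", n=100, dkim="fail", spf="fail"),  # unconfigured source
]) + "</feedback>"

def summarize(xml_text):
    """Map each source IP to counts of messages that passed or failed DMARC."""
    # Reports are third-party input; a legitimate report never needs a DTD.
    if "<!DOCTYPE" in xml_text.upper():
        raise ValueError("DTD in report: refusing to parse")
    by_ip = defaultdict(lambda: {"pass": 0, "fail": 0})
    for row in ET.fromstring(xml_text).iter("row"):
        ev = row.find("policy_evaluated")
        # RFC 7489: DMARC passes when aligned DKIM or aligned SPF passes.
        ok = "pass" in (ev.findtext("dkim"), ev.findtext("spf"))
        by_ip[row.findtext("source_ip")]["pass" if ok else "fail"] += int(row.findtext("count"))
    return dict(by_ip)

def pass_rate(summary):
    """Percentage of reported messages that passed DMARC."""
    total = sum(s["pass"] + s["fail"] for s in summary.values())
    return 100.0 * sum(s["pass"] for s in summary.values()) / total if total else 0.0

def failing_sources(summary):
    """Source IPs with at least one failing message, worst first."""
    return sorted((ip for ip, s in summary.items() if s["fail"]),
                  key=lambda ip: -summary[ip]["fail"])

if __name__ == "__main__":
    s = summarize(SAMPLE_REPORT)
    print(f"{pass_rate(s):.1f}% pass; investigate: {failing_sources(s)}")
```

A failing IP you recognize is a sender to fix in SPF/DKIM; one you do not recognize may be spoofing, and is exactly what enforcement is meant to block.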
Forensic Reports (RUF)
- Shows detailed info on emails that failed authentication
- Arrives with each failure (can be frequent)
- Useful for troubleshooting specific issues
Example forensic report:
```
From: amazon-bounces@yourdomain.com (from Salesforce)
Result: FAIL (SPF mismatch)
Reason: Email came from IP 199.x.x.x, but SPF only authorizes 150.x.x.x
Solution: Add 199.x.x.x to SPF record
```
Step 6: Troubleshooting DMARC Issues
Issue: Low DMARC Alignment (<90%)
Cause: A third-party tool is sending from your domain but not properly configured.
Example tools:
- Salesforce
- HubSpot
- Mailchimp
- Zapier
- Slack notifications
Solution:
- Identify which tool is failing (check forensic reports)
- Get SMTP server/IP from that tool
- Add to SPF record
Example: Salesforce sending from IP 199.x.x.x
- Old SPF: v=spf1 include:sendgrid.net ~all
- New SPF: v=spf1 include:sendgrid.net include:salesforce.com ~all
- Save SPF, wait 24 hours, monitor DMARC alignment again
Issue: SPF Mismatch
Cause: Email is from subdomain (hello@mail.yourdomain.com) but SPF is only on main domain (yourdomain.com).
Solution:
- Option 1: Use main domain for sending (recommended)
- Option 2: Add SPF record to subdomain separately
  - Create separate SPF on mail.yourdomain.com
  - Create separate DKIM selector for subdomain
Issue: DKIM Signature Missing
Cause: Email provider not signing with DKIM.
Solution:
- Verify DKIM is enabled in email provider settings
- Verify DKIM selector is correct (ask provider)
- Verify DKIM public key is in DNS (run DKIM check on mxtoolbox)
- Ask provider for help (this is provider-specific)
Step 7: Monitor Continuously (Ongoing)
After setup, monitor weekly:
Weekly Checklist:
- [ ] Check DMARC alignment (should stay >95%)
- [ ] Review DMARC aggregate report
- [ ] Check for new forensic failures
- [ ] Update SPF if new tools detected
- [ ] Monitor email deliverability (should stay 75-85% inbox)
Monthly Checklist:
- [ ] Review month's DMARC trends
- [ ] Check if any authentication score declined
- [ ] Update security policies if needed
When to Escalate Policy from p=none to p=quarantine:
After 1 week on p=none, check:
- [ ] DMARC alignment >95%
- [ ] Bounce rate <2%
- [ ] No deliverability issues
- [ ] No complaints from legitimate senders
If all checks pass, move to p=quarantine.
When to Escalate from p=quarantine to p=reject:
After 2 weeks on p=quarantine, check:
- [ ] DMARC alignment >98%
- [ ] No forensic failures from known legitimate sources
- [ ] Email deliverability stable
- [ ] No known third-party tools being used
If all checks pass, move to p=reject (maximum security).
Complete DMARC Setup Example
Week 1: Initial Setup (p=none)
- Create DMARC record with p=none
- Monitor alignment (watch for issues)
- Identify any misaligned sources (third-party tools)
- Fix SPF/DKIM issues discovered
Expected alignment: 80-90%
Week 2: Move to Quarantine (p=quarantine)
- Edit DMARC record, change p=none to p=quarantine
- Continue monitoring alignment
- Quarantined emails go to spam, but you can recover them
- Fine-tune authentication issues
Expected alignment: 92-95%
Week 3-4: Monitor and Stabilize
- Keep p=quarantine active
- Let alignment stabilize at >95%
- Address any remaining issues
Week 4+: Move to Reject (p=reject)
- Edit DMARC record, change p=quarantine to p=reject
- Permanent enforcement (failed emails are rejected)
- Continue monitoring monthly
- Maintain >98% alignment
FAQ
Do I need DMARC if I have SPF and DKIM?
Technically no, but practically yes. DMARC is the last piece that makes reputation score stick. Without it, ISPs are less confident in authentication.
What's the difference between aggregate and forensic reports?
Aggregate (RUA): Weekly summary of all authentication results. Forensic (RUF): Detailed info on each failure. Both useful but forensic is noisier.
Should I start with p=none or p=quarantine?
Always start with p=none. This gives you time to test without blocking legitimate email.
What if my alignment is stuck at 90%?
Check for third-party tools using your domain. Get their IPs/servers and add to SPF. Also check for subdomains being used (require separate SPF/DKIM).
How long until I can move to p=reject?
Minimum 3-4 weeks: 1 week p=none (test), 2 weeks p=quarantine (monitor), then p=reject. Don't rush.
What happens if I skip DMARC?
Email deliverability drops 10-15%. Not critical for small sending, but hurts at scale.