How to set up DMARC
Start by creating a mailbox for reports, usually a shared mailbox with an address such as [email protected].
Monitor results
Create a TXT record in your DNS:
Hostname: _dmarc (so the full hostname is _dmarc.company.com)
Value: v=DMARC1; p=none; rua=mailto:[email protected]; ruf=mailto:[email protected]
TTL: 1 hour
The best practice is to have this on for a month to get reports on how your email domain is being used.
It's nice to use powerdmarc.com for reading results. The trial should be enough to see if it's safe to lock down the domain.
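As an added example (not from the original page or from powerdmarc.com), the Python below reads one aggregate (rua) report in the RFC 7489 XML format and lists the sending IPs whose mail would be rejected under p=reject. It assumes the report attachment has already been decompressed; the function names, the known_senders parameter and the sample report are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample report; example.com and the IP addresses are placeholders.
SAMPLE_REPORT = """<feedback>
  <policy_published><domain>example.com</domain><p>none</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
    <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers></record>
  <record><row><source_ip>192.0.2.25</source_ip><count>40</count>
    <policy_evaluated><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>15</count>
    <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers></record>
</feedback>"""

def failing_sources(report_xml):
    """Return {source_ip: message_count} for mail that fails DMARC.

    A message passes DMARC when either the aligned DKIM result or the aligned
    SPF result in <policy_evaluated> is "pass"; it fails only when both fail.
    """
    root = ET.fromstring(report_xml)
    for el in root.iter():
        el.tag = el.tag.rsplit("}", 1)[-1]  # drop the XML namespace some reporters add
    failures = defaultdict(int)
    for row in root.iter("row"):
        evaluated = row.find("policy_evaluated")
        if evaluated is None:
            continue  # malformed row, nothing to evaluate
        dkim = (evaluated.findtext("dkim") or "").strip().lower()
        spf = (evaluated.findtext("spf") or "").strip().lower()
        if dkim != "pass" and spf != "pass":
            ip = (row.findtext("source_ip") or "unknown").strip()
            failures[ip] += int(row.findtext("count") or 0)
    return dict(failures)

def safe_to_reject(report_xml, known_senders):
    """True when none of your own sending IPs (known_senders, a hypothetical
    list you maintain) appears among the sources failing DMARC."""
    return not (set(failing_sources(report_xml)) & set(known_senders))

if __name__ == "__main__":
    for ip, count in failing_sources(SAMPLE_REPORT).items():
        print(f"{ip}: {count} messages would be rejected under p=reject")
```

Aggregate reports are sent by third parties, so for real mailboxes parse them with defusedxml.ElementTree.fromstring instead of the standard-library parser.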
Lock it down
When you are ready to lock down your domain you want something like this:
v=DMARC1; p=reject; pct=100; rua=mailto:[email protected]; ruf=mailto:[email protected];
v=DMARC1: DMARC version
p=reject: Policy is to reject all email that does not comply with SPF and DKIM rules
pct=100: Reject 100% of emails that break the rules. You can have this 50/50 if you like, but the email will probably go to junk mail.
rua=mailto:[email protected]: Report to postmaster email
v: Protocol version (example: v=DMARC1)
pct: Percentage of messages subjected to filtering (example: pct=20)
ruf: Reporting URI for forensic reports (example: ruf=mailto:[email protected])
rua: Reporting URI for aggregate reports (example: rua=mailto:[email protected])
p: Policy for the organizational domain (example: p=quarantine)
sp: Policy for subdomains of the organizational domain (example: sp=reject)
adkim: Alignment mode for DKIM (example: adkim=s)
aspf: Alignment mode for SPF (example: aspf=r)
More advanced example, SPF relaxed + DKIM strict:
v=DMARC1; p=quarantine; sp=reject; adkim=s; rua=mailto:[email protected]; ruf=mailto:[email protected]; pct=100; fo=0:1:d:s;
Created with powerdmarc.com.