Set up a DMARC policy

We recommend implementing a DMARC policy to protect your users from spoofed and phishing emails.

Spammers can forge a "From" address that appears to come from your domain, hurting your brand and sending reputation. DMARC policies combat this by giving domain owners more control over what inbox providers do with spoofed/unauthorised emails from their domain.

Setting up up a DMARC policy

  1. Designate an email address where you'd like to receive DMARC daily reports (for example "")

  2. Contact your company's Domain Name System (DNS) administrator and ask them to create a TXT record in DNS for your DMARC record.

  3. Use the following syntax in the DMARC TXT record. Host name: (or just _dmarc, depending on your hosting company requirements. Points to/Value: (example) v=DMARC1; p=none; pct=100;


What does that syntax mean?

Specifying p=none means, "Take no action. Log affected messages on the daily report only." Learn more about these settings in Return Path's DMARC article.

  1. Make sure your domain DNS has a valid SPF and DKIM records, as well as an A record, Mail Exchange (MX) record, or AAAA record.

  2. Monitor your domain DMARC reports for at least 30 days with policy=none. This helps you ensure that your legitimate email is authenticating correctly before you decide to implement a reject (p=reject) or quarantine (p=quarantine) policy. Don't forget to update DMARC records with a designated email address after implementing a reject or quarantine policy.

What to include in your DMARC report

Your DMARC report should include:

  • IP Information (the IP address that sent the email)
  • Time when the message was received by the ISP
  • Authentication results for SPF, DKIM, and DMARC
  • ISP (The ISP that received the message and is sending the forensic report)
  • Subject
  • URLs (if present in the sent email)
  • Message ID
  • Delivery Result (Whether the message was rejected, quarantined, or delivered)
  • From address
  • Mail From address
  • DKIM From address if the message was signed with DKIM


Reports may vary

Different ISPs format their report uniquely. Not every report will include all of the above details.

For more details on DMARC, refer to or Google's Help Center.