Initial Setup
Everything you need to publish a correct DMARC record: the DNS record format, the tags that matter, SPF and DKIM prerequisites, and where to put the record at common DNS providers.
The DMARC DNS Record
DMARC is configured with a single TXT record published at the _dmarc subdomain of your sending domain:
- Record name:
_dmarc.example.com(most DNS providers only need_dmarcin the host field) - Record type: TXT
- Example value:
v=DMARC1; p=none; rua=mailto:example.com@reports.dmarcsimple.com
Two rules to remember: the record must start with v=DMARC1, and there can be only one DMARC record per domain. Receiving servers treat multiple records at _dmarc as no record at all.
DMARC Tags Explained
The record is a list of tag=value pairs separated by semicolons. The ones you will actually use:
v=DMARC1- protocol version, required and always firstp=- policy for failing mail:none(monitor),quarantine(spam folder), orreject(block)rua=- mailto address for aggregate reports; use the address DMARCsimple provides for your domainsp=- optional separate policy for subdomains; if omitted, subdomains inheritp=pct=- percentage of failing mail the policy applies to (default 100); useful for gradual rolloutadkim=andaspf=- alignment mode for DKIM and SPF:r(relaxed, the default, allows subdomain matches) ors(strict, exact match)
For initial setup, v, p=none, and rua are all you need. Leave alignment at the relaxed default until your reports tell you otherwise.
Prerequisite: SPF
DMARC evaluates the SPF and DKIM results of each message, so both should be in place before you expect clean reports. For SPF:
- Publish a TXT record at your domain root, e.g.
v=spf1 include:_spf.google.com -all - Include every service that sends mail as your domain: mail server, marketing platform, CRM, helpdesk, transactional sender
- Stay under the 10 DNS lookup limit - too many
includemechanisms cause SPF to permanently fail - Keep exactly one SPF record per domain
You do not need perfect SPF before publishing DMARC at p=none - in fact, DMARC reports are the best tool for finding SPF gaps. See our SPF alignment guide for syntax details.
Prerequisite: DKIM
DKIM is the more reliable path to DMARC alignment, so enable it for every sending service:
- Generate keys in each service (Google Workspace: Admin Console under Gmail authentication; Microsoft 365: Defender portal DKIM settings)
- Publish the public key DNS records the service gives you - usually TXT or CNAME records at
selector._domainkey.example.com - For third-party senders (Mailchimp, SendGrid, etc.), complete their domain authentication so they sign with your domain, not theirs
A service that signs with its own domain will pass DKIM but fail DKIM alignment, which matters for DMARC. Details in our DKIM setup guide.
Adding the Record at Common DNS Providers
The steps are nearly identical everywhere - add a TXT record with host _dmarc and paste the value from DMARCsimple:
- Cloudflare: DNS > Records > Add record > Type TXT, Name
_dmarc, paste the content, Save. Proxy status does not apply to TXT records. - GoDaddy: Domain > DNS > Add New Record > Type TXT, Name
_dmarc, Value is the record string. - Namecheap: Domain List > Manage > Advanced DNS > Add New Record > TXT Record, Host
_dmarc. - Amazon Route 53: Hosted zone > Create record > Name
_dmarc, Type TXT, paste the value in quotes. - cPanel hosting: Zone Editor > Add Record > TXT, Name
_dmarc.example.com.(note the trailing dot some editors require).
If your DNS provider manages the host field automatically, double-check the final record name resolves as _dmarc.example.com - not _dmarc.example.com.example.com.
Verifying Your Setup
After publishing:
- Use the verify check in DMARCsimple to confirm the record resolves and the
ruaaddress is correct - Allow time for DNS propagation - usually minutes, occasionally up to 48 hours
- Expect first aggregate reports within 24 to 48 hours of a successful publish
Ready for what comes next? See Reading Reports to interpret your first data, or Troubleshooting if verification fails.