All how-to guides
How-to~10 min

How to set up a DMARC policy

Last reviewed June 13, 2026

DMARC ties SPF and DKIM to the visible From address and tells receivers what to do when authentication fails. The 2024 bulk-sender rules from Google/Yahoo/Microsoft require DMARC at p=none minimum (p=quarantine strongly recommended) for senders above 5,000/day to consumer addresses.

Setup is one DNS record but the ramp-up matters: start at p=none for 4-6 weeks to monitor, then move to p=quarantine, then p=reject. This guide walks the ramp.

Before you start

  • SPF record published and passing for your domain
  • DKIM signing enabled and passing for your domain
  • DNS edit access
  • Email address to receive DMARC aggregate reports (or a DMARC reporting tool like Postmark DMARC, dmarcian, Valimail)

Step-by-step

  1. 1

    Compose the DMARC record

    DMARC is a TXT record at _dmarc.yourdomain.com. Start with monitor-only: v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com; pct=100; aspf=r; adkim=r

  2. 2

    Publish the DNS TXT record

    In your DNS provider, create the TXT record at _dmarc.yourdomain.com (note the underscore prefix). TTL 3600 is fine.

  3. 3

    Receive and review aggregate reports

    Within 24 hours, you'll start receiving daily XML aggregate reports at the rua= address. The reports show every IP and domain claiming to send as you, with SPF/DKIM/DMARC pass/fail counts. Tools like Postmark, dmarcian, EasyDMARC parse these reports readably.

  4. 4

    Identify all legitimate senders

    After 1-2 weeks of reports, you should see every legitimate sending source. If a known sender shows 'fail', add to SPF or enable DKIM for it. If an unknown source appears, investigate (could be spoofing or a forgotten SaaS sender).

  5. 5

    Move to p=quarantine

    After 4-6 weeks of clean reports with all legitimate senders aligned, change the policy to p=quarantine. This tells receivers to mark unauthorised mail as spam instead of rejecting it.

  6. 6

    Move to p=reject

    After 4-6 weeks of clean quarantine reports, change to p=reject. Unauthorised mail will now be rejected at the receiver. This is the strongest anti-spoofing posture.

Set up tracking in 2 minutes instead of 20.

Outsolvi installs as a native Outlook add-in or Gmail Chrome extension. Confidence-scored opens, AI follow-up alerts, native Outlook and Gmail tracking. From $7/mo, 14-day free trial.

Try Outsolvi free$7/mo yearly · 14-day trial · no credit card

Troubleshooting

Aggregate reports not arriving

Check the rua= address can receive mail (some receivers won't send to noreply@ addresses). Check spam folder. Use a dedicated tool (Postmark DMARC Monitoring) rather than parsing XML manually.

Legitimate sender shows 'fail' in DMARC reports

Either SPF doesn't authorise the sending IP or DKIM isn't aligned. Check both. For shared-IP senders (Google Workspace outbound pool), DKIM alignment is the cleaner fix.

Reports show many failures from unknown sources

Could be spoofing attempts (no action needed; DMARC will catch them) or forgotten legitimate sources (old SaaS subscriptions, contractors). Investigate before tightening policy.

Frequently asked

Should I start with p=reject immediately?

No. Always start with p=none for monitoring. Going straight to p=reject can block legitimate sources you didn't know were sending. The 4-6 week monitoring window catches surprises.

What's the pct= tag?

Sample percentage, pct=10 means apply the policy to 10% of unauthorised mail; rest gets the relaxed default. Useful for gradual rollouts.

Does Outsolvi affect DMARC?

No. Outsolvi doesn't send mail on your behalf. Your DMARC policy applies to your sending platform (Google Workspace, Microsoft 365, etc.), not to Outsolvi tracking.

Nate SummersCo-Founder, Outsolvi

Nate built Outsolvi after watching every email-tracking tool he had ever used lie to him about opens. Outsolvi runs Tier 1 to 5 confidence scoring on every open, native in Outlook and Gmail, so the number on the dashboard is one a rep can actually act on.

Last reviewed June 13, 2026Editorially independent

We update these pages when the underlying mechanics change. new mailbox-provider rules, new tracker behavior, new measurement gaps. The dates above are real revisions, not auto-touches.