How to set up a DMARC policy
DMARC ties SPF and DKIM to the visible From address and tells receivers what to do when authentication fails. The 2024 bulk-sender rules from Google/Yahoo/Microsoft require DMARC at p=none minimum (p=quarantine strongly recommended) for senders above 5,000/day to consumer addresses.
Setup is one DNS record but the ramp-up matters: start at p=none for 4-6 weeks to monitor, then move to p=quarantine, then p=reject. This guide walks the ramp.
Before you start
- SPF record published and passing for your domain
- DKIM signing enabled and passing for your domain
- DNS edit access
- Email address to receive DMARC aggregate reports (or a DMARC reporting tool like Postmark DMARC, dmarcian, Valimail)
Step-by-step
- 1
Compose the DMARC record
DMARC is a TXT record at _dmarc.yourdomain.com. Start with monitor-only: v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com; pct=100; aspf=r; adkim=r
- 2
Publish the DNS TXT record
In your DNS provider, create the TXT record at _dmarc.yourdomain.com (note the underscore prefix). TTL 3600 is fine.
- 3
Receive and review aggregate reports
Within 24 hours, you'll start receiving daily XML aggregate reports at the rua= address. The reports show every IP and domain claiming to send as you, with SPF/DKIM/DMARC pass/fail counts. Tools like Postmark, dmarcian, EasyDMARC parse these reports readably.
- 4
Identify all legitimate senders
After 1-2 weeks of reports, you should see every legitimate sending source. If a known sender shows 'fail', add to SPF or enable DKIM for it. If an unknown source appears, investigate (could be spoofing or a forgotten SaaS sender).
- 5
Move to p=quarantine
After 4-6 weeks of clean reports with all legitimate senders aligned, change the policy to p=quarantine. This tells receivers to mark unauthorised mail as spam instead of rejecting it.
- 6
Move to p=reject
After 4-6 weeks of clean quarantine reports, change to p=reject. Unauthorised mail will now be rejected at the receiver. This is the strongest anti-spoofing posture.
Set up tracking in 2 minutes instead of 20.
Outsolvi installs as a native Outlook add-in or Gmail Chrome extension. Confidence-scored opens, AI follow-up alerts, native Outlook and Gmail tracking. From $7/mo, 14-day free trial.
Troubleshooting
Aggregate reports not arriving
Check the rua= address can receive mail (some receivers won't send to noreply@ addresses). Check spam folder. Use a dedicated tool (Postmark DMARC Monitoring) rather than parsing XML manually.
Legitimate sender shows 'fail' in DMARC reports
Either SPF doesn't authorise the sending IP or DKIM isn't aligned. Check both. For shared-IP senders (Google Workspace outbound pool), DKIM alignment is the cleaner fix.
Reports show many failures from unknown sources
Could be spoofing attempts (no action needed; DMARC will catch them) or forgotten legitimate sources (old SaaS subscriptions, contractors). Investigate before tightening policy.
Frequently asked
Should I start with p=reject immediately?
No. Always start with p=none for monitoring. Going straight to p=reject can block legitimate sources you didn't know were sending. The 4-6 week monitoring window catches surprises.
What's the pct= tag?
Sample percentage, pct=10 means apply the policy to 10% of unauthorised mail; rest gets the relaxed default. Useful for gradual rollouts.
Does Outsolvi affect DMARC?
No. Outsolvi doesn't send mail on your behalf. Your DMARC policy applies to your sending platform (Google Workspace, Microsoft 365, etc.), not to Outsolvi tracking.
Related reading
More on email tracking
Glossary terms, comparisons, and feature deep-dives related to this guide.
Nate built Outsolvi after watching every email-tracking tool he had ever used lie to him about opens. Outsolvi runs Tier 1 to 5 confidence scoring on every open, native in Outlook and Gmail, so the number on the dashboard is one a rep can actually act on.
We update these pages when the underlying mechanics change. new mailbox-provider rules, new tracker behavior, new measurement gaps. The dates above are real revisions, not auto-touches.