DMARC (Domain-based Message Authentication, Reporting and Conformance) is an email authentication protocol that works alongside SPF and DKIM to prevent attackers from sending emails that appear to come from your domain.

Stop attackers from impersonating your staff to scam customers or bypass security controls.
Without a DMARC record, anyone can send an email that looks like it comes from your business. That means phishing emails to your clients, fake invoices to your suppliers, and password reset scams targeting your staff.

Authenticated email is also more likely to pass spam filters and land directly in the inbox.
Setting up DMARC is one of the most impactful security steps a business can take, and it costs nothing. It is also a requirement under the Cyber Essentials certification scheme and recommended by the National Cyber Security Centre (NCSC).
Steps
Type your domain name (for example, yourbusiness.co.uk). The tool generates the correct DNS hostname automatically.
Start with "None" to monitor email without blocking anything. Once you are confident your legitimate email is passing checks, move to "Quarantine" and then "Reject."
Use Advanced Mode to set subdomain policies, alignment modes, and reporting addresses for aggregate and forensic failure reports.
Copy the generated TXT record value and add it to your domain's DNS settings. Your DNS provider's documentation will show you exactly where to paste it.
Enter your domain name without “www” or “https.” For example, if your website is www.yourbusiness.co.uk, enter yourbusiness.co.uk. The tool automatically generates the DNS hostname _dmarc.yourbusiness.co.uk where the record needs to be added.
Easy Mode shows just the two most important settings. This is all most businesses need to get started.
The policy (p) is the most important setting. It tells receiving email providers what to do when a message fails authentication checks.
None: Monitor only. No emails are blocked. Start here to observe traffic.
Quarantine: Failed messages go to the recipient's spam folder.
Reject: Failed messages are blocked entirely. This is your end goal.
The percentage (pct) controls what share of failing messages the policy applies to. Start at 100% with the "None" policy. When moving to "Quarantine" or "Reject," you can lower it to 10% or 25% first to test.
Toggle to Advanced Mode for additional options. These are not required for basic setup but give you finer control.
Subdomain policy (sp): Sets a separate policy for your subdomains (for example, mail.yourbusiness.co.uk or marketing.yourbusiness.co.uk). If you do not set this, subdomains inherit the main policy. Attackers frequently target subdomains because they are often overlooked. Options are the same as the main policy: None, Quarantine, or Reject.
SPF alignment (aspf): Controls how strictly the "envelope from" domain must match the "header from" domain when checking SPF:
Relaxed (r): The domains only need to share the same base domain. For example, mail.yourbusiness.co.uk matches yourbusiness.co.uk. This is the recommended setting for most businesses.
Strict (s): The domains must match exactly. Use this only if you have a simple email setup with no subdomains sending mail.
DKIM alignment (adkim): Controls how strictly the DKIM signature domain must match the "header from" domain:
Relaxed (r): The base domain must match. This works with most email providers and marketing platforms.
Strict (s): The domains must match exactly. Only recommended for advanced deployments where you control all signing domains.
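The alignment rules above, worked through as an added example (this is not the generator tool's code): SPF and DKIM each yield a domain, and DMARC passes only if one of them authenticates and aligns with the visible From domain under the chosen mode. Real validators look up the organisational domain in the Public Suffix List; here a small constructed set of two-label suffixes stands in for it, which is an assumption of the example.

```python
# Added example (not part of the generator tool): evaluate DMARC identifier
# alignment for SPF and DKIM under relaxed ("r") and strict ("s") modes.
# Organisational-domain lookup is simplified: real validators consult the
# Public Suffix List; a small constructed set of two-label suffixes stands in.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "com.au"}  # constructed subset


def organisational_domain(domain: str) -> str:
    """Registrable base domain, e.g. mail.yourbusiness.co.uk -> yourbusiness.co.uk."""
    labels = domain.lower().rstrip(".").split(".")
    suffix_labels = 2 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 1
    keep = suffix_labels + 1
    return ".".join(labels[-keep:])


def aligned(header_from: str, auth_domain: str, mode: str) -> bool:
    """Does the SPF or DKIM domain align with the visible From domain under mode?"""
    header_from, auth_domain = header_from.lower(), auth_domain.lower()
    if mode == "s":  # strict: exact match only
        return header_from == auth_domain
    if mode == "r":  # relaxed: same organisational (base) domain
        return organisational_domain(header_from) == organisational_domain(auth_domain)
    raise ValueError("alignment mode must be 'r' or 's'")


def dmarc_passes(header_from: str, *, spf_domain: str = "", spf_pass: bool = False,
                 dkim_domain: str = "", dkim_pass: bool = False,
                 aspf: str = "r", adkim: str = "r") -> bool:
    """DMARC passes when at least one identifier both authenticates and aligns."""
    spf_ok = spf_pass and bool(spf_domain) and aligned(header_from, spf_domain, aspf)
    dkim_ok = dkim_pass and bool(dkim_domain) and aligned(header_from, dkim_domain, adkim)
    return spf_ok or dkim_ok
```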
Aggregate reports (rua): Enter an email address to receive daily aggregate reports. These reports show a summary of all email sent from your domain, including which messages passed or failed SPF, DKIM, and DMARC checks. This is essential data for understanding your email ecosystem. Use a dedicated mailbox for this, for example dmarc-reports@yourbusiness.co.uk.
Forensic reports (ruf): Enter an email address to receive detailed reports on individual authentication failures. Not all email providers send these, but where available, they help investigate specific spoofing incidents. This can be the same as or different from the aggregate report address.
Failure reporting options (fo): Controls which types of failures generate forensic reports:
0 (default): Generate a report only when both SPF and DKIM fail. This is the least noisy option.
1: Generate a report when either SPF or DKIM fails. More reports, but gives you better visibility during the monitoring phase.
d: Generate a report only when DKIM fails, regardless of SPF.
s: Generate a report only when SPF fails, regardless of DKIM.
Report interval (ri): How often (in seconds) you want aggregate reports. The default is 86400 (24 hours). You generally do not need to change this, but you can set it to 43200 (12 hours) if you want more frequent reporting during initial setup.
The tool generates two values:
This is the DNS record name where you add the record. It always follows the format _dmarc.yourdomain.com.
This is the TXT record value to paste into your DNS. It starts with v=DMARC1 and includes all the tags you have configured. Use the copy buttons to copy each value individually.
None (p=none): No emails are blocked. Use this when you first set up DMARC so you can see who is sending email from your domain without disrupting legitimate services.
Recommended for initial setup.
Quarantine (p=quarantine): Messages that fail authentication checks are marked as suspicious and typically delivered to the recipient's junk folder.
Intermediate-level protection.
Reject (p=reject): Messages that fail authentication are blocked entirely. This ensures only authorized emails reach your recipients.
Ensure SPF and DKIM are fully configured first.
Important: Only enable p=reject once you are confident that all your legitimate email services (Microsoft 365, Google Workspace, marketing tools, etc.) are properly configured with SPF and DKIM to prevent valid emails from being blocked.
Domain: Enter your domain without the www or _dmarc prefix. Your TXT record will be placed at _dmarc.yourdomain.com.
Policy (p): Start with "none" to monitor without affecting email delivery. Move to "quarantine" then "reject" once you are confident.
Percentage (pct): The percentage of messages the DMARC policy applies to.
Subdomain policy (sp): Overrides the main policy for subdomains.
SPF alignment (aspf): Controls how strictly SPF checks match your domain.
DKIM alignment (adkim): Controls how strictly DKIM signatures are checked.
Aggregate reports (rua): Daily summary reports. Must start with mailto:
Forensic reports (ruf): Detailed failure reports. Must start with mailto:
Failure options (fo): Controls when forensic failure reports are generated.
Report interval (ri): Default is 86400 (24 hours).
Add this as a TXT record in your domain's DNS settings. The hostname should be _dmarc (some DNS providers add the domain automatically). The value is the generated record above.
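As an added example (not the tool's own code), here is how the hostname and TXT value described above can be assembled from the settings in the field reference, with the same validation the tool applies (policy values, pct range, alignment modes, fo values, mailto: prefixes). The DmarcSettings class and its field names are this example's own; tags still at their default are left out because receivers assume them.

```python
# Added example (not the tool's own code): build the DMARC hostname and TXT value
# from the settings described above, validating each tag before it is emitted.
from dataclasses import dataclass, field

POLICIES = ("none", "quarantine", "reject")
FO_VALUES = ("0", "1", "d", "s")


@dataclass
class DmarcSettings:
    domain: str
    policy: str = "none"                 # p
    pct: int = 100
    subdomain_policy: str = ""           # sp ("" = inherit p)
    aspf: str = "r"
    adkim: str = "r"
    rua: list[str] = field(default_factory=list)  # aggregate report addresses
    ruf: list[str] = field(default_factory=list)  # forensic report addresses
    fo: str = "0"
    ri: int = 86400


def dmarc_hostname(domain: str) -> str:
    """Record name: _dmarc. in front of the bare domain (a leading www. is dropped)."""
    bare = domain.strip().lower().rstrip(".")
    if bare.startswith("www."):
        bare = bare[4:]
    return f"_dmarc.{bare}"


def dmarc_record(s: DmarcSettings) -> str:
    """Return the TXT value; raise ValueError for any setting the tool would refuse."""
    if s.policy not in POLICIES or s.subdomain_policy not in ("", *POLICIES):
        raise ValueError(f"p and sp must be one of {POLICIES}")
    if not 0 <= s.pct <= 100:
        raise ValueError("pct must be between 0 and 100")
    if s.aspf not in ("r", "s") or s.adkim not in ("r", "s"):
        raise ValueError("aspf/adkim must be 'r' (relaxed) or 's' (strict)")
    if s.fo not in FO_VALUES:
        raise ValueError(f"fo must be one of {FO_VALUES}")
    for addr in s.rua + s.ruf:
        if not addr.startswith("mailto:"):
            raise ValueError(f"report address must start with mailto: ({addr})")
    # Fixed tag order; tags still at their default are omitted because receivers
    # assume them (pct=100, relaxed alignment, fo=0, ri=86400, no sp = inherit p).
    optional = [("sp", s.subdomain_policy, ""), ("pct", s.pct, 100),
                ("adkim", s.adkim, "r"), ("aspf", s.aspf, "r"),
                ("rua", ",".join(s.rua), ""), ("ruf", ",".join(s.ruf), ""),
                ("fo", s.fo, "0"), ("ri", s.ri, 86400)]
    tags = [("v", "DMARC1"), ("p", s.policy)] + [(k, str(v)) for k, v, d in optional if v != d]
    return "; ".join(f"{k}={v}" for k, v in tags)
```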
Your record is generated entirely in your browser. Nothing is stored or sent to any server.
DMARC reports give you visibility into who is sending email from your domain. Without them, you are flying blind.
Aggregate reports (rua): Sent daily, these show a summary of all email traffic from your domain, including which messages passed and failed authentication. These are essential for understanding your email ecosystem before tightening your DMARC policy.
Forensic reports (ruf): Provide detailed information about individual authentication failures. Not all email providers support these, but where available, they help you investigate specific incidents in detail.
Several free services can receive and visualise these reports for you, including Postmark DMARC, DMARC Analyzer, and Google Postmaster Tools.
The number one mistake: if you set your policy to "reject" before confirming all your legitimate email services are authenticated, you will block your own emails. Always start with "none."
Marketing platforms, CRM systems, invoicing tools, and other services that send email on your behalf all need to be included in your SPF record and configured with DKIM before you tighten your DMARC policy.
Without aggregate reports, you cannot see what is happening. You need visibility before you can make informed decisions about your policy.
If you do not set a subdomain policy (sp), your subdomains inherit the main policy. Attackers often target subdomains because they are frequently overlooked.
If you set the percentage to 10% during testing and forget to increase it, 90% of the messages that fail authentication are not subject to your policy.
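An added example (not from the page's tool) that parses an existing DMARC TXT value and flags the mistakes listed above: a missing rua address, report addresses without the mailto: prefix, a pct left below 100 while quarantining or rejecting, and a missing sp tag. Whether p=reject is premature cannot be judged from the record alone, so that is left to the aggregate reports; the function names are this example's own.

```python
# Added example (not from the page's tool): parse a DMARC TXT value and report
# the common mistakes listed above. The tag dictionary keeps raw string values.
def parse_dmarc(txt: str) -> dict[str, str]:
    """Split 'v=DMARC1; p=none; rua=...' into a tag dictionary (tag names lower-cased)."""
    tags: dict[str, str] = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def lint_dmarc(txt: str) -> list[str]:
    """Return human-readable findings; an empty list means no common mistake was seen."""
    findings: list[str] = []
    tags = parse_dmarc(txt)
    if not txt.strip().lower().startswith("v=dmarc1"):
        findings.append("record must begin with v=DMARC1")
    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        findings.append("p is missing or invalid; receivers will ignore the record")
    if "rua" not in tags:
        findings.append("no rua address: without aggregate reports you are flying blind")
    for tag in ("rua", "ruf"):
        for addr in tags.get(tag, "").split(","):
            if addr and not addr.startswith("mailto:"):
                findings.append(f"{tag} address {addr!r} must start with mailto:")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or not 0 <= int(pct) <= 100:
        findings.append("pct must be a number between 0 and 100")
    elif int(pct) < 100 and policy in ("quarantine", "reject"):
        findings.append(f"pct={pct}: {100 - int(pct)}% of failing messages escape the {policy} policy")
    if "sp" not in tags:
        findings.append(f"no sp tag: subdomains inherit p={policy}; confirm that is intended")
    return findings
```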
DMARC is just one component of a proper email security setup. SPF, DKIM, and DMARC need to work together, and they need to be configured correctly for every service that sends email on your behalf. If you are not sure where to start, we can help.
Call us: 0800 208 8456 | Email: hello@cyberkaizen.co.uk