Getting Started with DMARC
A beginner-friendly introduction to DMARC and how to set up monitoring with DMARCWatch.
What Is DMARC?
DMARC stands for Domain-based Message Authentication, Reporting, and Conformance. It is an email authentication protocol that builds on two existing mechanisms — SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) — to give domain owners control over what happens when an email fails authentication checks.
In practical terms, DMARC lets you publish a DNS record that tells receiving mail servers: "Here is how to verify that messages claiming to come from my domain are legitimate, and here is what to do if they are not."
Why DMARC Matters
Without DMARC, anyone can send email that appears to come from your domain. This is called email spoofing, and it is the foundation of most phishing attacks. DMARC protects your organisation in three important ways:
- Prevents brand abuse. Attackers cannot impersonate your domain to trick your customers, partners, or employees.
- Improves deliverability. Mailbox providers like Google and Microsoft give preferential treatment to domains with properly configured authentication. A strong DMARC policy signals that your domain is trustworthy.
- Provides visibility. DMARC aggregate reports show you every IP address that is sending email on behalf of your domain, so you can identify unauthorised senders and misconfigured services.
How DMARCWatch Helps
DMARC aggregate reports arrive as machine-readable XML files, often compressed, and they can be difficult to interpret on their own. DMARCWatch receives these reports, parses them, and presents the data in a clear dashboard so you can:
- See which IP addresses are sending mail as your domain.
- Monitor SPF and DKIM pass rates over time.
- Identify unauthorised senders quickly.
- Gain the confidence you need to move from a monitoring policy to a strict enforcement policy.
Step-by-Step: Setting Up Your First Domain
Step 1: Create Your DMARCWatch Account
Sign up at DMARCWatch and add your first domain from the dashboard. DMARCWatch will provide you with a unique reporting address in the format your-token@agg.dmarcwatch.io. This is the address that will receive your DMARC aggregate reports.
Step 2: Publish a DMARC DNS Record
Log into the DNS management console for your domain (your registrar or hosting provider) and create a new TXT record with the following details:
- Host / Name: _dmarc
- Type: TXT
- Value: Your DMARC policy string (see below)
Here is a recommended starting record that enables monitoring without affecting mail delivery:
v=DMARC1; p=none; rua=mailto:your-token@agg.dmarcwatch.io; fo=1;
Let's break down each tag:
- v=DMARC1 — Identifies this as a DMARC record. This tag is required and must be first.
- p=none — The policy. none means "take no action on failing messages; just send me reports." This is the correct starting point.
- rua=mailto:your-token@agg.dmarcwatch.io — The address where aggregate reports should be sent. Replace this with the address DMARCWatch assigns to your domain.
- fo=1 — Failure reporting option. The value 1 requests reports when either SPF or DKIM fails, giving you maximum visibility.
Step 3: Verify DNS Propagation
DNS changes can take anywhere from a few minutes to 48 hours to propagate. You can verify your record is live by running the following command in a terminal:
dig TXT _dmarc.yourdomain.com +short
You should see your DMARC policy string in the output. DMARCWatch also provides a DNS verification check in the dashboard to confirm your record is correctly configured.
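To go one step past eyeballing the dig output, the added example below (not DMARCWatch code) checks a TXT answer against the tag rules described in Step 2. The function name check_dmarc, the token abc123 and the sample strings are assumptions constructed for illustration.

```python
import re

POLICIES = {"none", "quarantine", "reject"}

def check_dmarc(txt_answer):
    """Return (tags, problems) for one TXT answer as printed by `dig +short`."""
    # dig prints TXT data as one or more quoted chunks; long records are split.
    chunks = re.findall(r'"([^"]*)"', txt_answer)
    record = "".join(chunks) if chunks else txt_answer.strip()
    pairs = [p.strip() for p in record.split(";") if p.strip()]
    tags, problems = {}, []
    for pair in pairs:
        name, sep, value = pair.partition("=")
        if not sep:
            problems.append(f"malformed tag {pair!r}")
            continue
        name = name.strip().lower()
        if name in tags:
            problems.append(f"duplicate tag {name}")
        tags[name] = value.strip()
    if not pairs or pairs[0].replace(" ", "") != "v=DMARC1":
        problems.append("v=DMARC1 must be the first tag")
    if tags.get("p", "").lower() not in POLICIES:
        problems.append("p must be none, quarantine or reject")
    rua = [u.strip() for u in tags.get("rua", "").split(",") if u.strip()]
    if not rua:
        problems.append("no rua address: no aggregate reports will be sent")
    for uri in rua:
        if not uri.lower().startswith("mailto:") or "@" not in uri:
            problems.append(f"rua entry is not a mailto: URI: {uri}")
        elif "your-token@" in uri:
            problems.append("rua still contains the placeholder your-token")
    return tags, problems

# Constructed samples, shaped like `dig TXT _dmarc.yourdomain.com +short` output.
GOOD = '"v=DMARC1; p=none; rua=mailto:abc123@agg.dmarcwatch.io; fo=1;"'
SPLIT = '"v=DMARC1; p=none; rua=mailto:abc123@agg." "dmarcwatch.io; fo=1;"'
BAD = '"p=monitor; v=DMARC1; rua=your-token@agg.dmarcwatch.io"'

if __name__ == "__main__":
    for sample in (GOOD, SPLIT, BAD):
        tags, problems = check_dmarc(sample)
        print(tags.get("p"), problems or "ok")
```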
Step 4: Wait for Reports
Aggregate reports are generated by receiving mail servers and are typically sent once every 24 hours. After publishing your DMARC record, you should start seeing reports in DMARCWatch within 24 to 72 hours, depending on your email volume and which providers your recipients use. Google and Microsoft are usually the fastest reporters.
Step 5: Analyse and Take Action
Once reports begin arriving, review them in your DMARCWatch dashboard. Look for:
- Legitimate senders failing authentication. These might be third-party services (marketing platforms, CRM tools, transactional email providers) that send on your behalf but are not yet configured with proper SPF or DKIM. Update their DNS records before tightening your policy.
- Unknown sources. IP addresses you do not recognise sending as your domain are likely unauthorised. DMARC enforcement will block these.
When you are confident that all legitimate senders pass authentication, you can begin moving your policy from p=none to p=quarantine and eventually to p=reject. See our DMARC Policy Guide for a detailed progression strategy.
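The triage described in Step 5, written out as an added example (not DMARCWatch code): it totals an aggregate report per source IP and separates known senders that fail from unknown sources. The sample report, the KNOWN_SENDERS inventory and the status labels are constructed assumptions.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in the RFC 7489 aggregate-report layout (documentation
# IP ranges and example.com); real reports usually arrive gzip- or zip-compressed.
SAMPLE = """<feedback>
 <policy_published><domain>example.com</domain><p>none</p></policy_published>
 <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
  <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
 <record><row><source_ip>192.0.2.10</source_ip><count>5</count>
  <policy_evaluated><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row></record>
 <record><row><source_ip>198.51.100.7</source_ip><count>40</count>
  <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
 <record><row><source_ip>203.0.113.55</source_ip><count>9</count>
  <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>"""

# Assumption: IPs you already know send on your behalf (e.g. a marketing platform).
KNOWN_SENDERS = {"192.0.2.10", "198.51.100.7"}

def triage(xml_text, known=KNOWN_SENDERS):
    """Return {source_ip: (status, messages, dmarc_passes)} for one report."""
    # Reports are untrusted input from third parties; a hardened XML parser
    # (for example defusedxml) is the safer choice outside a demo.
    totals = defaultdict(lambda: [0, 0])
    for row in ET.fromstring(xml_text).iter("row"):
        count = int(row.findtext("count", "0"))
        dkim = row.findtext("policy_evaluated/dkim")
        spf = row.findtext("policy_evaluated/spf")
        totals[row.findtext("source_ip")][0] += count
        # policy_evaluated holds the aligned results; DMARC passes if either passes.
        if "pass" in (dkim, spf):
            totals[row.findtext("source_ip")][1] += count
    result = {}
    for ip, (seen, passed) in totals.items():
        if passed == seen:
            status = "ok"
        elif ip in known:
            status = "fix-sender"      # legitimate service, SPF/DKIM not aligned yet
        else:
            status = "unknown-source"  # not in your inventory and failing
        result[ip] = (status, seen, passed)
    return result

if __name__ == "__main__":
    for ip, info in triage(SAMPLE).items():
        print(ip, *info)
```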
What Comes Next
Setting up DMARC is the first step toward a fully protected domain. To deepen your understanding, we recommend reading these companion guides:
- Email Authentication 101 — How SPF, DKIM, and DMARC work together.
- Understanding SPF Records — How to build and optimise your SPF record.
- DKIM Explained — How DKIM signing and verification work.
- Reading Aggregate Reports — How to interpret the data DMARCWatch shows you.