No DMARC Record Found
Your domain has no DMARC record, which means anyone on the internet can send emails pretending to be from your domain. Here's what DMARC is and how to set it up step by step.
What is DMARC?
DMARC (Domain-based Message Authentication, Reporting and Conformance) is an email authentication protocol that protects your domain from being spoofed. It builds on two existing technologies — SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) — and adds two critical capabilities:
Policy enforcement
DMARC tells receiving mail servers exactly what to do when an email fails authentication: deliver it normally (none), send it to spam (quarantine), or block it entirely (reject).
Reporting and visibility
DMARC sends you daily reports showing every server that sent email using your domain, whether they passed or failed authentication, and how many messages were affected.
DMARC is published as a DNS TXT record at _dmarc.yourdomain.com.
When a receiving server gets an email from your domain, it looks up this record
to determine how to handle authentication failures.
Security risks without DMARC
Without a DMARC record, your domain is vulnerable to several types of abuse:
Phishing attacks
Attackers can send emails that appear to come from your domain (e.g., [email protected]) to trick recipients into revealing passwords, financial information, or installing malware.
Business email compromise
Attackers impersonate executives or vendors by spoofing your domain, requesting wire transfers, changing payment details, or sending fraudulent invoices to your partners and customers.
Domain reputation damage
When your domain is used for spam and phishing, email providers start flagging it as suspicious. This damages your domain's reputation and causes your legitimate emails to land in spam.
Deliverability problems
Google, Yahoo, and Microsoft now require DMARC for bulk email senders. Without it, your legitimate marketing emails, transactional messages, and notifications are more likely to be filtered or rejected.
Prerequisites: SPF and DKIM
DMARC builds on SPF and DKIM. For DMARC to work effectively, you should have at least one (ideally both) configured before deploying DMARC:
SPF (Sender Policy Framework)
SPF specifies which mail servers are authorized to send email on behalf of your domain. It's a DNS TXT record that lists approved IP addresses and includes.
v=spf1 include:_spf.google.com -all
DKIM (DomainKeys Identified Mail)
DKIM adds a cryptographic signature to outgoing emails, proving they haven't been tampered with in transit. It uses a public key published in DNS and a private key on your mail server.
selector._domainkey.example.com TXT "v=DKIM1; k=rsa; p=MIGf..."
Create your first DMARC record
Follow these steps to create and publish your first DMARC record. Always start
with a monitoring-only policy (p=none) to collect data before enforcing.
Verify SPF and/or DKIM are configured
Before adding DMARC, make sure you have at least SPF configured for your domain. Check your DNS for an SPF TXT record on your root domain, and DKIM records if applicable. Learn how to set up SPF or learn how to set up DKIM.
Choose a reporting address
Decide where DMARC aggregate reports should be sent. This can be a dedicated email address (e.g., [email protected]) or a third-party DMARC reporting service. Reports are sent as XML files, so using a reporting service that parses them is recommended.
Create the DMARC record value
Start with this record, replacing the email address with your own:
v=DMARC1; p=none; rua=mailto:[email protected]
This tells receivers: "Don't take any action on failing emails, but send me daily reports about all email from my domain."
Add a TXT record in your DNS
Log in to your DNS provider and create a new TXT record with these settings:
| Field | Value |
|---|---|
| Type | TXT |
| Name / Host | _dmarc |
| Value / Content | v=DMARC1; p=none; rua=mailto:[email protected] |
| TTL | 3600 (or your provider's default) |
Verify the record is published
After saving, wait a few minutes for DNS propagation. You can verify your record by looking up _dmarc.yourdomain.com with a DNS query tool, or by scanning your domain with Domain Guarddog.
Wait for reports and analyze
Within 24–48 hours, you should start receiving aggregate reports from major email providers. Review them for 2–4 weeks to identify all legitimate sending sources and any unauthorized senders.
p=none
to collect data first.
Example records for each stage
Here are the DMARC records you'll use as you progress through the deployment journey.
All records are TXT records published at _dmarc.yourdomain.com.
Stage 1: Monitoring only
Start here. Collect data without affecting email delivery.
v=DMARC1; p=none; rua=mailto:[email protected]
Stage 2: Monitoring with forensic reports
Add forensic reporting for detailed failure information (optional).
v=DMARC1; p=none; rua=mailto:[email protected]; ruf=mailto:[email protected]; fo=1
Stage 3: Quarantine (gradual)
Begin enforcement by quarantining a percentage of failing emails.
v=DMARC1; p=quarantine; pct=25; rua=mailto:[email protected]
Stage 4: Quarantine (full)
Apply quarantine to all failing emails.
v=DMARC1; p=quarantine; rua=mailto:[email protected]
Stage 5: Reject (gradual)
Begin rejecting a percentage of failing emails.
v=DMARC1; p=reject; pct=25; rua=mailto:[email protected]
Stage 6: Reject (full) — the goal
Maximum protection. All failing emails are blocked.
v=DMARC1; p=reject; rua=mailto:[email protected]
Non-sending domains
For domains that don't send email at all, use this aggressive record:
v=DMARC1; p=reject; sp=reject; rua=mailto:[email protected]
Pair this with an SPF record of v=spf1 -all to completely prevent
any email from being sent as this domain.
Provider-specific setup guides
How to add a DMARC record depends on your DNS hosting provider. Here are instructions for common providers:
Google Workspace
Google Admin Console → Apps → Google Workspace → Gmail → Authenticate email. Google also provides a DMARC setup wizard. Add the TXT record through your DNS provider (not in Google Admin).
Microsoft 365
Microsoft 365 Defender → Email & Collaboration → Policies. Add the DMARC TXT record through your DNS provider. Microsoft's documentation recommends starting with p=none alongside their built-in protection.
Cloudflare
Dashboard → DNS → Records → Add Record. Select TXT type, enter _dmarc as the name, paste your DMARC record as the content. Changes propagate within minutes.
GoDaddy
My Products → DNS → Add New Record. Select TXT type, enter _dmarc as the host, paste the DMARC value. Propagation may take up to 48 hours.
Namecheap
Domain List → Manage → Advanced DNS → Add New Record. Select TXT type, enter _dmarc as the host, paste the value. Changes typically take 30 minutes to propagate.
AWS Route 53
Hosted Zones → select your domain → Create Record. Choose TXT type, enter _dmarc as the record name, paste the value wrapped in double quotes. Propagation depends on TTL.
_dmarc.yourdomain.com, not at the root domain.
Some DNS providers require you to enter just _dmarc as the name
(they add the domain automatically), while others require the full
_dmarc.yourdomain.com. Check your provider's documentation.
Next steps
After publishing your p=none DMARC record, here's what to do next:
Wait 2–4 weeks for reports
Aggregate reports arrive daily from major email providers. Give it time to collect a representative sample of your email traffic.
Progress to quarantine
Once all legitimate sources pass, upgrade to p=quarantine with a gradual pct rollout. See our complete DMARC guide for the full deployment process.
Reach p=reject
The ultimate goal is p=reject — full protection against domain spoofing. With proper preparation, most domains can reach this level within 6–8 weeks.
Protect your domain from spoofing
Domain Guarddog monitors your DMARC, SPF, and DKIM records and guides you through the entire setup process.
Get Started Free