Pillar Guide

Complete DMARC Implementation Guide

Everything you need to implement DMARC from scratch. This comprehensive guide covers SPF, DKIM, DMARC configuration, report analysis, and progressive enforcement rollout from p=none to p=reject.

20 min read
All Levels

Table of Contents

Overview: What You'll Accomplish

By the end of this guide, you will have:

SPF configured - All legitimate email servers authorized
DKIM implemented - Cryptographic signatures on all outbound emails
DMARC at p=reject - Maximum protection against domain spoofing
Report monitoring system - Automated analysis and alerting
95%+ DMARC pass rate - Near-perfect email authentication
Timeline: Complete implementation takes 8-12 weeks for safe, progressive rollout without disrupting legitimate email.

Prerequisites & Planning

What You'll Need

DNS access (ability to add TXT records)
Email server admin access (for DKIM configuration)
Mailbox to receive DMARC reports (recommend dedicated address)
List of all email sending sources (servers, third-party services)

Discovery Phase: Identify All Email Sources

Before starting, create a comprehensive inventory of all systems that send email using your domain:

  • Primary email servers (Exchange, Gmail Workspace, Office 365)
  • Marketing platforms (Mailchimp, SendGrid, Constant Contact)
  • Transactional email services (Postmark, Mandrill, Amazon SES)
  • CRM systems (Salesforce, HubSpot, Pipedrive)
  • Support desk software (Zendesk, Freshdesk, Intercom)
  • E-commerce platforms (Shopify, WooCommerce, Magento)
  • Internal applications (custom apps, monitoring alerts)
  • Forwarding rules (any email forwarding or redirects configured)
Important: Missing even one legitimate email source during SPF/DKIM configuration will cause delivery issues later. Take time to document everything thoroughly.

Phase 1: Configure SPF (Week 1)

SPF (Sender Policy Framework) authorizes which IP addresses can send email on behalf of your domain.

Step 1: Build Your SPF Record

Start with the basic structure:

v=spf1 include:_spf.google.com include:servers.mcsv.net ~all
v=spf1 - SPF version identifier
include: - Delegate to another domain's SPF record
~all - Softfail (recommended for testing)
-all - Hardfail (use after testing)

Step 2: Add All Email Sources

Common third-party SPF includes:

ServiceSPF Include
Google Workspaceinclude:_spf.google.com
Microsoft 365include:spf.protection.outlook.com
SendGridinclude:sendgrid.net
Mailchimpinclude:servers.mcsv.net
Zendeskinclude:mail.zendesk.com

Step 3: Watch the 10 DNS Lookup Limit

Critical: SPF records are limited to 10 DNS lookups. Each include: counts as 1 lookup, plus any nested lookups within those includes.

Use our SPF Surveyor tool to verify your record stays under the limit.

Step 4: Deploy SPF Record

  1. Add TXT record at your domain root (yourdomain.com)
  2. Wait 5-60 minutes for DNS propagation
  3. Verify with: dig yourdomain.com TXT
  4. Test by sending emails and checking headers
Read full SPF configuration guide

Phase 2: Implement DKIM (Week 2)

DKIM (DomainKeys Identified Mail) adds cryptographic signatures to your emails, proving they haven't been tampered with.

Step 1: Generate DKIM Keys

Generate a 2048-bit RSA key pair for each email source:

# Generate DKIM key pair
openssl genrsa -out dkim_private.pem 2048
openssl rsa -in dkim_private.pem -pubout -out dkim_public.pem

Step 2: Configure Email Server

Add the private key to your email server configuration. For common platforms:

  • Google Workspace: Admin Console → Apps → Google Workspace → Gmail → Authenticate email
  • Microsoft 365: Exchange Admin Center → Mail Flow → DKIM
  • Postfix: Configure OpenDKIM with your private key

Step 3: Publish DNS Records

Add TXT record at: selector._domainkey.yourdomain.com

v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA...

Common selector names: default, google, selector1, k1

Step 4: Verify DKIM Signing

  1. Send a test email to yourself
  2. View the email source/headers
  3. Look for DKIM-Signature: header
  4. Verify with our DKIM Inspector tool
Pro Tip: Configure DKIM for ALL email sources before moving to Phase 3. Each third-party service (SendGrid, Mailchimp, etc.) has its own DKIM setup process.
Read full DKIM implementation guide

Phase 3: Deploy DMARC p=none (Week 3-4)

Start with monitoring mode to collect data without affecting email delivery.

Create Your First DMARC Record

v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com; ruf=mailto:forensic@yourdomain.com; fo=1
p=none - Monitor only, no enforcement
rua - Daily aggregate reports destination
ruf - Real-time forensic reports destination
fo=1 - Send forensic reports when any authentication mechanism fails

DNS Deployment

  1. Add TXT record at: _dmarc.yourdomain.com
  2. Set TTL to 300 (5 minutes) for easy testing
  3. Wait for DNS propagation (5-60 minutes)
  4. Verify with: dig _dmarc.yourdomain.com TXT
First Reports: You'll receive your first aggregate reports 24-48 hours after deployment. Most providers (Google, Yahoo, Microsoft) send daily summaries.
Read detailed DMARC record creation guide

Automate Your DMARC Implementation

Let TrustYourInbox handle the heavy lifting: automated report analysis, progressive enforcement, and 24/7 monitoring.

Start Free Trial

Need Expert Help?

Our DMARC specialists can handle your entire implementation, from audit to p=reject.

Talk to an Expert

Free Implementation Tools

DMARC Policy Generator

Create validated DMARC records instantly

SPF Surveyor

Check SPF lookup count and syntax

DKIM Inspector

Verify DKIM signatures and DNS records