Complete DMARC Implementation Guide

Learn how to fully implement DMARC in DNS, from managing multiple domains and subdomains to aligning SPF, DKIM, and enforcing policies safely.


Once you’ve published a basic DMARC record, the real work begins: implementing it correctly across all your domains and systems.

DMARC (Domain-based Message Authentication, Reporting & Conformance) works best when every mail source in your organization is authenticated, aligned, and monitored.

This guide goes beyond the basics to help you configure DMARC in DNS, manage multi-domain environments, and move safely from testing to full enforcement.

Step 1: Start with a Centralized DMARC Strategy

If your organization manages multiple domains or subdomains, treat DMARC as a long-term policy framework, not a one-off DNS record. Start by identifying:

  • All your sending sources (CRMs, marketing tools, ticketing systems, HR platforms, etc.)
  • All domains and subdomains used for sending mail.
  • Which systems are managed internally vs. by third-party vendors.

It’s common for each department or business unit to have its own sending setup. But without a coordinated DMARC strategy, reports become fragmented and enforcement becomes risky.

Create an inventory of senders and decide which domain each will send from. This is your foundation for full compliance.

Step 2: Review SPF and DKIM Across All Sending Systems

DMARC relies on SPF and DKIM to authenticate messages. If either one fails or isn’t aligned, DMARC will fail too.

SPF Checks

Each domain should have a single SPF record listing all authorized senders:

    v=spf1 include:_spf.google.com include:sendgrid.net include:mailgun.org -all

Best practices:

  • Keep the record within 10 DNS-querying terms (include, a, mx, ptr, exists and redirect); SPF treats anything beyond that limit as a permanent error.
  • Don’t create multiple SPF records; merge them into one.
  • Always end with -all to reject unauthorized senders.
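As an added example (not part of this guide), the Python below walks an SPF record the way a checker would: it counts the DNS-querying terms against the limit of 10, follows include: and redirect=, and flags a name that publishes more than one SPF record. It uses a constructed in-memory TXT table instead of live DNS; the nested records under the vendor names are invented for the walk-through and are not what those domains really publish.

```python
import re
# Constructed TXT data: the child records are invented, not what those domains really publish.
FAKE_TXT = {
    "yourdomain.com": ["v=spf1 include:_spf.google.com include:sendgrid.net include:mailgun.org -all"],
    "_spf.google.com": ["v=spf1 include:_n1.google.com include:_n2.google.com include:_n3.google.com ~all"],
    "_n1.google.com": ["v=spf1 ip4:192.0.2.0/24 ~all"],
    "_n2.google.com": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "_n3.google.com": ["v=spf1 ip6:2001:db8::/32 ~all"],
    "sendgrid.net": ["v=spf1 ip4:203.0.113.0/24 ~all"],
    "mailgun.org": ["v=spf1 a mx ~all"],
    # The Step 8 mistake: two SPF records on one name.
    "old.yourdomain.com": ["v=spf1 include:_spf.google.com -all", "v=spf1 include:sendgrid.net -all"],
}

# Terms that each cost one DNS query toward the limit of 10 (RFC 7208 section 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def spf_records(domain):
    """Return the v=spf1 TXT strings published at domain (from the constructed table)."""
    return [t for t in FAKE_TXT.get(domain, []) if t.lower().startswith("v=spf1")]

def count_lookups(domain, seen=None):
    """Count DNS-querying terms in domain's SPF record, following include: and redirect=."""
    seen = set() if seen is None else seen
    lookups, problems = 0, []
    records = spf_records(domain)
    if len(records) != 1:
        problems.append(f"{domain}: {len(records)} SPF records found, exactly one is required")
    if domain in seen or not records:
        return lookups, problems
    seen.add(domain)
    for term in records[0].split()[1:]:
        term = term.lstrip("+-~?")                               # drop the qualifier
        name = re.split(r"[:/=]", term, maxsplit=1)[0].lower()  # mechanism or modifier name
        if name not in LOOKUP_TERMS:
            continue                                            # ip4, ip6 and all cost nothing
        lookups += 1
        if name in ("include", "redirect"):
            sub_lookups, sub_problems = count_lookups(re.split(r"[:=]", term, maxsplit=1)[1], seen)
            lookups += sub_lookups
            problems += sub_problems
    return lookups, problems

def check_spf(domain):
    """Summarize SPF health: total lookups, the 10-lookup limit and structural problems."""
    lookups, problems = count_lookups(domain)
    if lookups > 10:
        problems.append(f"{domain}: {lookups} DNS lookups exceed the SPF limit of 10")
    return {"domain": domain, "lookups": lookups, "problems": problems}
```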

DKIM Checks

Each email-sending system (like HubSpot or Office 365) provides DKIM selectors to add to your DNS:

    selector1._domainkey.yourdomain.com
    v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9...

Confirm that:

  • Every service signs messages with its own DKIM key.
  • The d= tag in the DKIM-Signature header is your domain (with relaxed alignment a subdomain also counts), so the signature aligns with the From: address.
  • Keys rotate periodically for better security.

Document every DKIM selector and associate it with a known sending source. This makes troubleshooting easier later.

Step 3: Publish a Proper DMARC Record

DMARC records are TXT entries added to your DNS under _dmarc.yourdomain.com.

A solid starting point for implementation looks like this:

    v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com; aspf=r; adkim=r

Let’s break this down:

  • v=DMARC1 - Required protocol version.
  • p=none - Monitoring mode (collect reports, no enforcement).
  • rua=mailto: - Aggregate report destination.
  • aspf=r / adkim=r - Relaxed alignment (safer for multi-domain setups).

If you manage several domains, give each its own report address so the reports are easy to tell apart. The rua tag also accepts a comma-separated list, so one domain can deliver its reports to more than one mailbox:

    rua=mailto:dmarc@corp.yourdomain.com,mailto:dmarc@reports.partner.com

When a destination lies in another organization's domain (reports.partner.com here), that domain must publish a TXT record at yourdomain.com._report._dmarc.reports.partner.com containing v=DMARC1; without it, receivers will not send reports there.

For subdomains, you can publish a separate record (e.g. _dmarc.mail.yourdomain.com) or inherit the policy from the organizational domain.
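As an added example (not the guide's own tooling), here is a small Python validator for the tags just described: it parses a DMARC TXT value, checks that v=DMARC1 leads, that p= is valid, that rua= is present, and that any rua destination outside your organizational domain has the authorization record it needs. The org_domain helper uses a last-two-labels simplification; a real tool consults the Public Suffix List.

```python
VALID_POLICIES = {"none", "quarantine", "reject"}

def parse_dmarc(txt):
    """Split 'v=DMARC1; p=none; rua=...' into a dict of lower-cased tag -> value."""
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags

def org_domain(name):
    """Simplified organizational domain (last two labels); a real tool consults the Public Suffix List."""
    return ".".join(name.lower().split(".")[-2:])

def validate_dmarc(domain, txt):
    """Return findings for the DMARC TXT published at _dmarc.<domain>; an empty list means clean."""
    findings, tags = [], parse_dmarc(txt)
    if not txt.strip().lower().startswith("v=dmarc1"):
        findings.append("v=DMARC1 must be the first tag")
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        findings.append(f"p= is missing or invalid: {policy!r}")
    elif policy == "none":
        findings.append("p=none is monitoring only; plan the move to quarantine/reject")
    if "rua" not in tags:
        findings.append("no rua= tag: you will receive no aggregate reports")
    for uri in filter(None, (u.strip() for u in tags.get("rua", "").split(","))):
        if not uri.lower().startswith("mailto:"):
            findings.append(f"rua destination is not a mailto: URI: {uri}")
            continue
        dest = uri[len("mailto:"):].rsplit("@", 1)[-1].lower()
        # Reports to another organization's domain are only sent if that domain publishes a TXT
        # record at <domain>._report._dmarc.<dest> containing v=DMARC1 (RFC 7489 section 7.1).
        if org_domain(dest) != org_domain(domain):
            findings.append(f"external rua {dest}: needs {domain}._report._dmarc.{dest} authorization")
    for tag in ("aspf", "adkim"):
        if tags.get(tag, "r").lower() not in ("r", "s"):
            findings.append(f"{tag}= must be r (relaxed) or s (strict)")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or not 0 <= int(pct) <= 100:
        findings.append(f"pct= must be an integer from 0 to 100, got {pct!r}")
    return findings
```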

Step 4: Analyze DMARC Reports and Validate Alignment

Once live, mailbox providers will send you DMARC aggregate (RUA) reports daily, summarizing which IPs sent mail for your domain and how they performed.

Look for:

  • Unknown IPs sending email (possible spoofing).
  • Known systems failing SPF or DKIM.
  • Misaligned authentication results.

Each record in a report covers one sending IP and states:

  • SPF result: Pass or fail.
  • DKIM result: Pass or fail.
  • Alignment: Whether each result matches your domain.

If a legitimate sender fails alignment, fix that before moving to enforcement.

For a deeper explanation, see our guide on How to Read DMARC Aggregate Reports.
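As an added example (not from this guide or any vendor's parser), the Python below reads a constructed aggregate report in the RFC 7489 XML layout and sorts each source into the three Step 4 categories: unknown IPs, known systems failing both checks, and known systems that authenticate but are misaligned. The IPs are documentation ranges, the provider name is invented, and KNOWN_IPS stands in for the sender inventory from Step 1.

```python
import xml.etree.ElementTree as ET

# Constructed aggregate (RUA) report in the RFC 7489 Appendix C layout; documentation IPs, invented provider.
SAMPLE_RUA = """<feedback>
 <report_metadata><org_name>mailbox-provider.example</org_name><report_id>1</report_id></report_metadata>
 <policy_published><domain>yourdomain.com</domain><p>none</p><aspf>r</aspf><adkim>r</adkim></policy_published>
 <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
   <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
  <identifiers><header_from>yourdomain.com</header_from></identifiers>
  <auth_results><dkim><domain>yourdomain.com</domain><result>pass</result></dkim>
   <spf><domain>yourdomain.com</domain><result>pass</result></spf></auth_results></record>
 <record><row><source_ip>198.51.100.7</source_ip><count>40</count>
   <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>yourdomain.com</header_from></identifiers>
  <auth_results><dkim><domain>sendgrid.net</domain><result>pass</result></dkim>
   <spf><domain>sendgrid.net</domain><result>pass</result></spf></auth_results></record>
 <record><row><source_ip>203.0.113.99</source_ip><count>15</count>
   <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>yourdomain.com</header_from></identifiers>
  <auth_results><spf><domain>unrelated.example</domain><result>fail</result></spf></auth_results></record>
</feedback>"""

KNOWN_IPS = {"192.0.2.10", "198.51.100.7"}   # constructed: the sources inventoried in Step 1

def text(node, path):
    child = node.find(path)
    return child.text.strip() if child is not None and child.text else ""

def triage_report(xml_text, known_ips):
    """Return one dict per record with the DMARC verdict and which Step 4 flag applies."""
    rows = []
    for rec in ET.fromstring(xml_text).iter("record"):
        ip = text(rec, "row/source_ip")
        # policy_evaluated carries the ALIGNED results; auth_results carries the raw ones.
        aligned_pass = "pass" in (text(rec, "row/policy_evaluated/dkim"), text(rec, "row/policy_evaluated/spf"))
        raw_pass = any(text(r, "result") == "pass" for r in rec.findall("auth_results/*"))
        if aligned_pass:
            flag = "ok"
        elif ip not in known_ips:
            flag = "unknown source, possible spoofing"
        elif raw_pass:
            flag = "known system authenticates but is misaligned"
        else:
            flag = "known system failing SPF and DKIM"
        rows.append({"ip": ip, "count": int(text(rec, "row/count")), "dmarc_pass": aligned_pass, "flag": flag})
    return rows
```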

Step 5: Handle Third-Party Senders

Many DMARC issues stem from third-party platforms that send emails on your behalf, like marketing tools, CRMs, or payment processors.

To ensure these messages pass DMARC:

  1. Add their sending IPs or include mechanisms to your SPF record.
  2. Publish their DKIM keys as provided.
  3. Make sure they use your domain in the “From” header, not a generic shared domain.

If a vendor can't produce a DKIM signature aligned with your domain, the message has to pass SPF with an aligned domain instead: the vendor must use your domain (or a subdomain of it) as the envelope sender (Return-Path) rather than its own, or the message will fail DMARC and be rejected.

Tip: Keep a shared internal list of all approved third-party senders and their DNS configurations.

Step 6: Move from Monitoring to Enforcement

Once your reports show all legitimate senders are authenticating correctly, start enforcing DMARC.

Transition gradually:

  1. p=none → p=quarantine (send failing messages to spam).
  2. p=quarantine → p=reject (block failing messages entirely).

You can also test partial enforcement using the pct tag:

    v=DMARC1; p=reject; pct=50; rua=mailto:dmarc-reports@yourdomain.com

This applies the reject policy to a random 50% of failing messages; the rest receive the next weaker policy (quarantine), so you can watch the effect in your reports before going to 100%.

As you tighten enforcement, continue reviewing your reports daily.

Step 7: Configure Subdomain Policies

Subdomains can either inherit your main policy or have their own. For example:

    v=DMARC1; p=none; sp=reject; rua=mailto:dmarc-reports@yourdomain.com

Here:

  • p=none applies to the main domain.
  • sp=reject enforces DMARC on every subdomain that does not publish its own _dmarc record.

Use this when you’re testing on the main domain but want stricter enforcement for transactional subdomains like billing.yourdomain.com.
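As an added example covering both the pct sampling in Step 6 and the sp= subdomain rule here (this is illustrative code, not the guide's or any receiver's implementation), the Python below works out which policy a receiver applies to a given From: domain: an exact _dmarc record wins, otherwise the organizational domain's record is used with sp= governing subdomains, and messages outside the pct sample drop to the next weaker policy. The zone data is constructed from the guide's own records, and org_domain is a last-two-labels simplification of the Public Suffix List lookup.

```python
# Constructed zone data: the TXT at _dmarc.<domain>, using the guide's own Step 6 and Step 7 records.
DMARC_TXT = {
    "yourdomain.com": "v=DMARC1; p=none; sp=reject; rua=mailto:dmarc-reports@yourdomain.com",
    "news.yourdomain.com": "v=DMARC1; p=reject; pct=50; rua=mailto:dmarc-reports@yourdomain.com",
}

# Messages outside the pct sample get the next weaker policy (RFC 7489 section 6.6.4).
NEXT_WEAKER = {"reject": "quarantine", "quarantine": "none", "none": "none"}

def parse_dmarc(txt):
    """Split 'v=DMARC1; p=none; sp=reject; ...' into a dict of lower-cased tag -> value."""
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip().lower()
    return tags

def org_domain(name):
    """Simplified organizational domain (last two labels); real receivers use the Public Suffix List."""
    return ".".join(name.lower().split(".")[-2:])

def effective_policy(from_domain, records, draw=None):
    """Return (record_owner, policy) applied to mail whose From: domain is from_domain.

    records maps domain -> DMARC TXT. draw is a deterministic stand-in (0-99) for the
    receiver's random pct selection so the sampling rule can be exercised in tests."""
    from_domain = from_domain.lower()
    if from_domain in records:                          # an exact record always wins
        owner, tags = from_domain, parse_dmarc(records[from_domain])
        policy = tags.get("p", "none")
    else:                                               # otherwise the organizational domain's record
        owner = org_domain(from_domain)
        if owner not in records:
            return None, "none"                         # no DMARC record at all: nothing to enforce
        tags = parse_dmarc(records[owner])
        policy = tags.get("sp", tags.get("p", "none"))  # sp= governs subdomains, p= is the fallback
    pct = int(tags.get("pct", "100"))
    if draw is not None and draw >= pct:
        policy = NEXT_WEAKER.get(policy, "none")
    return owner, policy
```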

Step 8: Avoid Common Implementation Mistakes

Even well-prepared teams make these errors:

  • Multiple SPF records on one domain.
  • Missing rua tag (no reports).
  • Using a monitoring-only policy forever (p=none).
  • Forgetting to update DKIM keys after platform changes.
  • Ignoring unaligned subdomains.

DMARC only protects you if it’s actively monitored and enforced. Leaving it at p=none indefinitely offers no protection against spoofing.

Step 9: Maintain and Monitor Over Time

Once your DMARC policy is fully enforced, ongoing monitoring ensures everything stays healthy.

Regularly review:

  • New IPs appearing in reports (potential new senders).
  • Changes in authentication pass rates.
  • Whether third-party integrations are still authenticating correctly.

DMARC isn’t a “set it and forget it” system. It’s an evolving part of your domain’s security posture.


For a complete roadmap from DMARC setup through ongoing monitoring and beyond, see our DMARC monitoring and compliance guide.


How DMARCeye Helps You Manage Implementation

Setting up DMARC is one thing. Maintaining it across multiple domains and platforms is another. DMARCeye is an AI-powered DMARC monitoring and management platform that:

  • Collects and interprets your DMARC reports.
  • Maps all your sending sources visually.
  • Flags misaligned or unauthorized senders.
  • Tracks progress as you tighten your policy.

Easily see whether your implementation is working, which systems need adjustment, and how close you are to full compliance.

Get a free trial of DMARCeye today and start protecting your email domain.
