DMARC Policy Not Enabled? How to Do It in 5 Easy Steps
Learn how to enable DMARC from setup to enforcement, to protect your domain, improve email deliverability, and prevent spoofing.
If your domain still doesn’t have a DMARC policy enabled, you’re leaving your email system unprotected against one of the most common forms of cyber abuse: spoofing.
A DMARC policy tells receiving mail servers what to do when messages fail authentication checks. Without it, your domain can be used by spammers and phishers, and you won’t even know it’s happening.
Setting up DMARC is simpler than it looks, but you need to have access to your organization's DNS (domain name system). If you don't, ask your developers for help.
Once your SPF and DKIM records are working, you can publish and start using DMARC in just a few steps.
What Is a DMARC Policy?
DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an email authentication standard that builds on SPF and DKIM.
When you send an email, mailbox providers check:
- Whether the sending server is authorized by your SPF record.
- Whether the email has a valid DKIM signature.
- Whether the domains used in SPF and DKIM align with your visible From address.
Your DMARC policy tells the receiving server what to do if those checks fail.
You can choose to:
- Monitor: Take no action, just collect reports.
- Quarantine: Send suspicious messages to spam.
- Reject: Block unauthorized messages entirely.
Why Bulk Email Senders Need to Enable DMARC
Enabling DMARC protects your brand, improves deliverability, and helps you understand how your domain is being used.
Here’s what happens when you don’t have a policy in place:
- Attackers can impersonate your domain in phishing emails.
- Mailbox providers don’t trust your messages, lowering your email deliverability.
- You lack visibility into who’s sending mail on your behalf.
When you enable DMARC, you take control. Every day, you’ll receive reports showing which servers are sending messages from your domain and whether they pass authentication.
For a complete overview and roadmap of DMARC implementation, from setup to ongoing monitoring and beyond, see our DMARC monitoring and compliance guide.
Here are the simple steps to enabling DMARC.
Note: You'll need access to your DNS to do this. If you don't have it, talk to the developers in your organization who do.
Step 1: Check SPF and DKIM
Before enabling DMARC, make sure SPF and DKIM are properly configured.
SPF
Publish an SPF record in your domain’s DNS that includes all services allowed to send email for your domain. Example:
v=spf1 include:spf.protection.outlook.com include:_spf.google.com -all
The -all at the end tells mail servers to reject senders not listed in the record.
DKIM
Most email providers let you generate a DKIM key. You’ll need to add it to your DNS as a TXT record under a selector name. Example:
selector1._domainkey.yourdomain.com
Step 2: Create a DMARC Record
A DMARC record is a simple TXT entry in your DNS. Start with a monitoring-only setup (i.e., a "none" policy) so you can gather data before taking action.
Example:
v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com; aspf=r; adkim=r
- v=DMARC1: The version tag.
- p=none: Policy type. “None” means monitor only.
- rua: Where aggregate reports are sent.
- aspf/adkim: Alignment modes. “r” is relaxed, “s” is strict.
Once you add this to your DNS, mailbox providers start sending DMARC reports for your domain to the rua address.
Step 3: Review the Reports
Mailbox providers send XML files called aggregate reports to the address you specified in your record.
These reports include:
- The IPs and domains sending on your behalf.
- Authentication pass/fail results.
- Message counts by source.
You can read the data using a DMARC report viewer or an automated tool. The goal is to identify legitimate senders that fail SPF or DKIM so you can fix them before moving to enforcement.
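To make the review in this step concrete, here is an added example (not part of the original article and not DMARCeye's code) that reads one aggregate report and lists the sources with SPF or DKIM failures. The sample report is constructed, and the code assumes the un-namespaced element names from the RFC 7489 report schema.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample report (not real traffic); IPs are from documentation ranges.
SAMPLE_REPORT = """<feedback>
  <policy_published><domain>yourdomain.com</domain><p>none</p></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>192.0.2.25</source_ip><count>30</count>
      <policy_evaluated><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>14</count>
      <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
  </record>
</feedback>"""

def summarize(xml_text):
    """Return per-source message counts from one aggregate report."""
    # Reports come from outside parties; production code should use a
    # hardened XML parser (for example defusedxml) instead of ElementTree.
    root = ET.fromstring(xml_text)
    stats = defaultdict(lambda: {"total": 0, "dkim_fail": 0, "spf_fail": 0, "dmarc_fail": 0})
    for rec in root.iter("record"):
        ip = rec.findtext("row/source_ip")
        count = int(rec.findtext("row/count", "0"))
        # policy_evaluated holds the aligned DKIM and SPF results; per RFC 7489
        # a message passes DMARC when at least one of them is "pass".
        dkim = rec.findtext("row/policy_evaluated/dkim")
        spf = rec.findtext("row/policy_evaluated/spf")
        row = stats[ip]
        row["total"] += count
        row["dkim_fail"] += count if dkim != "pass" else 0
        row["spf_fail"] += count if spf != "pass" else 0
        row["dmarc_fail"] += count if "pass" not in (dkim, spf) else 0
    return dict(stats)

def needs_attention(xml_text):
    """Sources with any DKIM or SPF failure, worst DMARC failures first."""
    rows = summarize(xml_text).items()
    flagged = [(ip, s) for ip, s in rows if s["dkim_fail"] or s["spf_fail"]]
    return sorted(flagged, key=lambda kv: -kv[1]["dmarc_fail"])
```

In the sample, 198.51.100.7 fails both checks and would be quarantined or rejected under enforcement, while 192.0.2.25 still passes DMARC on SPF alone but has a DKIM problem worth fixing first.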
Step 4: Move to Enforcement
After two or three weeks of monitoring, you should have a clear picture of your email sources.
Once you’ve fixed all legitimate senders that fail authentication, it’s time to move from p=none to p=quarantine:
v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@yourdomain.com; aspf=r; adkim=r
This sends unaligned or unauthenticated messages to spam instead of rejecting them outright.
If your reports remain clean for several weeks, take the final step to full protection:
v=DMARC1; p=reject; rua=mailto:dmarc-reports@yourdomain.com; aspf=r; adkim=r
Step 5: Maintain and Monitor
DMARC isn’t something you set once and forget. Continue reviewing your reports regularly to catch new senders or configuration changes.
It’s also a good idea to:
- Rotate DKIM keys every 6–12 months.
- Review SPF records quarterly.
- Add new platforms to SPF and DKIM before they start sending.
As your business grows and adds tools that send email, keeping DMARC up to date ensures you stay protected and maintain a strong sender reputation.
Common DMARC Setup Mistakes
Even small misconfigurations can cause deliverability problems. Watch out for these:
- Using the wrong syntax in DNS. Make sure there are no extra spaces or missing semicolons.
- Invalid email address in RUA. If your report address isn’t valid, you won’t receive reports.
- Skipping SPF or DKIM alignment. Both must align with the “From” domain for DMARC to work.
- Setting p=reject too early. Always verify that legitimate mail streams are authenticating first.
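The syntax and RUA mistakes above, and the tags introduced in Step 2, can be checked before the record goes into DNS. This is an added example, not from the original article: a small linter covering a subset of the RFC 7489 record syntax, with function names chosen here for illustration.

```python
import re

VALID_POLICIES = {"none", "quarantine", "reject"}
VALID_ALIGNMENT = {"r", "s"}
# mailto: URI with an optional size limit suffix such as "!10m"
MAILTO = re.compile(r"^mailto:[^@\s,;!]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}(![0-9]+[kmgt]?)?$")

def parse_dmarc(record):
    """Split a DMARC TXT value into (tags dict, list of problems)."""
    tags, problems = {}, []
    parts = [p.strip() for p in record.strip().split(";")]
    if parts and parts[-1] == "":
        parts.pop()  # a single trailing semicolon is allowed
    for part in parts:
        if "=" not in part:
            problems.append(f"malformed tag (missing '=' or stray ';'): {part!r}")
            continue
        name, value = (s.strip() for s in part.split("=", 1))
        if name in tags:
            problems.append(f"duplicate tag: {name}")
        tags[name] = value
    return tags, problems

def lint_dmarc(record):
    """Return a list of problems found in a DMARC record (empty if none)."""
    tags, problems = parse_dmarc(record)
    first = record.strip().split(";")[0].replace(" ", "")
    if first != "v=DMARC1":
        problems.append("record must start with v=DMARC1")
    # A missing semicolon swallows the next tag into this value, e.g.
    # "p=none rua=..." parses as p="none rua=...", which is caught here.
    if tags.get("p", "").lower() not in VALID_POLICIES:
        problems.append(f"p must be one of {sorted(VALID_POLICIES)}")
    for mode in ("aspf", "adkim"):
        if mode in tags and tags[mode].lower() not in VALID_ALIGNMENT:
            problems.append(f"{mode} must be 'r' or 's'")
    rua = tags.get("rua")
    if rua is None:
        problems.append("no rua tag: no aggregate reports will be received")
    else:
        for uri in rua.split(","):
            if not MAILTO.match(uri.strip()):
                problems.append(f"invalid rua address: {uri.strip()!r}")
    return problems
```

Running `lint_dmarc` on the Step 2 record returns an empty list; dropping the `mailto:` prefix or a semicolon produces a specific complaint.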
How DMARCeye Helps with DMARC Report Monitoring
When you enable DMARC, mailbox providers start sending daily XML reports. These can be difficult to read manually.
DMARCeye collects and organizes these reports into a clear dashboard. You can see all your sending sources, authentication results, and alignment trends at a glance. It simplifies:
- Monitoring your DMARC performance.
- Identifying spoofing attempts.
- Tracking improvements as you move from monitoring to enforcement.
DMARCeye lets you focus on improving your domain’s trust and deliverability instead of managing raw data.