Recommended DMARC rollout
Important: Set up DKIM and SPF at least 48 hours before setting up DMARC.
DMARC should be rolled out gradually:
- Start with a policy set to none (no enforcement for 100% of messages) for one week:
  - Messages are delivered normally. There is no risk of messages being rejected or marked as spam.
  - Review your DMARC reports daily to identify any issues with your outgoing email or email senders.
  - One week is usually enough time for the daily reports to contain data representative of all your mail streams.
- After monitoring DMARC reports for at least a week and seeing no issues with your outgoing email, move to a quarantine policy for a small percentage of messages:
  - Messages that don't pass DMARC go to the recipient's spam folder. Recipients can review these messages.
  - You determine what percentage you start with and when you increase it. For example, a small organization might start with 10% of their messages, but a large organization might start with 1% of their messages.
  - You can use reject instead of quarantine if required. Caution: The reject policy means that messages that don't pass DMARC are rejected by receiving servers and never delivered.
Apply an enforcement policy
- Sign in to your domain and access your DMARC record.
- Enter one of these policies, starting with none and moving to quarantine or reject:
  - v=DMARC1; p=none; rua=mailto:dmarc@example.com
  - v=DMARC1; p=quarantine; pct=5; rua=mailto:dmarc@example.com
  - v=DMARC1; p=reject; rua=mailto:postmaster@example.com,mailto:dmarc@example.com
Notes:
- Replace the example email address after mailto with the email address for your domain.
- Replace the value for pct with the percentage that you want to apply (quarantine and reject only).
- Review your DMARC reports daily.
- If you set your policy to quarantine (or reject), gradually increase the percentage over time to cover 100% of messages.
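
Before publishing a record at any stage of the rollout, it helps to check it for the mistakes that silently break reporting or enforcement. The following is an added example, not part of the original article; the function names are hypothetical. It checks the policy value, the pct range, and that every address in rua carries its own mailto: prefix.

```python
import re

VALID_POLICIES = {"none", "quarantine", "reject"}

def parse_dmarc(record):
    """Split a DMARC TXT value into a dict of tag -> value, keeping tag order."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        tags[name.strip().lower()] = value.strip()
    return tags

def check_dmarc(record):
    """Return a list of problems found in a DMARC record (empty list means OK)."""
    try:
        tags = parse_dmarc(record)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    # The version tag has to come first in the record.
    if next(iter(tags.items()), None) != ("v", "DMARC1"):
        problems.append("record must start with v=DMARC1")
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        problems.append("p must be none, quarantine or reject")
    pct = tags.get("pct")
    if pct is not None:
        if not (pct.isascii() and pct.isdigit()) or int(pct) > 100:
            problems.append("pct must be an integer from 0 to 100")
        elif policy == "none":
            problems.append("pct has no effect with p=none")
    rua = tags.get("rua")
    if rua is None:
        problems.append("no rua tag: aggregate reports will not be sent")
    else:
        for uri in rua.split(","):
            uri = uri.strip()
            if not re.fullmatch(r"mailto:[^@\s,]+@[^@\s,]+", uri):
                problems.append(f"rua entry is not a mailto: URI: {uri!r}")
    return problems

if __name__ == "__main__":
    # Constructed sample record using the article's example.com addresses.
    print(check_dmarc("v=DMARC1; p=quarantine; pct=5; rua=mailto:dmarc@example.com"))
```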
Vincent Kruggel
January 9, 2025
KB# 100055