
How to set up DMARC

Start by creating a mailbox for reports, usually a shared mailbox with an address such as postmaster@company.com.

Monitor results

Create a TXT record in your DNS:
Hostname: _dmarc (so the full hostname is _dmarc.company.com)
Value: v=DMARC1; p=none; rua=mailto:postmaster@company.com; ruf=mailto:postmaster@company.com
TTL: 1 hour

The best practice is to have this on for a month to get reports on how your email domain is being used.

It's nice to use powerdmarc.com for reading results. The trial should be enough to see if it's safe to lock down the domain.

Lock it down

When you are ready to lock down your domain, you want something like this:
v=DMARC1; p=reject; pct=100; rua=mailto:postmaster@company.com; ruf=mailto:postmaster@company.com;

v=DMARC1: DMARC version
p=reject: Policy is to reject all email that does not comply with SPF and DKIM rules
pct=100: Reject 100% of emails that break the rules. You can have this 50/50 if you like, but the email probably goes to junk mail.
rua=mailto:postmaster@company.com: Report to postmaster email

v: Protocol version. Sample: v=DMARC1
pct: Percentage of messages subjected to filtering. Sample: pct=20
ruf: Reporting URI for forensic reports. Sample: ruf=mailto:authfail@example.com
rua: Reporting URI of aggregate reports. Sample: rua=mailto:aggrep@example.com
p: Policy for organizational domain. Sample: p=quarantine
sp: Policy for subdomains of the OD. Sample: sp=reject
adkim: Alignment mode for DKIM. Sample: adkim=s
aspf: Alignment mode for SPF. Sample: aspf=r

More advanced example, SPF relaxed + DKIM strict:
v=DMARC1; p=quarantine; sp=reject; adkim=s; rua=mailto:postmaster-rua@company.com; ruf=mailto:postmaster-ruf@company.com; pct=100; fo=0:1:d:s;
Created with powerdmarc.com.
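
The tag list above can be turned into a quick check to run on a record before publishing it. The Python below is an added example, not code from this page or from powerdmarc.com; parse_dmarc and its warning texts are hypothetical names, and the defaults it fills in (relaxed adkim/aspf, pct of 100, sp inheriting p) are assumed from RFC 7489.

```python
# Added example: parse a DMARC TXT value and report its effective settings.
# parse_dmarc and the warning texts are assumptions; defaults are RFC 7489's.
DEFAULTS = {"adkim": "r", "aspf": "r", "pct": "100", "fo": "0"}
POLICIES = {"none", "quarantine", "reject"}

def parse_dmarc(value):
    """Return (settings, warnings) for one DMARC record string."""
    pairs = []
    for part in value.split(";"):
        if part.strip():
            tag, sep, val = part.partition("=")
            if not sep:
                raise ValueError(f"not a tag=value pair: {part.strip()!r}")
            pairs.append((tag.strip().lower(), val.strip()))
    # v=DMARC1 must come first, otherwise receivers discard the record.
    if not pairs or pairs[0] != ("v", "DMARC1"):
        raise ValueError("record must start with v=DMARC1")
    settings = {**DEFAULTS, **dict(pairs)}
    # Subdomains inherit the organizational policy unless sp is set.
    settings.setdefault("sp", settings.get("p"))
    if settings["sp"] not in POLICIES or settings.get("p") not in POLICIES:
        raise ValueError("p and sp must be none, quarantine or reject")
    for mode in ("adkim", "aspf"):
        if settings[mode] not in ("r", "s"):
            raise ValueError(f"{mode} must be r (relaxed) or s (strict)")
    if not settings["pct"].isdecimal() or int(settings["pct"]) > 100:
        raise ValueError("pct must be an integer from 0 to 100")
    warnings = []
    if settings["p"] == "none":
        warnings.append("monitoring only: no action requested on failing mail")
    elif int(settings["pct"]) < 100:
        warnings.append("policy applies to only part of failing mail")
    for tag in ("rua", "ruf"):
        uris = [u.strip() for u in settings.get(tag, "").split(",") if u.strip()]
        if tag == "rua" and not uris:
            warnings.append("no rua: you will receive no aggregate reports")
        if any(not u.lower().startswith("mailto:") for u in uris):
            warnings.append(f"{tag} contains a URI that is not mailto:")
    return settings, warnings

# The three records from this page.
MONITOR = "v=DMARC1; p=none; rua=mailto:postmaster@company.com; ruf=mailto:postmaster@company.com"
LOCKED = "v=DMARC1; p=reject; pct=100; rua=mailto:postmaster@company.com; ruf=mailto:postmaster@company.com;"
ADVANCED = "v=DMARC1; p=quarantine; sp=reject; adkim=s; rua=mailto:postmaster-rua@company.com; ruf=mailto:postmaster-ruf@company.com; pct=100; fo=0:1:d:s;"

if __name__ == "__main__":
    for record in (MONITOR, LOCKED, ADVANCED):
        settings, warnings = parse_dmarc(record)
        print(settings["p"], settings["sp"], settings["adkim"], settings["aspf"], warnings)
```

For the advanced record the result shows aspf as r even though the record never sets it, which is why that example is "SPF relaxed" without an aspf tag.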