trustyourinbox

Setting up DMARC for the first time

The actual five minutes of work. We assume you've never touched DNS before.

Before you start

You need three things:

  • A domain you control (you can edit its DNS records).
  • An address to send DMARC reports to. trustyourinbox gives you a unique one.
  • About five minutes.

Step 1 — Confirm you can edit DNS

Log into your domain registrar (GoDaddy, Namecheap, Cloudflare, whoever you bought the domain from). Look for "DNS settings", "DNS records", or "Manage DNS". You should see a list of records like A, CNAME, MX, TXT.

If you can see those, you can publish DMARC. If you can't, you may need to ask whoever manages your DNS to do it on your behalf — most registrars let you grant a delegate access.

Step 2 — Publish a starter DMARC record

Add a new TXT record with these values:

  • Name / Host: _dmarc (some registrars want the full hostname: _dmarc.acme.com)
  • Type: TXT
  • Value: v=DMARC1; p=none; rua=mailto:<your-address>; pct=100
  • TTL: 3600 (or whatever the default is — doesn't matter much)

If you're a trustyourinbox customer, the unique RUA address shows up on your Domains page after you verify ownership. Replace <your-address> with that.

Step 3 — Wait for DNS propagation

Most DNS changes propagate in 5-15 minutes, but TTLs and ISP caches can stretch this to a few hours. Don't panic if it doesn't show up immediately. You can check with this command from a terminal:

dig +short TXT _dmarc.your-domain.com

Or paste your domain into our free DMARC audit — it'll tell you whether the record is live and what's in it.

Step 4 — Wait for reports

Mailbox providers send DMARC aggregate reports once per day, usually 12-24 hours after their reporting period closes (which is typically end-of-UTC-day for them). So:

  • If your mail flows through Gmail, expect first reports within 24-48 hours of mail actually being sent.
  • If your domain has very low outbound volume (say, 1-2 emails/day), reports may take longer or arrive sporadically.
  • If you don't send any mail, no one has anything to report on. Send something — even a test email to a Gmail account works.

Step 5 — Read what you get

Each report contains a per-source-IP breakdown of what mail the provider saw, whether SPF and DKIM passed, and whether they aligned with the From: domain. Reading raw DMARC XML is unpleasant, so use a tool — that's what trustyourinbox is for. Each report on the dashboard gets a plain-English summary describing what happened and whether anything looks off.

Once you have 2-4 weeks of reports and you can identify every IP that's legitimately sending mail in your name, you're ready for the next step: Progressing past p=none safely.

What can go wrong

The TXT record won't save. Some registrars require quoting around the value. Try wrapping it in double quotes: "v=DMARC1; p=none; rua=mailto:...".

The TXT record saves but isn't visible. DNS caches can be sticky. Wait an hour, try a different DNS resolver (dig +short TXT _dmarc.acme.com @1.1.1.1), and see if it shows up.

You publish but never get reports. Most likely cause: no mail is actually being sent from the domain. DMARC reports are about traffic — if there isn't any, there's nothing to report. Less likely: the rua= address is malformed (typo, wrong domain, etc.).
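The record from Step 2 and the failure modes above can be checked offline before you wait on DNS or reports. This is an added example, not trustyourinbox code: it lints a TXT value for the problems described here, plus the DMARC specification's (RFC 7489) rule that a report address on another domain needs an authorization record published by that domain. The function name check_dmarc and the host reports.example are assumptions made for the illustration.

```python
import re

POLICIES = {"none", "quarantine", "reject"}
# Simplified mailbox pattern for one rua= URI; an optional size limit such as "!10m" may follow.
MAILTO = re.compile(r"mailto:[^@\s,!<>]+@([a-z0-9-]+(?:\.[a-z0-9-]+)+)(?:![0-9]+[kmgt]?)?", re.I)

def check_dmarc(domain, txt_value):
    """Return a list of findings for the TXT value published at _dmarc.<domain>."""
    findings = []
    value = txt_value.strip()
    # dig and some registrar forms show the value wrapped in one pair of double quotes.
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    tags = []
    for part in filter(None, (p.strip() for p in value.split(";"))):
        name, sep, val = part.partition("=")
        if sep:
            tags.append((name.strip().lower(), val.strip()))
        else:
            findings.append(f"tag without '=': {part!r}")
    if not tags or tags[0] != ("v", "DMARC1"):
        findings.append("record must begin with v=DMARC1")
    tag = dict(tags)
    if tag.get("p", "").lower() not in POLICIES:
        findings.append("p= must be none, quarantine or reject")
    pct = tag.get("pct", "100")
    if not (pct.isascii() and pct.isdigit() and int(pct) <= 100):
        findings.append("pct= must be an integer from 0 to 100")
    if not tag.get("rua"):
        findings.append("no rua= address: no aggregate reports will be sent")
    domain = domain.lower().rstrip(".")
    for uri in filter(None, (u.strip() for u in tag.get("rua", "").split(","))):
        m = MAILTO.fullmatch(uri)
        if not m:
            findings.append(f"malformed rua address: {uri!r}")
            continue
        host = m.group(1).lower()
        # Simplification: a real receiver compares organizational domains, not suffixes.
        if host != domain and not host.endswith("." + domain):
            findings.append(f"external rua: {host} must publish a TXT record "
                            f"v=DMARC1 at {domain}._report._dmarc.{host}")
    return findings

# Constructed sample values (acme.com is the article's example; reports.example is made up).
if __name__ == "__main__":
    for sample in ('"v=DMARC1; p=none; rua=mailto:dmarc@acme.com; pct=100"',
                   "v=DMARC1; p=none; rua=mailto:<your-address>; pct=100",
                   "p=none; v=DMARC1; rua=mailto:abc123@reports.example"):
        print(sample, "->", check_dmarc("acme.com", sample) or "ok")
```

An "external rua" finding is not an error in your record: it names the record the report destination has to publish, which a hosted reporting service normally does for you.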
