Configuring DMARC

This guide explains how to set up DMARC for your domain and configure MailSentinel to receive reports.

Understanding DMARC

DMARC (Domain-based Message Authentication, Reporting & Conformance) tells receiving mail servers:

How to authenticate emails from your domain
What to do with emails that fail authentication
Where to send authentication reports

DMARC Record Structure

A DMARC record is a TXT record published at _dmarc.yourdomain.com:

v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com; ruf=mailto:forensic@yourdomain.com

Key Components

Tag	Required	Description	Values
`v`	Yes	Version	Always `DMARC1`
`p`	Yes	Policy	`none`, `quarantine`, `reject`
`rua`	No	Aggregate report address	`mailto:email@domain.com`
`ruf`	No	Forensic report address	`mailto:email@domain.com`
`adkim`	No	DKIM alignment	`r` (relaxed), `s` (strict)
`aspf`	No	SPF alignment	`r` (relaxed), `s` (strict)
`pct`	No	Policy percentage	`0-100`

Step 1: Choose Your Initial Policy

We recommend starting with p=none (monitoring mode):

v=DMARC1; p=none; rua=mailto:your-dmarc-address@mailsentinel.io

Policy Progression

Stage	Policy	Duration	Goal
1	`p=none`	2-4 weeks	Gather data, identify senders
2	`p=quarantine; pct=10`	1-2 weeks	Test enforcement
3	`p=quarantine; pct=50`	1-2 weeks	Increase coverage
4	`p=quarantine`	1-2 weeks	Full quarantine
5	`p=reject`	Ongoing	Full protection

Step 2: Get Your MailSentinel Report Address

Go to Settings > DMARC Configuration
Copy your unique report address:

your-org-id@reports.mailsentinel.io

Step 3: Create Your DMARC Record

Starter Record (Monitoring Only)

v=DMARC1; p=none; rua=mailto:your-org-id@reports.mailsentinel.io

Intermediate Record (Quarantine)

v=DMARC1; p=quarantine; pct=25; rua=mailto:your-org-id@reports.mailsentinel.io; adkim=r; aspf=r

Full Protection Record

v=DMARC1; p=reject; rua=mailto:your-org-id@reports.mailsentinel.io; ruf=mailto:your-org-id@forensic.mailsentinel.io; adkim=s; aspf=s

Step 4: Publish the Record

Add a TXT record to your DNS:

Field	Value
Type	TXT
Host	`_dmarc`
Value	Your DMARC record
TTL	3600 (1 hour)

Step 5: Verify in MailSentinel

Go to your domain in MailSentinel
Click Check DNS
Verify the DMARC record is detected

Receiving Reports

After publishing your DMARC record:

Aggregate Reports (RUA) - Sent daily by receiving mail servers
Forensic Reports (RUF) - Sent for individual failures (if enabled)

Reports typically start arriving within 24-48 hours.

Common Mistakes to Avoid

1. Jumping to Reject

Never start with p=reject. You may block legitimate emails from services you forgot to configure.

2. Missing Report Address

Without rua, you won't receive reports. Always include a report address.

3. Wrong Record Location

The record must be at _dmarc.yourdomain.com, not the root domain.

4. Multiple DMARC Records

Only one DMARC record should exist. Multiple records cause unpredictable behavior.

Monitoring Your Progress

MailSentinel tracks your DMARC journey:

Pass Rate - Percentage of emails passing authentication
Source Analysis - Who is sending email as your domain
Alignment Issues - SPF/DKIM alignment problems
Policy Readiness - When you're ready to increase enforcement

DMARC Policy Progression Timeline

Week 1-2: Monitoring Phase

Policy: p=none Goal: Gather data, identify all sending sources

Actions:

Publish DMARC record with p=none
Monitor reports daily
Identify all legitimate senders
Fix authentication issues
Document all sources

Week 3-4: Testing Phase

Policy: p=quarantine; pct=10 Goal: Test enforcement on small percentage

Actions:

Update DMARC to quarantine 10%
Monitor for issues
Verify legitimate emails still deliver
Fix any problems
Gradually increase percentage

Week 5-6: Gradual Increase

Policy: p=quarantine; pct=50 Goal: Increase enforcement coverage

Actions:

Update to 50% quarantine
Continue monitoring
Ensure all sources authenticated
Prepare for full quarantine

Week 7-8: Full Quarantine

Policy: p=quarantine Goal: Full quarantine enforcement

Actions:

Remove percentage, quarantine all failures
Monitor closely for first week
Verify no legitimate emails affected
Prepare for reject policy

Week 9+: Full Protection

Policy: p=reject Goal: Maximum protection against spoofing

Actions:

Update to p=reject
Monitor for any issues
Maintain ongoing monitoring
Review reports regularly

DMARC Alignment Explained

SPF Alignment

SPF aligns when the envelope sender domain matches the From: domain:

Relaxed (r):

Envelope: bounce@mail.yourdomain.com
From: user@yourdomain.com
✅ Aligns (subdomain OK)

Strict (s):

Envelope: bounce@yourdomain.com
From: user@yourdomain.com
✅ Aligns (exact match)

DKIM Alignment

DKIM aligns when the signing domain matches the From: domain:

Relaxed (r):

DKIM d=: mail.yourdomain.com
From: user@yourdomain.com
✅ Aligns (subdomain OK)

Strict (s):

DKIM d=: yourdomain.com
From: user@yourdomain.com
✅ Aligns (exact match)

Alignment Tags

adkim=r - Relaxed DKIM alignment (default)
adkim=s - Strict DKIM alignment
aspf=r - Relaxed SPF alignment (default)
aspf=s - Strict SPF alignment

DMARC Report Analysis

Understanding Report Data

Key Metrics:

Pass Rate - Percentage passing DMARC
Volume - Total emails reported
Sources - Unique sending IPs
Failures - Emails failing authentication

Failure Reasons:

SPF fail - IP not authorized
DKIM fail - Invalid or missing signature
Alignment fail - Domain mismatch
Both fail - Complete authentication failure

Using MailSentinel Reports

MailSentinel automatically:

Parses XML reports
Extracts key metrics
Identifies sending sources
Highlights failures
Provides remediation guidance

Next Steps

Understanding DMARC Reports - Learn to interpret your data
SPF Configuration - Set up SPF for your domain
DKIM Setup - Configure DKIM signing
Email Delivery Troubleshooting - Fix delivery issues
Google Workspace Setup - Complete Google setup
Microsoft 365 Setup - Complete Microsoft setup