DMARC lets you tell receiving mail servers what to do when they get a message that doesn't pass SPF or DKIM authentication checks, such as rejecting, quarantining, or delivering the message. You can also get reports that help you identify possible authentication issues and malicious activity for messages sent from your domain. Set up DMARC by adding a DMARC DNS TXT record (DMARC record) to your domain.
A DMARC record is a line of text that you add to your domain, following your domain provider's instructions. The line of text uses special syntax and lists all the servers that send email for your domain. Here's an example DMARC record:
v=DMARC1; p=reject; rua=mailto:[email protected], mailto:[email protected]; pct=100; adkim=s; aspf=s
DMARC helps protect users from forged email messages, and lets you manage messages that don't pass SPF or DKIM.
Before you begin
- You must turn on SPF and/or DKIM for your domain before you can use DMARC. If you haven't set up SPF and/or DKIM, go to Help prevent spoofing, phishing, and spam.
- If you don't set up SPF and/or DKIM before enabling DMARC, messages sent from your domain will probably have delivery issues.
- Allow 48 hours after setting up SPF and/or DKIM before setting up DMARC.
- To check if DMARC is already set up for your domain, use one of many free tools available on the internet. If DMARC is already set up, you should review your DMARC reports to check that DMARC is effectively authenticating messages and they are being delivered as expected.
- You don't need to do anything in your Google Admin console to set up DMARC. Instead, determine your DMARC record by following the instructions on this page. Then, log into your domain host and add the DMARC record, following the domain host DMARC instructions.
Step 1: Set up a group or mailbox for reports
The number of DMARC reports you receive by email can vary, and depends on how much email your domain sends and how many domains you send to. You can receive many reports every day. Large organizations might get up to hundreds or even thousands of reports daily. Google recommends that you create a group or a dedicated mailbox to receive and manage DMARC reports.
Important: Typically, the email address for reports is in the same domain as the domain that hosts your DMARC record. If the email address has a different domain, you must add a DNS record at the other domain. See Send reports to an email address in a different domain on the DMARC reports page.
Step 2: Make sure third-party email is authenticated
If you use a third-party service to send mail for your organization, you must make sure that messages sent by third-party services are authenticated and pass SPF and DKIM checks:
- Contact your third-party provider to make sure SPF and DKIM are correctly set up.
- Make sure the provider's envelope sender domain matches your domain. Add the IP address of the provider's sending mail servers to the SPF record for your domain.
- Route outgoing mail from the provider through Google using the SMTP relay service setting.
Step 3: Determine your DMARC record
Your DMARC policy is defined in a line of text values called a DMARC record. This record defines:
- How strictly DMARC should check messages
- Recommended actions for the receiving server, when it gets messages that fail authentication checks
Example of a DMARC record (replace example.com with your domain):
v=DMARC1; p=reject; rua=mailto:[email protected], mailto:[email protected]; pct=100; adkim=s; aspf=s
The v and p tags must be listed first. Other tags can be listed in any order.
When you start using DMARC, we recommend setting the policy option (p) to none. As you learn how messages from your domain are authenticated by receiving servers, update your policy. Over time, change the receiver policy to quarantine (or reject). See Recommended DMARC rollout.
DMARC record tag definitions and values
Tag | Description and values |
v | (Required) DMARC version. Must be DMARC1. |
p | (Required) Instructs the receiving mail server what to do with messages that don't pass authentication. BIMI note: If your domain uses BIMI, the DMARC p option must be set to quarantine or reject. BIMI doesn't support DMARC policies with the p option set to none. |
pct | The pct tag is optional but Google recommends you include it in your DMARC record when rolling out DMARC so that you can manage the percentage of email that your DMARC policy applies to. Specifies the percent of unauthenticated messages that are subject to the DMARC policy. When you gradually deploy DMARC, you might start with a small percentage of your messages. As more messages from your domain pass authentication with receiving servers, update your record with a higher percentage, until you reach 100 percent. Must be a whole number from 1 to 100. If you don't use this option in the record, your DMARC policy applies to 100% of messages sent from your domain. BIMI note: If your domain uses BIMI, your DMARC policy must have a pct value of 100. BIMI doesn't support DMARC policies with the pct value set to less than 100. |
rua | The rua tag is optional but Google recommends you always include it in your DMARC record. Send DMARC reports to an email address. The email address must include mailto:. |
ruf | (Not supported) Gmail doesn't support the ruf tag, which is used to send failure reports. Failure reports are also called forensic reports. |
sp | (Optional) Sets the policy for messages from subdomains of your primary domain. Use this option if you want to use a different DMARC policy for your subdomains. If you don't use this option in the record, subdomains inherit the DMARC policy set for the parent domain. |
adkim | (Optional) Sets the alignment policy for DKIM, which defines how strictly message information must match DKIM signatures. Learn how alignment works (later on this page). |
aspf | (Optional) Sets the alignment policy for SPF, which specifies how strictly message information must match SPF signatures. Learn how alignment works (later on this page). |
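The rules in this step can be checked before a record is published. The linter below is an added example, not part of the original page or a Google tool; the function names and the reporting address in the sample record are constructed for illustration, and the r/s values for adkim and aspf are the relaxed/strict codes from RFC 7489.

```python
# Constructed sample record; the reporting address is a placeholder.
SAMPLE = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com; pct=100; adkim=s; aspf=s"

def parse_dmarc(record):
    """Split a DMARC TXT value into an ordered list of (tag, value) pairs."""
    pairs = []
    for part in record.strip().split(";"):
        if not part.strip():
            continue
        tag, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part.strip()!r}")
        pairs.append((tag.strip().lower(), value.strip()))
    return pairs

def lint_dmarc(record, bimi=False):
    """Return a list of problems; an empty list means every check passed."""
    try:
        pairs = parse_dmarc(record)
    except ValueError as exc:
        return [str(exc)]
    tags = dict(pairs)
    problems = []
    if not pairs or pairs[0] != ("v", "DMARC1"):
        problems.append("v=DMARC1 must be the first tag")
    if len(pairs) < 2 or pairs[1][0] != "p":
        problems.append("p must be the second tag")
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        problems.append("p must be none, quarantine, or reject")
    pct_raw = tags.get("pct", "100")  # an omitted pct means 100 percent
    pct = int(pct_raw) if pct_raw.isascii() and pct_raw.isdigit() else 0
    if not 1 <= pct <= 100:
        problems.append("pct must be a whole number from 1 to 100")
    uris = [u.strip() for u in tags.get("rua", "").split(",") if u.strip()]
    if not uris:
        problems.append("rua not set: Google recommends always including it")
    for uri in uris:
        if not uri.lower().startswith("mailto:"):
            problems.append(f"rua address must include mailto: {uri!r}")
    if "ruf" in tags:
        problems.append("ruf is set, but Gmail does not support failure reports")
    for tag in ("adkim", "aspf"):
        if tags.get(tag, "r").lower() not in ("r", "s"):
            problems.append(f"{tag} must be r (relaxed) or s (strict)")
    if bimi and (policy == "none" or pct != 100):
        problems.append("BIMI needs p=quarantine or reject and pct=100")
    return problems
```

A record pasted with a sentence-ending period after the last tag is reported as an invalid aspf value, which is a common copy-and-paste failure.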
DMARC alignment
DMARC passes or fails a message based on how closely the domain in the From: header matches the sending domain specified by either SPF or DKIM. This is called alignment.
You can choose from two alignment modes: strict or relaxed. You set the alignment mode for SPF and DKIM in the DMARC record using the aspf and adkim DMARC record tags.
In certain cases, Google recommends that you consider changing to strict alignment for increased protection against spoofing:
- Mail is sent for your domain from a subdomain outside your control.
- You have subdomains that are managed by another entity.
To pass DMARC, a message must pass at least one of these checks:
- SPF authentication and SPF alignment
- DKIM authentication and DKIM alignment
A message fails the DMARC check if the message fails both:
- SPF (or SPF alignment)
- DKIM (or DKIM alignment)
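The pass/fail logic above, worked through as an added example (not code from the original page). The message dictionaries are constructed, and org_domain is a simplifying assumption: real receivers find the organizational domain with the Public Suffix List, and a message can carry several DKIM signatures.

```python
def org_domain(domain):
    """Assumption: the organizational domain is the last two labels.
    This is wrong for suffixes such as co.uk; receivers use the
    Public Suffix List instead."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def aligned(from_domain, auth_domain, mode):
    """Strict ('s') needs an exact match with the From: domain.
    Relaxed ('r') needs the same organizational domain."""
    a = from_domain.lower().rstrip(".")
    b = auth_domain.lower().rstrip(".")
    if mode == "s":
        return a == b
    return org_domain(a) == org_domain(b)

def dmarc_result(msg, aspf="r", adkim="r"):
    """Pass if SPF passes and aligns, or DKIM passes and aligns."""
    spf_ok = msg["spf"] == "pass" and aligned(msg["from"], msg["mail_from"], aspf)
    dkim_ok = msg["dkim"] == "pass" and aligned(msg["from"], msg["dkim_d"], adkim)
    return "pass" if spf_ok or dkim_ok else "fail"

# Constructed messages. "from" is the From: header domain, "mail_from"
# the envelope sender domain checked by SPF, "dkim_d" the signing domain.
THIRD_PARTY = {"from": "example.com", "mail_from": "bounce.mailer.example.net",
               "spf": "pass", "dkim": "pass", "dkim_d": "example.com"}
SUBDOMAIN = {"from": "example.com", "mail_from": "news.example.com",
             "spf": "pass", "dkim": "pass", "dkim_d": "news.example.com"}
UNALIGNED = {"from": "example.com", "mail_from": "mail.example.net",
             "spf": "pass", "dkim": "pass", "dkim_d": "example.net"}
```

SUBDOMAIN passes under relaxed alignment and fails when both aspf and adkim are s, which is the effect strict mode has on mail sent from subdomains. UNALIGNED fails in either mode even though SPF and DKIM both authenticate, because neither result is for the From: domain.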
Step 4: Add your DMARC record to your domain
Important: Use your domain host's DMARC help documentation for this step. Steps for adding a DMARC record vary, depending on the domain host.
Add or update your record
Important: Make sure you set up DKIM and SPF before setting up DMARC. DKIM and SPF should be authenticating messages for at least 48 hours before turning on DMARC.
- Have the text file or line for your DMARC record ready.
- Sign in to your domain host, typically where you purchased your domain name. If you're not sure who your domain host is, see identify your domain registrar.
- Go to the page where you update DNS TXT records for your domain. For help finding this page, check the documentation for your domain.
- Add or update the TXT record with this information (refer to the documentation for your domain):
Field name | Value to enter |
Type | The record type is TXT. |
Host (Name, Hostname, Alias) | This value should be _dmarc.example.com (replace example.com with your domain name). |
Value | The string that makes up the TXT record. For example: v=DMARC1; p=none; rua=mailto:[email protected], mailto:[email protected]; pct=100; adkim=s; aspf=s. For details, see Determine your DMARC record (earlier on this page). |
Note: Some domain hosts automatically add the domain name. After you add or update the TXT record, verify the domain name in the DMARC record to make sure it's formatted correctly.
- Save your changes.
- If you are setting up DMARC for more than one domain, complete these steps for each domain. Each domain can have a different policy and different report options, as defined in the record.
- To verify that DMARC is set up for your domain, use one of the many free tools available on the internet.
Related topics
- Troubleshoot DMARC issues
- Recommended DMARC rollout
- Turn off DMARC
- About DMARC reports
- About TXT records
- DMARC RFC 7489