← All articles

Deploying DMARC step by step

GottaPhish Team · April 15, 2026

Deploying DMARC is less about writing one DNS record and more about running a controlled rollout: start in monitoring mode, discover every legitimate sender, fix alignment, then progressively enforce. Rushed enforcement is the number-one cause of dropped legitimate mail, so treat this as a staged migration.

Prerequisites

DMARC builds on SPF and DKIM, so confirm both are in place first:

Verify a real message currently passes both and aligns with your From: domain before you touch DMARC.

Step 1 — Publish a monitoring record

Start at p=none. This changes nothing about delivery; it only requests reports.

_dmarc.example.com.  IN  TXT
  "v=DMARC1; p=none; rua=mailto:dmarc@example.com; ruf=mailto:dmarc@example.com; fo=1"

If reports go to a different domain, add an authorization record there:

example.com._report._dmarc.reports-vendor.net. IN TXT "v=DMARC1"

Step 2 — Read the aggregate reports

Aggregate reports are XML, one per receiver per day, keyed by source IP:

<record>
  <row>
    <source_ip>198.51.100.10</source_ip>
    <count>42</count>
    <policy_evaluated><dkim>pass</dkim><spf>fail</spf></policy_evaluated>
  </row>
  <identifiers><header_from>example.com</header_from></identifiers>
</record>

Raw XML is painful at scale — feed it into a DMARC analytics tool. Build an inventory of every sending IP: marketing platform, ticketing system, HR tool, invoicing, help desk, your own MTAs. For each, confirm whether it passes SPF and/or DKIM and aligns.

Step 3 — Fix the legitimate senders

For every source that fails alignment:

Iterate until aggregate reports show ~100% of legitimate volume passing and aligned. This phase can take several weeks for a large organization.

Step 4 — Quarantine with a ramp

Move to quarantine, but roll it out gradually using pct:

"v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example.com; adkim=s; aspf=s"

pct=25 applies the policy to a random quarter of failing mail; the rest still gets none treatment. Increase 25 → 50 → 100 over successive weeks, watching reports for any legitimate sender you missed.

Step 5 — Enforce reject

Once quarantine at pct=100 is clean, move to full enforcement:

"v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s"

Don't forget subdomains. Set an explicit subdomain policy so a spoofer can't abuse an unused one:

"v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.com"

Alignment mode: strict vs relaxed

Relaxed is usually correct; use strict only when you fully control every subdomain sender.

The whole point of DMARC is p=reject with high coverage. A domain left at p=none forever is monitored but still spoofable — reporting is a means, enforcement is the goal.

Ongoing operations

How GottaPhish helps

Reaching p=reject stops exact-domain spoofing, but attackers respond with look-alike domains and display-name lures that DMARC can't block. GottaPhish and its expert support team help you close that residual gap: realistic simulations against precisely those vectors — cousin domains, mis-aligned senders — plus dashboards that map each attack to the users who fell for it. Our experts assist with setup, design scenarios that match your enforcement stage, and help you interpret the results so your DMARC rollout is paired with the awareness training that closes the human gap.