How to create a DMARC record and roll it out safely

A practical guide to generating, publishing, and gradually rolling out DMARC. Covers the three policy levels, what the tags mean, and how to avoid blocking legitimate email.

Why DMARC matters

DMARC is now required by Gmail and Yahoo for bulk senders. Without it, your emails are more likely to land in spam. With a proper DMARC policy in place, you protect your domain from spoofing and phishing, and you give receiving servers a clear instruction for what to do with emails that fail authentication.

Understanding the DMARC tags

A DMARC record is a TXT record added at _dmarc.yourdomain.com. Each tag controls a specific behaviour:

p — the policy (none, quarantine, reject). This is the most important tag.

pct — the percentage of messages the policy applies to. Defaults to 100. Setting pct=10 means only 10% of failing messages get the policy applied — useful for gradual rollout.

rua — the email address for aggregate reports. These reports summarise which servers are sending email from your domain and whether they pass authentication. Essential for monitoring.

ruf — the email address for forensic reports. These are individual reports for each failing message. Less commonly used due to privacy concerns.

sp — subdomain policy. Controls what happens to email from subdomains. Defaults to the same as p.

Step 1 — Start with p=none

Never start at p=reject. If any of your legitimate sending sources are not correctly authenticated, those emails will be rejected immediately, causing real delivery failures.

Begin with: v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com

This tells receiving servers to deliver all email normally but send aggregate reports to your reporting address. Review these reports over two to four weeks to identify every server sending email from your domain.

Step 2 — Fix authentication gaps

The reports will show you every IP address and sending service that sends email using your domain. For each legitimate sender, confirm they are included in your SPF record and are signing with DKIM. Fix any gaps before moving to the next policy level.

Step 3 — Move to quarantine gradually

Once you are satisfied that legitimate email is authenticating correctly, move to: v=DMARC1; p=quarantine; pct=10; rua=mailto:dmarc-reports@yourdomain.com

This applies the quarantine policy to 10% of failing messages. Monitor the reports. Increase pct over several weeks — 10%, 25%, 50%, 100%.

Step 4 — Move to reject

Once you are at p=quarantine with pct=100 and no legitimate email is failing, move to: v=DMARC1; p=reject; rua=mailto:dmarc-reports@yourdomain.com

This is the final goal. Failing emails are rejected at the server level, giving you the strongest protection against phishing and spoofing.

Publishing the record

In your DNS provider, add a TXT record:

  • Name: _dmarc (or _dmarc.yourdomain.com depending on your provider)
  • Value: your generated DMARC record
  • TTL: 3600

Verify it is live using the BounceProtect DMARC Checker at bounceprotect.com/tools/dmarc-checker.

Common mistakes

The biggest mistake is going straight to p=reject without monitoring first. A close second is setting p=quarantine with pct=100 before confirming all legitimate senders authenticate correctly. Take the gradual approach. It takes a few weeks longer but avoids disrupting real email.
