The Complete Guide to DMARC Compliance in 2026

Celeric Team

What Is DMARC and Why Does It Matter?

DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an email authentication protocol that protects your domain from unauthorized use. It builds on SPF and DKIM to give domain owners control over how receiving mail servers handle unauthenticated messages.

As of 2024, Google, Yahoo, and Microsoft all require DMARC for bulk senders. If you send more than 5,000 emails per day, you must have a DMARC record or risk having your emails rejected outright.

Even if you're a small sender, DMARC protects your domain from being spoofed by phishers and spammers, which can damage your reputation and deliverability.

The Three Pillars: SPF, DKIM, and DMARC

SPF (Sender Policy Framework)

SPF tells receiving servers which IP addresses are authorized to send email for your domain. It's a TXT record in your DNS.

Example SPF record:

v=spf1 include:_spf.google.com ~all

This says "only Google's servers can send email for my domain; soft-fail everything else."

Common mistakes:

  • Having multiple SPF records (only one is allowed)
  • Exceeding the 10 DNS lookup limit
  • Using +all instead of ~all or -all
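
The three mistakes above can be checked mechanically. The following linter is an added example, not code from the original article; the zone contents, domain names and function names are constructed for illustration, and a dictionary stands in for live DNS queries.

```python
import re

# Constructed sample zone (name -> TXT strings); stands in for live DNS queries.
ZONE = {
    "example.test": ["v=spf1 a mx include:_spf.a.test include:_spf.b.test +all"],
    "_spf.a.test": ["v=spf1 include:_net1.a.test include:_net2.a.test mx ~all"],
    "_net1.a.test": ["v=spf1 ip4:192.0.2.0/24 ~all"],
    "_net2.a.test": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "_spf.b.test": ["v=spf1 a mx exists:%{i}.bl.b.test ptr -all"],
    "dup.test": ["v=spf1 -all", "v=spf1 include:_spf.a.test -all"],
}

# Terms that each cost one DNS lookup toward the limit of 10 (RFC 7208, 4.6.4).
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists)([:/]|$)|^redirect=", re.I)
FOLLOW_TERM = re.compile(r"^[+\-~?]?include:(.+)$|^redirect=(.+)$", re.I)
# "all" with the "+" qualifier, or with no qualifier (which defaults to "+").
PASS_ALL = re.compile(r"(^|\s)\+?all(\s|$)", re.I)

def spf_records(name, zone):
    """Return the TXT strings at `name` that are SPF records."""
    return [t for t in zone.get(name, []) if t.lower().split()[:1] == ["v=spf1"]]

def count_lookups(name, zone, path=()):
    """Count lookup-consuming terms, following include: and redirect= targets."""
    if name in path:  # include loop: stop instead of recursing forever
        return 0
    total = 0
    for record in spf_records(name, zone)[:1]:
        for term in record.split()[1:]:
            if LOOKUP_TERM.match(term):
                total += 1
                target = FOLLOW_TERM.match(term)
                if target:
                    nested = target.group(1) or target.group(2)
                    total += count_lookups(nested, zone, path + (name,))
    return total

def lint_spf(name, zone):
    """Report the mistakes from the list above for one domain."""
    records = spf_records(name, zone)
    findings = []
    if len(records) > 1:
        findings.append("multiple SPF records")
    if any(PASS_ALL.search(r) for r in records):
        findings.append("+all authorizes every sender")
    if count_lookups(name, zone) > 10:
        findings.append("more than 10 DNS lookups")
    return findings
```

Nested includes are what usually push a record over the limit: the top-level record for example.test has only four lookup terms, but its includes bring the total to 11.
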

DKIM (DomainKeys Identified Mail)

DKIM adds a digital signature to your outgoing emails. The receiving server verifies this signature against a public key published in your DNS.

DKIM is typically configured through your email provider (Google Workspace, Microsoft 365, etc.). The provider generates a key pair and tells you what DNS record to add.

DMARC (Domain-based Message Authentication)

DMARC ties SPF and DKIM together. It tells receiving servers what to do when an email fails authentication:

  • p=none: Monitor only (reports sent to you, no action taken)
  • p=quarantine: Send failing emails to spam
  • p=reject: Block failing emails entirely

Example DMARC record:

v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com; pct=100

Step-by-Step DMARC Setup

Step 1: Check Your Current Status

Use our free DMARC checker to see where you stand. It analyzes your SPF, DKIM, DMARC, MX records, blacklist status, and DNS configuration in seconds.

Step 2: Set Up SPF

If you don't have an SPF record, add one as a TXT record:

  • Log into your DNS provider (GoDaddy, Cloudflare, Namecheap, etc.)
  • Add a TXT record for your root domain
  • Set the value based on your email provider:
      - Google Workspace: v=spf1 include:_spf.google.com ~all
      - Microsoft 365: v=spf1 include:spf.protection.outlook.com ~all
      - Multiple providers: v=spf1 include:_spf.google.com include:spf.protection.outlook.com ~all

Step 3: Enable DKIM

  • Go to your email provider's admin panel
  • Find the DKIM or "Email authentication" settings
  • Generate a DKIM key
  • Add the provided DNS record (usually a CNAME or TXT record)
  • Activate DKIM signing

Step 4: Add a DMARC Record

Start with monitoring mode:

  • Add a TXT record for _dmarc.yourdomain.com
  • Set the value to: v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com; pct=100
  • Wait 2-4 weeks and review the aggregate reports

Step 5: Enforce Your Policy

After confirming all legitimate senders pass authentication:

  • Upgrade to quarantine: v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com; pct=100
  • Monitor for 2-4 weeks
  • Move to reject: v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com; pct=100
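
Confirming that legitimate senders pass before enforcing means reading the aggregate reports collected during the monitoring period. The sketch below is an added example, not part of the original article: it tallies DMARC pass/fail per source IP from a report in the RFC 7489 Appendix C layout and lists the senders that would be blocked. The report contents, IP addresses and function names are constructed, and it assumes the report XML carries no namespace.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

def _row(ip, count, dkim, spf):
    """Build one <record> element for the constructed sample report."""
    return (f"<record><row><source_ip>{ip}</source_ip><count>{count}</count>"
            f"<policy_evaluated><disposition>none</disposition><dkim>{dkim}</dkim>"
            f"<spf>{spf}</spf></policy_evaluated></row></record>")

# Constructed report in the RFC 7489 Appendix C layout; all values are sample data.
REPORT = ("<feedback><policy_published><domain>example.test</domain><p>none</p>"
          "</policy_published>"
          + _row("192.0.2.10", 120, "pass", "pass")    # mail provider, fully aligned
          + _row("192.0.2.10", 5, "fail", "pass")      # passes on aligned SPF alone
          + _row("198.51.100.7", 40, "fail", "fail")   # own tool, not yet authorized
          + _row("203.0.113.99", 300, "fail", "fail")  # unrecognized source
          + "</feedback>")

def summarize(xml_text):
    """Tally messages per source IP; DMARC passes if aligned DKIM or SPF passes."""
    # Reports come from outside parties: refuse DTDs and entity declarations.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("unexpected DTD or entity declaration in report")
    stats = defaultdict(lambda: {"pass": 0, "fail": 0})
    for row in ET.fromstring(xml_text).iter("row"):
        evaluated = row.find("policy_evaluated")
        passed = "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf"))
        stats[row.findtext("source_ip")]["pass" if passed else "fail"] += int(row.findtext("count"))
    return dict(stats)

def ready_to_enforce(stats, known_senders):
    """Return (ready, blockers, unknown): blockers are known senders with failures."""
    failing = sorted(ip for ip, s in stats.items() if s["fail"])
    blockers = [ip for ip in failing if ip in known_senders]
    unknown = [ip for ip in failing if ip not in known_senders]
    return (not blockers, blockers, unknown)
```

Failing sources outside `known_senders` are the mail that quarantine or reject is meant to stop, so they do not hold up enforcement; failing known senders do.
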

Google/Yahoo/Microsoft Requirements

Google (Gmail)

  • SPF or DKIM required for all senders
  • DMARC required for senders of 5,000+ messages/day
  • One-click unsubscribe required for marketing emails
  • Spam complaint rate must be below 0.3%

Yahoo

  • SPF and DKIM authentication required
  • DMARC record with at least p=none
  • Enforcing alignment between SPF/DKIM and the From header

Microsoft (Outlook)

  • Strengthening authentication requirements
  • DMARC compliance increasingly expected
  • Non-compliant senders see reduced deliverability

Common Mistakes to Avoid

  • Jumping straight to p=reject — Start with p=none and monitor first
  • Forgetting about third-party senders — CRMs, marketing tools, and transactional email services all need to be in your SPF record
  • Multiple SPF records — You can only have one; combine all includes into a single record
  • Not monitoring DMARC reports — The rua reports show you who's sending email as your domain
  • Ignoring subdomain policy — Set sp=reject if you don't send email from subdomains
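
Several of these mistakes are visible in the DMARC record itself. The checker below is an added example, not code from the original article; the function names and finding labels are made up for illustration, and the subdomain check assumes the domain sends no mail from subdomains.

```python
POLICIES = ("none", "quarantine", "reject")

def parse_dmarc(txt):
    """Split 'tag=value; tag=value' into a dict; v=DMARC1 must be the first tag."""
    pairs = [p.strip() for p in txt.split(";") if p.strip()]
    if not pairs or pairs[0].replace(" ", "") != "v=DMARC1":
        raise ValueError("record must start with v=DMARC1")
    tags = {}
    for pair in pairs:
        tag, sep, value = pair.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {pair!r}")
        tags[tag.strip().lower()] = value.strip()
    if tags.get("p", "").lower() not in POLICIES:
        raise ValueError("p= must be none, quarantine or reject")
    return tags

def effective_policy(tags, subdomain=False):
    """sp= covers subdomains and falls back to p= when absent; pct defaults to 100."""
    policy = tags.get("sp", tags["p"]) if subdomain else tags["p"]
    return policy.lower(), int(tags.get("pct", "100"))

def lint_dmarc(txt):
    """Return labels for the record-level mistakes described in the list above."""
    tags = parse_dmarc(txt)
    findings = []
    if effective_policy(tags)[0] == "none":
        findings.append("monitor-only")             # nothing is blocked yet
    if "rua" not in tags:
        findings.append("no-rua")                   # no aggregate reports to review
    # Assumption: no mail is sent from subdomains, so they should be rejected.
    if effective_policy(tags, subdomain=True)[0] != "reject":
        findings.append("subdomains-not-rejected")
    return findings
```
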

Ongoing Monitoring

DMARC compliance isn't set-and-forget. Your email infrastructure changes over time:

  • New marketing tools get added
  • Team members set up email forwarding
  • Third-party services start sending on your behalf

Set up continuous monitoring to catch issues before they affect your deliverability.

Free DMARC Checker

Not sure where you stand? Check your domain now — it's free, instant, and no signup required.
