What is DMARC?

Think of DMARC like a sign-off policy for your business email. Imagine you run a hair salon and send appointment reminders to customers. DMARC is the mechanism that tells Gmail, Outlook, and other email services: "Emails that say they're from my salon's address — here's how to verify they're genuine, and here's what to do if they're not."

The full name is Domain-based Message Authentication, Reporting and Conformance — but you don't need to remember that. What you do need to know is that it's a text record stored on your domain (the same place your website address points) and that every business sending email should have one.

DMARC works alongside two other settings called SPF and DKIM. SPF lists the servers that are allowed to send email on your behalf. DKIM adds a digital signature to your emails. DMARC ties the two together and tells receiving servers what to do when checks fail — either let the email through, send it to spam, or block it entirely.

In plain English: DMARC is a trust signal for your email. Without it, there's nothing to stop someone from sending an email that looks like it came from you — and no guarantee your real emails will reach the inbox.

What happens if DMARC is missing or broken?

  • Your emails land in spam folders. Major email providers like Google and Microsoft now flag domains without DMARC as higher risk. Since 2024, Gmail and Yahoo require DMARC for bulk senders — and more providers are following suit.
  • Scammers can send emails pretending to be you. Without DMARC set to "quarantine" or "reject", there is nothing stopping a fraudster from sending emails using your domain name. This is called domain spoofing and it happens to small businesses every day.
  • Customers may never receive your quotes or booking confirmations. If your domain reputation suffers because of spoofed emails, all your outgoing messages — including legitimate ones — are more likely to be filtered out.
  • Your domain reputation suffers over time. Email providers track the reputation of sending domains. A domain associated with spam (even spam you didn't send) becomes increasingly hard to recover.
Real-world example: A plumber in Sheffield had no DMARC record. A scammer used his business domain to send fake invoice emails to his customers, asking them to update their bank details. Because there was no DMARC policy in place, those emails bypassed spam filters and looked completely legitimate. His customers lost money, and his business reputation was badly damaged.

How to check if your DMARC is set up correctly

You can check your DMARC record for free in under a minute using either of these tools:

A healthy DMARC result will show a record like v=DMARC1; p=reject; rua=mailto:.... If you get "No DMARC record found" or see p=none, there's work to do.

How to fix DMARC

The fix depends on who provides your email. Find the right section below — each one takes around 10–20 minutes to implement, and no technical skills are needed.

Google Workspace

If you use Google Workspace (Gmail for business)

  1. Sign in to your Google Admin console.
  2. Go to Apps → Google Workspace → Gmail → Authenticate email.
  3. Follow the instructions to set up DKIM — this generates a key you'll add to your domain's DNS records.
  4. Once DKIM is active, add a DMARC TXT record to your domain's DNS.

    Set the Host to:
    _dmarc Set the Value to:
    v=DMARC1; p=quarantine; rua=mailto:youremail@yourdomain.com
  5. Google's full guide is at support.google.com/a/answer/2466563.
Microsoft 365

If you use Microsoft 365 (Outlook for business)

  1. Sign in to the Microsoft 365 admin centre.
  2. Go to Settings → Domains and select your domain.
  3. Microsoft will guide you through setting up SPF and DKIM records in your domain's DNS.
  4. Once those are in place, add a new TXT record.

    Set the Host to:
    _dmarc Set the Value to:
    v=DMARC1; p=quarantine; rua=mailto:youremail@yourdomain.com
  5. Microsoft's documentation: DMARC setup in Microsoft 365.
Wix

If you use Wix

  1. Log in to your Wix account and go to Domains → Manage → DNS Records.
  2. Click Add Record and choose TXT.
  3. In the Host field, enter:
    _dmarc
  4. In the Value field, enter:
    v=DMARC1; p=quarantine; rua=mailto:youremail@yourdomain.com
  5. Save the record. Changes can take up to 48 hours to propagate.
WordPress / Hosting

If you use WordPress (via your hosting provider)

  1. Log in to your hosting control panel (cPanel, Plesk, or similar).
  2. Find the DNS Zone Editor or DNS Management section.
  3. Add a new TXT record.
  4. Set the Name/Host to:
    _dmarc Set the Value to:
    v=DMARC1; p=quarantine; rua=mailto:youremail@yourdomain.com
  5. Save and allow up to 48 hours for the change to take effect.
cPanel / Domain Registrar

General fix (cPanel or domain registrar)

If you manage your DNS directly through your domain registrar (GoDaddy, Namecheap, 123-reg, etc.), the process is the same regardless of provider:

  1. Log in to your domain registrar and find the DNS settings for your domain.
  2. Add a new TXT record.
  3. Set the Host field to:
    _dmarc
  4. Set the Value to:
    v=DMARC1; p=quarantine; rua=mailto:youremail@yourdomain.com
  5. Replace youremail@yourdomain.com with an email address you actually check — this is where DMARC reports will be sent.
Start with p=quarantine, not p=reject. Setting your policy to none first gives you visibility without changing how emails are handled. Move to quarantine once you're confident your SPF and DKIM are both correctly set up. Only move to reject after a few weeks of clean reports.

How to verify the fix worked

  1. Go to mxtoolbox.com/dmarc.aspx.
  2. Enter your domain name (e.g. mybusiness.co.uk) and click DMARC Lookup.
  3. A passing result will show a green "DMARC Record Found" message and display your full DMARC record.
  4. Check that the p= value is not none — it should be quarantine or reject for full protection.
  5. If you see "No DMARC record found", wait a couple of hours and try again — DNS changes can take time to propagate around the internet.

What DMARC settings mean — quick reference

Setting (p=) What it means Who it's for
none Monitor only — emails are not blocked or filtered, but reports are sent to your rua address. Useful for getting started without disrupting email flow. New to DMARC — gather data first
quarantine Suspicious emails (those that fail DMARC checks) are sent to the recipient's spam folder rather than the inbox. Legitimate emails from your domain are not affected. Most small businesses
reject Suspicious emails are blocked entirely at the mail server — they never reach the recipient at all. The strongest protection, but requires your SPF and DKIM to be fully correct first. Established domains with correct SPF and DKIM