How to Set Up DMARC: From p=none to p=reject (2026 Guide)
The complete step-by-step guide to setting up DMARC in 2026. Move from p=none monitoring through p=quarantine to p=reject enforcement — the prerequisite for BIMI logo display in Gmail and Apple Mail.
DMARC. Step by step.
DMARC (Domain-based Message Authentication, Reporting, and Conformance) is the non-negotiable prerequisite for BIMI. A domain with p=none will never display a logo in Gmail or Apple Mail, regardless of how perfectly the SVG file is configured. This guide covers the complete path from initial deployment to full enforcement.
Prerequisites
Before creating a DMARC record, confirm the following are already in place:
- SPF record — A TXT record at your apex domain specifying which mail servers are authorised to send on your behalf. Example:
v=spf1 include:_spf.google.com -all - DKIM record — A public key published in DNS that receiving servers use to verify your email signatures. Your email provider generates this.
- DNS access — Write access to your domain's DNS zone (Cloudflare, Route 53, GoDaddy, or your registrar's control panel).
DMARC requires at least one of SPF or DKIM to be correctly configured and aligned with the From: domain before it will function.
Step 1: Create a Monitoring Record (p=none)
Start with a monitoring-only policy. This records authentication failures without affecting mail delivery.
_dmarc.yourdomain.com IN TXT "v=DMARC1; p=none; rua=mailto:[email protected]; pct=100"
Tag reference:
| Tag | Required | Description |
|---|---|---|
| v=DMARC1 | Yes | Protocol version. Must be first. |
| p=none | Yes | Policy: monitor only, no action taken. |
| rua=mailto: | Recommended | Email address for aggregate reports. |
| pct=100 | Optional | Percentage of mail subject to policy (default: 100). |
Publish this record and wait 48–72 hours for DNS propagation.
Step 2: Read Your Aggregate Reports
Aggregate reports (RUA) arrive as XML attachments, typically once per day per sending source. They show:
- Which IP addresses sent mail claiming your domain
- Whether SPF and DKIM passed or failed
- How many messages were sent from each source
What to look for: Any legitimate sending service (your ESP, CRM, ticketing system, marketing platform) that is failing SPF or DKIM alignment must be fixed before you move to enforcement. Moving to p=reject with unresolved alignment failures will cause legitimate mail to be blocked.
Common sources that require separate DKIM/SPF configuration: Mailchimp, Salesforce, HubSpot, Zendesk, SendGrid, Google Workspace, Microsoft 365.
Step 3: Move to p=quarantine
Once all legitimate sending sources pass authentication, update the policy to quarantine failed messages:
_dmarc.yourdomain.com IN TXT "v=DMARC1; p=quarantine; rua=mailto:[email protected]; pct=25"
Start with pct=25 to apply the quarantine policy to only 25% of failing messages. Monitor for one to two weeks. If no legitimate mail is being quarantined, increase to pct=100.
Step 4: Move to p=reject
Full enforcement. Unauthenticated messages are rejected outright and never delivered.
_dmarc.yourdomain.com IN TXT "v=DMARC1; p=reject; rua=mailto:[email protected]; pct=100"
This is the minimum requirement for BIMI. Gmail and Apple Mail will not process your BIMI record unless your domain has p=quarantine or p=reject with pct=100. A policy of p=none is invisible to BIMI — the logo will never appear regardless of how correctly the rest of the setup is configured.
Why p=none Blocks BIMI
The BIMI specification requires mailbox providers to verify that the sending domain has an enforced DMARC policy before displaying the logo. The rationale: a logo is a trust signal. Displaying a logo for a domain that has not enforced anti-spoofing controls would allow attackers to display verified logos on phishing emails. p=none provides no enforcement, so providers refuse to honour the BIMI record.
Alignment: The Detail Most Guides Skip
DMARC passes only when the authenticated domain aligns with the From: header domain. There are two alignment modes:
- Relaxed (default): The organisational domain must match.
mail.example.comaligns withexample.com. - Strict: The exact domain must match.
mail.example.comdoes not align withexample.com.
For BIMI, use relaxed alignment (adkim=r; aspf=r) unless you have a specific reason for strict. Strict alignment causes failures for subdomains and third-party sending services.
Complete Record Reference
_dmarc.yourdomain.com IN TXT "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:[email protected]; pct=100"
| Tag | Value | Meaning |
|---|---|---|
| p=reject | Reject | Block unauthenticated mail |
| sp=reject | Reject | Apply same policy to subdomains |
| adkim=s | Strict | DKIM alignment must be exact |
| aspf=s | Strict | SPF alignment must be exact |
| rua= | Email | Aggregate report destination |
| pct=100 | 100% | Apply to all mail |
Next Steps
Once your domain reaches p=reject:
- Generate your BIMI SVG — Use makeBIMI™ to produce a W3C SVG Tiny P/S compliant logo file. Free, no account required.
- Run a DMARC audit — The makeBIMI Domain Audit tool verifies your DMARC, SPF, and BIMI record status in real time.
- Obtain a certificate — For Gmail logo display, a VMC or CMC is required. veriBIMI℠ brokers the full certificate process, including DMARC enforcement management, SVG preparation, and CA application.