How to Set Up DMARC for a Small Business (Step-by-Step Guide)
Setting up DMARC for a small business takes three steps. Publish SPF and DKIM records, add a DMARC record to your DNS starting at p=none to monitor, then tighten it to quarantine or reject once your reports look clean. It stops attackers from spoofing your exact domain.
You can set up DMARC for a small business in three steps. Publish SPF and DKIM records first, add a DMARC record to your DNS in monitoring mode, then move it to an enforcing policy once your reports confirm legitimate mail is passing. The whole process usually takes a few weeks, mostly spent watching reports.
DMARC stops attackers from sending email that appears to come from your exact domain. It is one of the most effective free protections a small business can add, and it does not require dedicated IT staff.
What DMARC Actually Does
DMARC tells receiving mail servers what to do with messages that claim to be from your domain but fail authentication checks. It builds on two existing standards, SPF and DKIM.
- SPF lists which servers are allowed to send mail for your domain.
- DKIM adds a cryptographic signature, checked against a public key published in your DNS, that proves a message was sent by a server holding your key and was not altered in transit.
- DMARC ties them together and lets you set a policy plus receive reports.
Without DMARC, anyone can put your domain in the "From" field and email your customers or staff. With an enforcing DMARC policy, those forged messages get rejected or sent to spam.
Step 1 — Set Up SPF and DKIM First
DMARC depends on SPF and DKIM, so confirm both are working before you touch DMARC.
- Publish an SPF record. Add a TXT record to your DNS listing your sending services. A generic example looks like v=spf1 include:_spf.yourprovider.com -all.
- Enable DKIM. Microsoft 365 and Google Workspace both generate DKIM keys in their admin console. Turn it on and publish the key they give you as a DNS record.
- Verify. Send a test email to a personal account and check the message headers for spf=pass and dkim=pass.
If you use other tools that send mail on your behalf, such as a newsletter platform or invoicing software, make sure they are included too.
Step 2 — Add Your DMARC Record in Monitoring Mode
Start with p=none. This is monitoring mode. It changes nothing about how your mail is delivered, but it tells you who is sending email using your domain.
Add a TXT record at _dmarc.yourdomain.com with a value like this generic example:
v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com
The rua tag is where aggregate reports get sent. Use an inbox you will actually read, or a free DMARC reporting service that turns the raw XML into readable summaries.
Leave this running for a few weeks. You are looking for any legitimate senders that are failing authentication so you can fix them before you start blocking.
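Reading the raw aggregate reports is the work of this monitoring phase. The script below is an added example, not code from the original guide or from CIVRA: it parses a constructed report in the standard DMARC aggregate (rua) XML format and lists which sending sources would fail once you enforce. Assumptions: the report uses the RFC 7489 aggregate schema, and the sample IPs and counts are made up.

```python
"""Summarize a DMARC aggregate (rua) report: which sources pass, which would fail."""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in the RFC 7489 aggregate-report format (not a real report).
# One known-good sender, one source failing both checks, and one with only SPF passing.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <policy_published><domain>yourdomain.com</domain><p>none</p><pct>100</pct></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
  </row><identifiers><header_from>yourdomain.com</header_from></identifiers></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>15</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
  </row><identifiers><header_from>yourdomain.com</header_from></identifiers></record>
  <record><row><source_ip>203.0.113.5</source_ip><count>3</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated>
  </row><identifiers><header_from>yourdomain.com</header_from></identifiers></record>
</feedback>"""

def published_policy(xml_text):
    """Return (p, pct) as the receiver saw it, so you can confirm your DNS change propagated."""
    pp = ET.fromstring(xml_text).find("policy_published")
    return pp.findtext("p"), int(pp.findtext("pct", default="100"))

def summarize_report(xml_text):
    """Per source IP: how many messages passed DMARC and how many failed."""
    totals = defaultdict(lambda: {"pass": 0, "fail": 0})
    for rec in ET.fromstring(xml_text).findall("record"):
        row = rec.find("row")
        pe = row.find("policy_evaluated")
        # DMARC passes if either aligned check passes; only a source failing both fails.
        aligned = pe.findtext("dkim") == "pass" or pe.findtext("spf") == "pass"
        totals[row.findtext("source_ip")]["pass" if aligned else "fail"] += int(row.findtext("count"))
    return dict(totals)

def failing_sources(summary):
    """Sources that would be quarantined or rejected once you enforce: fix or confirm each one."""
    return sorted(ip for ip, t in summary.items() if t["fail"] > 0)

if __name__ == "__main__":
    print("published policy:", published_policy(SAMPLE_REPORT))
    summary = summarize_report(SAMPLE_REPORT)
    for ip, t in summary.items():
        print(f"{ip:14} pass={t['pass']:4} fail={t['fail']:4}")
    print("investigate before enforcing:", failing_sources(summary))
```

Each IP in the failing list is either a legitimate service you forgot to add to SPF/DKIM or someone sending mail as you; check the former against your invoicing and newsletter tools before moving to quarantine.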
Step 3 — Move to Quarantine, Then Reject
Once your reports show your real mail passing cleanly, tighten the policy in two stages.
- Quarantine. Change to p=quarantine. Failing messages now go to spam instead of the inbox. Watch for a week or two.
- Reject. Change to p=reject. Failing messages are blocked outright. This is full protection.
You can also ramp up gradually using the pct tag, which applies the policy to a percentage of mail at a time. Move slowly. Rushing to reject before your reports are clean can send your own invoices and newsletters to spam.
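As an added example (not code from the original guide or from CIVRA), the helper below checks a DMARC TXT record for the mistakes that silently break this rollout, and steps a record one notch along the none to quarantine to reject ramp using the pct tag. Assumptions: the 25% intermediate step is this example's own choice, and dmarc@yourdomain.com is a placeholder address.

```python
"""Parse and validate a DMARC TXT record, and step it along the none -> quarantine -> reject ramp."""
import re

POLICIES = ("none", "quarantine", "reject")

def parse_dmarc(txt):
    """Split 'v=DMARC1; p=none; rua=mailto:...' into a tag -> value dict (order preserved)."""
    tags = {}
    for part in filter(None, (p.strip() for p in txt.split(";"))):
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        k, v = part.split("=", 1)
        tags[k.strip().lower()] = v.strip()
    return tags

def validate_dmarc(txt):
    """Return a list of problems; an empty list means the record is usable."""
    problems, tags = [], parse_dmarc(txt)
    if not txt.strip().lower().startswith("v=dmarc1"):
        problems.append("record must start with v=DMARC1")
    if tags.get("p") not in POLICIES:
        problems.append("p= must be none, quarantine or reject")
    pct = tags.get("pct", "100")
    if not (pct.isdigit() and int(pct) <= 100):
        problems.append("pct= must be an integer 0-100")
    if "rua" not in tags:
        problems.append("no rua= tag: you will receive no aggregate reports")
    for uri in (u.strip() for u in tags.get("rua", "").split(",") if u.strip()):
        if not re.fullmatch(r"mailto:[^@\s,]+@[^@\s,]+", uri):
            problems.append(f"rua= entry is not a mailto: URI: {uri}")
    return problems

def next_stage(txt):
    """Tighten one notch: none -> quarantine at pct=25 -> quarantine at 100% -> reject.

    The 25% intermediate step is this example's assumption; the guide only says to move slowly.
    """
    tags = parse_dmarc(txt)
    p, pct = tags.get("p"), int(tags.get("pct", "100"))
    if p == "none":
        tags["p"], tags["pct"] = "quarantine", "25"
    elif p == "quarantine" and pct < 100:
        tags["pct"] = "100"
    elif p == "quarantine":
        tags["p"] = "reject"
        tags.pop("pct", None)  # reject applies to all mail, pct no longer needed
    return "; ".join(f"{k}={v}" for k, v in tags.items())
```

Run validate_dmarc on the record you are about to publish, and only call next_stage after the reports from the current stage look clean.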
What DMARC Does Not Protect Against
This is the part most guides skip. DMARC only protects your exact domain. It does nothing about look-alike domains or impersonation from outside your domain.
An attacker can register yourbusiness-invoices.com or yourbu5iness.com, and DMARC will not stop a single message because those are entirely different domains that DMARC has no authority over. They can also impersonate your CEO from a free Gmail account.
This is the gap that catches small businesses. Authentication handles spoofing of your domain. It cannot read intent or catch a convincing look-alike. That is where CIVRA fits in, analyzing sender identity, look-alike domains, and the language of a message to catch the targeted attacks that slip past authentication and spam filters.
A Realistic Timeline
For most small businesses with one or two sending services, the full rollout looks like this:
- Week 1 — confirm SPF and DKIM, publish p=none.
- Weeks 2 to 4 — read reports, fix any failing legitimate senders.
- Week 5 — move to p=quarantine.
- Week 6 or later — move to p=reject.
There is no rush. The reports are doing the work for you.
FAQ
Is DMARC free to set up?
Yes. DMARC, SPF, and DKIM are open standards configured through your DNS settings at no cost. The only investment is the time spent reading reports before you enforce.
Will DMARC block my own emails?
It can if you enforce too early. That is why you start at p=none and only move to quarantine or reject after reports confirm your legitimate mail is passing authentication.
Does DMARC stop all phishing?
No. DMARC stops attackers from spoofing your exact domain, but it does not stop look-alike domains, look-alike display names, or impersonation from external accounts. You need behavioral analysis for those.
How long does DMARC take to set up?
The DNS changes take minutes, but a safe rollout takes several weeks because you should monitor reports before enforcing. Skipping the monitoring phase is the most common mistake.
Want protection for the attacks DMARC cannot see? See how CIVRA complements your email authentication at civra.ai/pricing, or start at app.civra.ai.