Setting up DMARC comes down to publishing one DNS TXT record, but the order matters: get SPF and DKIM working first, start your policy in monitor mode, then tighten once the reports look clean. Here's the full sequence, including how to add the record in cPanel.
Step 1: Confirm SPF and DKIM are already working
DMARC builds on SPF and DKIM, so they need to be in place before DMARC can do anything useful. SPF lists the servers allowed to send for your domain; DKIM signs your messages so receivers can verify they weren't altered. If either is missing, your real mail can fail DMARC the moment you start enforcing.
Check that you have an SPF record published and that your sending platform is DKIM-signing your mail. Bird works a little differently: you publish a DKIM record and a return-path CNAME when you set up your sending domain, and SPF aligns through that return-path with no record at your apex, so once the domain is verified you're ready for DMARC.
Step 2: Build your DMARC record
Start simple. A monitor-only record looks like this:
v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.comThat publishes a valid policy, applies no enforcement, and asks receivers to send daily aggregate reports to the address in rua. Use a mailbox you'll actually check, or a dedicated address you can point at a report-parsing service. For a breakdown of every available tag, see what is a DMARC record.
Keep p=none for now. Monitor mode is the safe starting point, and you'll tighten it in step 5.
Step 3: Add the record at your DNS host
The record goes in your DNS as a TXT entry at the _dmarc subdomain. The fields you'll enter are roughly the same everywhere:
- Type:
TXT - Host / Name:
_dmarc(some hosts want the full_dmarc.yourdomain.com) - Value / Content: the record from step 2
- TTL: leave the default, or 3600
Save it, and you're published. The naming is the one place people slip: enter _dmarc, not your bare domain.
How do I add a DMARC record in cPanel?
cPanel is common enough to be worth its own walkthrough. In cPanel, DNS records live in Zone Editor.
- Log in to cPanel and open Zone Editor (under the Domains section).
- Find the domain you're protecting and click Manage.
- Click Add Record, then choose Add "TXT" Record from the dropdown.
- In the Name field, enter
_dmarc.yourdomain.com.(cPanel often appends the domain, so_dmarcmay be enough; include the trailing dot if it shows the full name). - Leave TTL at the default.
- Confirm Type is set to
TXT. - In the Record / TXT Data field, paste
v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com. - Click Save Record.
That's it. cPanel writes the entry into your zone file, and it starts resolving once DNS propagates (usually minutes, occasionally up to a day).
Step 4: Verify the record is live
Don't take it on faith, check it. The quickest way is a DNS lookup from your terminal:
dig +short TXT _dmarc.yourdomain.comYou should see your record echoed back. On Windows, nslookup -type=TXT _dmarc.yourdomain.com does the same thing. Plenty of free DMARC checkers will also fetch and validate it in a browser. If nothing comes back, give propagation a little time, then confirm the host name is _dmarc and not the bare domain.
Step 5: Read the reports, then tighten the policy
This is where DMARC earns its keep. Within a day or two, aggregate reports start landing in your rua mailbox. Watch them until you're confident every legitimate sender is authenticating and aligning. Reading a DMARC report covers what the fields mean.
Once the data is clean, step the policy up. Move from p=none to p=quarantine, watch again, then to p=reject for full enforcement. You can ease into quarantine with pct= to apply the policy to a slice of mail first. The policy ladder is explained in what is a DMARC policy.
If legitimate mail starts failing as you tighten, don't panic and don't roll back blindly. How to fix DMARC failures covers the usual culprits, which are almost always an alignment gap or a sender you forgot to authenticate.
For Bird-specific setup, the SPF, DKIM, and DMARC guide has the exact records and values for your account, and you can manage everything from your sending domains.