Lesson 5: Setting up your DMARC record for cold email
In this lesson, you’ll learn how DMARC (Domain-based Message Authentication, Reporting and Conformance) protects your domain from spoofing and gives you full visibility into how your emails are handled by receiving servers.
I’ll walk you through what DMARC is, how alignment works, and why it’s essential for stopping scammers from impersonating your domain. We’ll also cover DMARC reporting, so you can monitor who is sending emails on behalf of your domain, detect unauthorized activity, and spot misconfigured SPF or DKIM records before they hurt your deliverability.
If you’re building a technical cold email setup, understanding DMARC, alignment, and DNS configuration is critical to protect your brand reputation and maximize inbox placement.
Here is the guide on how to set up DMARC
In this lesson, you’ll learn:
- How DKIM works like a tamper-evident seal on every email you send – so if anyone intercepts and alters your message in transit, the receiving server knows immediately that something is wrong
- Why this matters for your prospects: without DKIM, attackers can hijack your sender reputation to insert malicious links into your emails, making your trusted name work against the very people you’re trying to reach
- That DKIM is a one-time setup per domain using a private/public key pair – straightforward enough that Woodpecker’s step-by-step guides walk you through it for every major provider
- How DKIM works as the second layer of a three-part authentication stack alongside SPF and DMARC, each one adding a level of protection the others alone can’t provide
Hi, in this lesson I will cover DMARC.
If you want to skip the theory part and set up DMARC, go to the guide I linked under this lesson.
Using that guide, make sure to at least enable DMARC reporting.
In short, this will give you more information about your deliverability.
No worries, the guide will explain it in more detail.
So, DMARC stands for:
Domain-based Message Authentication, Reporting and Conformance.
That’s a long one, but it describes what DMARC does pretty well.
Let’s break it down.
First, it’s “Domain-based”, which means you set it up in your domain’s DNS panel.
Next is “Message Authentication.”
To make DMARC effective, you should have at least SPF or DKIM set up, ideally both.
DMARC allows you to tell email receivers what to do when SPF or DKIM fail.
But that’s not all.
DMARC also introduces the concept of alignment.
In simple terms, alignment means your domain shows up consistently in different email components.
Now, let’s see how you can check this and why it’s so important.
As we discussed, when you send an email, your domain shows up in multiple places.
One of them is the email header.
In the email header, you’ll find the From address domain.
That’s what the recipient sees in their inbox.
For SPF alignment, the domain in the Return-Path must match the From address domain.
For DKIM alignment, the domain in the d= tag must match the From address domain.
This is what DMARC checks.
This may sound a bit abstract, so let’s walk through a real-world example.
Imagine you use [email protected] as your email.
A scammer could use their real address like [email protected].
They can set up SPF and DKIM for their own domain.
But here’s the trick:
They can spoof the From address to look like it came from [email protected].
To the recipient, it appears like it’s from you.
This is called spoofing.
Meanwhile, the scammer sends the email from their domain.
So their SPF and DKIM records pass, but only for their domain.
This is where DMARC and alignment kick in.
The receiving mail server checks the From address.
It sees your domain.
Then it checks the Return-Path, which is what SPF uses.
That shows the scammer’s domain, meaning it’s not aligned.
Then it checks the DKIM signature’s d= tag, again, the scammer’s domain.
That also doesn’t align with the From address.
Since neither SPF nor DKIM is aligned, DMARC fails.
If you have DMARC reporting enabled, you’ll see this failure in your reports.
Now you know someone tried to spoof your domain, and you can take action.
You can test this yourself.
Send an email to yourself and inspect the header.
For instance, in Gmail you can find the email header when you open the email.
Then click on the three dots on the top right in the email thread.
Lastly, click on “show original”.
Now you will see the email header.
There, you will see:
- The From address, which is what the recipient sees
- The Return-Path, which is what SPF uses
- The d= tag domain, which is what DKIM uses
If all three show your domain, it’s properly aligned.
If not, and someone is spoofing you, only the From address will be yours.
The others will show the scammer’s domain.
That causes alignment to fail.
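The header comparison described above can be scripted. This is an added example, not part of the original lesson: the two sample messages are constructed, every domain in them is a placeholder, and the function names are hypothetical. Paste the text from “show original” in place of the samples to check a real message.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages; every domain here is a placeholder.
SPOOFED = """\
Return-Path: <bounce@scammer.example>
DKIM-Signature: v=1; a=rsa-sha256; d=scammer.example; s=s1;
 h=from:to:subject; bh=AAAA; b=BBBB
From: "You" <you@yourbrand.example>
To: prospect@customer.example
Subject: Quick question

Hello
"""
ALIGNED = SPOOFED.replace("scammer.example", "yourbrand.example")

def domain_of(header_value):
    """Return the lower-cased domain of an address header, or ''."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()

def dkim_domains(msg):
    """Collect the d= domain of every DKIM-Signature header."""
    found = []
    for sig in msg.get_all("DKIM-Signature", []):
        m = re.search(r"(?:^|;)\s*d\s*=\s*([^;\s]+)", sig)
        if m:
            found.append(m.group(1).lower())
    return found

def check_alignment(raw_message):
    """Compare Return-Path and d= against the From domain (exact match only).

    This only compares domains. A real DMARC pass also needs the SPF or DKIM
    check itself to pass, and receivers may accept subdomains as aligned.
    """
    msg = message_from_string(raw_message)
    from_dom = domain_of(msg["From"])
    rp_dom = domain_of(msg["Return-Path"])
    d_doms = dkim_domains(msg)
    return {
        "from": from_dom,
        "return_path": rp_dom,
        "dkim_d": d_doms,
        "spf_aligned": bool(from_dom) and rp_dom == from_dom,
        "dkim_aligned": from_dom in d_doms,
    }
```
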
Okay, that’s the core of DMARC. But there’s more.
Let’s talk about the Reporting part.
When you set up DMARC, you can choose to receive aggregate reports.
These are sent once per day.
They show:
- Which IPs sent emails using your domain
- Whether SPF and DKIM passed
- Whether they were aligned
- And whether DMARC passed or failed
This helps you:
- Spot unauthorized senders
- Catch misconfigured SPF or DKIM records
- Understand how your domain is being used
These are all things a legitimate sender would care about.
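Aggregate reports arrive as XML attachments, so the checks listed above are easy to automate. This is an added example, not part of the original lesson: the report is constructed and trimmed to the fields the code reads, the IPs come from documentation ranges, and the function names are hypothetical. It assumes a report without an XML namespace.

```python
import xml.etree.ElementTree as ET

# Constructed report, trimmed to the fields read below.
REPORT = """<feedback>
<record><row><source_ip>192.0.2.10</source_ip><count>42</count>
  <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
 <identifiers><header_from>yourbrand.example</header_from></identifiers>
 <auth_results><spf><domain>yourbrand.example</domain><result>pass</result></spf></auth_results>
</record>
<record><row><source_ip>198.51.100.5</source_ip><count>10</count>
  <policy_evaluated><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
 <identifiers><header_from>yourbrand.example</header_from></identifiers>
 <auth_results><spf><domain>mailer.example</domain><result>pass</result></spf></auth_results>
</record>
<record><row><source_ip>203.0.113.77</source_ip><count>5</count>
  <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
 <identifiers><header_from>yourbrand.example</header_from></identifiers>
 <auth_results><spf><domain>scammer.example</domain><result>pass</result></spf></auth_results>
</record>
</feedback>"""

def parse_records(xml_text):
    """Return one dict per <record>.

    policy_evaluated holds the aligned SPF/DKIM results; auth_results holds
    the raw check and the domain it was run against.
    """
    rows = []
    for rec in ET.fromstring(xml_text).iter("record"):
        spf_ok = rec.findtext("row/policy_evaluated/spf") == "pass"
        dkim_ok = rec.findtext("row/policy_evaluated/dkim") == "pass"
        rows.append({
            "ip": rec.findtext("row/source_ip"),
            "count": int(rec.findtext("row/count")),
            "spf_aligned": spf_ok,
            "dkim_aligned": dkim_ok,
            "dmarc_pass": spf_ok or dkim_ok,  # one aligned pass is enough
            "spf_domain": rec.findtext("auth_results/spf/domain"),
        })
    return rows

def failing_sources(xml_text):
    """Total message count per source IP that failed DMARC."""
    totals = {}
    for r in parse_records(xml_text):
        if not r["dmarc_pass"]:
            totals[r["ip"]] = totals.get(r["ip"], 0) + r["count"]
    return totals
```

The second record is the misconfiguration case: SPF passed, but for a different Return-Path domain, so only the aligned DKIM signature keeps that sender passing DMARC.
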
Next is the “Conformance” part.
This tells the receiving end what to do when DMARC fails.
You have three options:
- None: take no action; just monitor
- Quarantine: send the email to spam
- Reject: block the email entirely, meaning it bounces
So now, since you are doing cold outreach, start with p=none.
Then, watch your DMARC reports for a while.
If SPF and DKIM are working, consider moving to p=quarantine.
That way, spoofed emails get flagged as spam.
Your brand reputation will be safer as prospects are less likely to see those emails.
Let’s cover the last part.
How to add a DMARC record.
Go to your domain’s DNS panel.
There, create a new TXT record.
Set the name to underscore dmarc (_dmarc) and TTL to auto.
For the value, start simple and just set the p= tag to none.
This enables DMARC with a “monitoring-only” policy.
If you want to get reports, add a rua= tag after the p= tag.
This tells providers to send daily DMARC reports to the email you specified.
Lastly, once you are sure that SPF and DKIM work, you can enforce DMARC.
To do this, change the p= tag to either:
- quarantine, so emails go to spam
- or reject so that spoofed emails always bounce
Alright, this was a lot to take in, but I hope you now fully understand DMARC.
Just like with SPF and DKIM, we have detailed help articles to guide you.
I will link them under this lesson.
Thanks for joining me and see you in the next lesson.