How to Add DMARC to Your Irish Business Email (Step-by-Step)

If you have just run the Digital Trust Mark assessment on your domain, or if you have been told your business email is missing DMARC, this guide will walk you through fixing it. The whole process takes about five minutes and costs nothing.

DMARC is the control that prevents attackers from sending emails that appear to come from your domain. Without it, anyone can send a convincing phishing email that looks like it came from your company — to your customers, your suppliers, or your staff. With it, receiving mail servers know to quarantine or reject those fraudulent messages.

This is not a theoretical risk. Business email compromise — where attackers impersonate a company's email to redirect payments, steal credentials, or defraud customers — is one of the most financially damaging cyber crimes affecting Irish SMEs. The NCSC Ireland lists email authentication as a baseline control for all organisations, and the Digital Trust Mark flags a missing DMARC record as a failing check.

Let us fix it.

What You Need Before You Start

Before adding a DMARC record, you should already have SPF and DKIM configured for your domain. DMARC builds on both — it tells receiving servers what to do when an email fails those checks. If you have not set up SPF and DKIM yet, read our guide to SPF, DKIM and DMARC for Irish businesses first, then come back here.

You will also need access to your domain's DNS settings. This is typically managed through your domain registrar (the company you registered your domain with — common ones for Irish businesses include Blacknight, Hosting Ireland, or 123-reg) or through a DNS provider like Cloudflare. If you are not sure who manages your DNS, ask your IT support or check your domain registrar account.

Understanding the DMARC Record

A DMARC record is a TXT record added to your DNS. It lives at a specific subdomain: _dmarc.yourdomain.ie. The record tells receiving mail servers three things: what policy to apply to failing emails, where to send reports about those failures, and how strictly to apply the policy._

A basic DMARC record looks like this:

v=DMARC1; p=quarantine; rua=mailto:[email protected]; pct=100

v=DMARC1; p=quarantine; rua=mailto:[email protected]; pct=100

The key fields are:

A note on policy levels: There are three options — none (monitor only, take no action), quarantine (send failing emails to spam), and reject (block failing emails entirely). Start with quarantine rather than jumping straight to reject. This gives you a safety net while you verify that your legitimate email is correctly authenticated. After a few weeks of reviewing reports and confirming everything is working, move to reject.

Step-by-Step: Adding the DMARC Record

The process is the same regardless of your email provider — you are adding a DNS record, not changing anything in your email system.

Step 1: Log in to your DNS provider

Go to wherever you manage your domain's DNS records. For most Irish businesses this will be one of the following:

• Cloudflare: dash.cloudflare.com → select your domain → DNS → Records
• Blacknight: cp.blacknight.com → Domains → DNS Management
• Hosting Ireland: Control panel → DNS Zone Editor
• 123-reg: Control panel → Manage DNS
• GoDaddy: My Products → DNS → Manage

If your domain is managed by your web developer or IT support, ask them to add the record for you using the values below.

Step 2: Create a new TXT record

In your DNS management interface, look for an option to add a new record. Select TXT as the record type.

Fill in the fields as follows:

Replace yourdomain.ie with your actual domain name, and replace [email protected] with an email address you control where you want to receive DMARC aggregate reports. This can be any email address — your regular business email is fine to start with.

Step 3: Save the record

Click Save (or Add Record, or Update — the button label varies by provider). DNS changes typically propagate within a few minutes, though some providers can take up to an hour.

Step 4: Verify the record is live

Once you have saved the record, you can verify it is working using a free online tool. Go to MXToolbox DMARC Lookup and enter your domain name. It should return your new DMARC record and confirm it is valid.

Alternatively, you can check from the command line:

dig TXT _dmarc.yourdomain.ie

dig TXT _dmarc.yourdomain.ie

You should see your DMARC record returned in the results.

Free Resource: Download The Irish SME Cyber Survival Guide — 10 controls based on NCSC Ireland & ENISA guidance. Plain English, no jargon.

Microsoft 365 Users: One Extra Step

If you use Microsoft 365 (Outlook) for your business email, Microsoft has its own DMARC reporting and DKIM configuration tools. Once your DMARC record is live, it is worth enabling DMARC reporting in the Microsoft Defender portal so you can see how your email is performing.

To check your current DMARC status in Microsoft 365:

1. Go to the Microsoft Defender portal
2. Navigate to Email & Collaboration → Policies & Rules → Threat Policies → Email Authentication Settings
3. Select the DMARC tab to see the current status for your domain

Microsoft will show you whether your DMARC record is detected and whether it is in enforcement mode. If you have not yet enabled DKIM signing in Microsoft 365, this is also the place to do it — go to the DKIM tab and enable signing for your domain.

Google Workspace Users: Check Your DKIM First

If you use Google Workspace (Gmail) for your business email, Google generates a DKIM key for your domain that you need to publish in DNS before DMARC will work correctly.

To check and enable DKIM in Google Workspace:

1. Go to the Google Admin console
2. Navigate to Apps → Google Workspace → Gmail → Authenticate email
3. Select your domain and click Generate new record if no key exists, or Start authentication if a key is already generated but not yet active
4. Copy the TXT record value and add it to your DNS as a TXT record with the name google._domainkey.yourdomain.ie_

Once DKIM is active, your DMARC record will be able to enforce policy against emails that fail both SPF and DKIM alignment.

Understanding Your DMARC Reports

Once your DMARC record is live, you will start receiving aggregate reports (sent to the rua= address you specified) from major email providers — Google, Microsoft, Yahoo, and others. These reports arrive as XML files attached to emails, usually once per day.

The reports show you every mail server that sent email claiming to be from your domain, and whether those emails passed or failed SPF and DKIM authentication. This is genuinely useful information — it tells you whether your legitimate email is correctly authenticated, and it will flag any servers that are attempting to spoof your domain.

Reading raw XML reports is not practical for most business owners. If you want to make sense of them, free tools like DMARC Analyser or Postmark's DMARC tool will parse the reports and present them in a readable format.

Moving to a Reject Policy

After two to four weeks of monitoring your DMARC reports, you should have a clear picture of all the legitimate mail servers sending email on behalf of your domain. If everything looks correct — your own email, any marketing tools, CRM systems, or automated notifications — you are ready to tighten the policy.

Change p=quarantine to p=reject in your DMARC record:

v=DMARC1; p=reject; rua=mailto:[email protected]; pct=100

v=DMARC1; p=reject; rua=mailto:[email protected]; pct=100

With p=reject, receiving servers will block any email that fails DMARC authentication outright — it will not even reach the spam folder. This is the strongest protection against email spoofing and the setting recommended by the NCSC Ireland for organisations that have confirmed their legitimate email is correctly authenticated.

What DMARC Does Not Protect Against

It is important to be clear about what DMARC does and does not do. DMARC prevents attackers from spoofing your exact domain — sending emails that appear to come from [email protected] when they are not. It does not prevent:

• Look-alike domain attacks — where an attacker registers yourcompany-ie.com or yourcompany.co and sends email from that domain. These require separate monitoring.
• Phishing emails sent to your staff — DMARC protects your outbound reputation; it does not filter inbound phishing emails targeting your employees.
• Compromised accounts — if an attacker gains access to a legitimate email account in your organisation, DMARC will not flag those emails as fraudulent.

For a complete picture of your email security posture, read our Website Security Checklist, which covers both the technical controls (including DMARC) and the business-level controls — staff awareness, MFA, and incident response — that protect against the full range of email-based threats.

The Five-Minute Summary

If you have read this far and want the shortest possible version:

1. Log in to your DNS provider
2. Add a TXT record: Name = _dmarc, Value = v=DMARC1; p=quarantine; rua=mailto:[email protected]; pct=100
3. Save and wait a few minutes
4. Verify at MXToolbox
5. After 2–4 weeks of monitoring reports, change p=quarantine to p=reject_

That is it. You have just closed one of the most commonly exploited gaps in Irish business email security — and you have done it without spending a penny.

Want a Full Email Security Review?

DMARC is one piece of a complete email security posture. If you want to understand how your full email configuration — SPF, DKIM, DMARC, security headers, and staff awareness — stacks up against current best practice, we can help.

Book a free 20-minute strategy call with our vCISO team. We work with small and medium businesses across Ireland — no jargon, no scare tactics, just clear actionable advice.

Book Your Free Strategy Call