DMARC record

Per RFC 7489

Phased rollout from p=none through quarantine to reject; with Mailcheck as the RUA address.

What is this, and when do I need it?

What is this?

DMARC (Domain-based Message Authentication, Reporting & Conformance, RFC 7489) is the policy layer on top of SPF and DKIM. It tells receiving mail servers what to do when a message claims to come from your domain but neither SPF nor DKIM confirms it: deliver, move to spam, or reject.

Additionally, DMARC requires the signing domain to match the visible sender domain (alignment). That eliminates an entire class of phishing tricks where attackers sign with their own domain and spoof the From line.

When do I need it?

As soon as you send mail at all - that means every company with its own domain, from a sole proprietor to a GmbH. Without DMARC, anyone can send phishing mail using your domain as the sender, and your recipients have no signal that it did not come from you.

Rollout works in three steps, 4-8 weeks each: p=none (observe only, no blocking), p=quarantine (spam folder), p=reject (block entirely). Only advance when the reports show that all your sending sources sign cleanly.

  • p=none is intended only for the observation phase. Move up to quarantine or reject within 4-8 weeks, otherwise the record has no effect.
DNS TXT record per RFC 7489
_dmarc.example.com.	TXT	"v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com; fo=0;"

Free, no warranty (best effort). Generated and inspected values are non-binding; we accept no liability for erroneous or incomplete results or configurations. Use and verification are your own responsibility; please test before production use.

Publish the record at _dmarc.example.com. Recommended rollout: p=none with rua for 4-8 weeks, then quarantine, then reject.

How to add this record at your DNS provider

The record generated above has three parts: the record type (typically TXT, occasionally CAA), the host (a subdomain like _dmarc, _smtp._tls or empty for the root domain) and the value (the actual payload in quotes). Every DNS provider asks for these same three fields - only the menu wording differs.

INWX (Dernium default for new customers)
  1. Sign in at www.inwx.de.
  2. Tab Nameserver → pick the domain → Nameserver-Sets verwalten → DNS-Einträge.
  3. Button Neuen Eintrag anlegen.
  4. Pick a type (e.g. TXT), enter the host (empty for the root domain, otherwise e.g. _dmarc), paste the value, leave TTL at 3600.
  5. Save. Propagation typically within 5-15 minutes.
Strato
  1. Sign in to the Strato customer area.
  2. Menu Domains → pick the domain → Verwalten.
  3. Section DNS-Verwaltung → Nameserver/DNS-Einstellungen anpassen.
  4. Under Eigene DNS-Verwaltung pick the right record type (TXT records have their own block), enter host and value.
  5. Save. Strato typically propagates within 30-60 minutes.
Hetzner DNS Console
  1. Sign in at dns.hetzner.com.
  2. Click on the zone of your domain.
  3. Button Add record → pick a type, enter the name (use @ for the root domain), paste the value.
  4. Save. Propagation typically under 5 minutes.
IONOS (1&1)
  1. Sign in to the IONOS customer center.
  2. Menu Domains & SSL → click the domain → DNS.
  3. Button Eintrag hinzufügen → pick a type, enter the host, paste the value into the content field.
  4. Save. Propagation typically 15-60 minutes.
Cloudflare
  1. Sign in to Cloudflare, pick the domain.
  2. Tab DNS → Records.
  3. Button Add record → pick a type, enter the name (use @ for the root domain), paste the value, leave proxy status on DNS only for TXT/CAA records.
  4. Save. Propagation typically under 2 minutes.

Note: If your DNS provider is not listed, you usually find the right place under headings like "DNS management", "Zone editor", or "Records". When in doubt, your provider's support helps; the paths shown here are vendor-specific and can shift slightly with redesigns.

Inspect an existing DMARC record

Reads _dmarc.<domain> and validates tags against RFC 7489.

Server path: this inspection does not run locally in your browser. We fetch the DNS record or HTTPS response via our server. We do not log the queried domain or the result. The limit is 12 requests per minute per IPv4 address or IPv6 /64 subnet.
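
An offline version of the tag check described above, as an added example (not this tool's own code): it takes the TXT value you already looked up and checks the common RFC 7489 tags. The function names, the message texts and the restriction of rua/ruf to mailto: URIs are assumptions of this sketch.

```python
import re

# Allowed tag values per RFC 7489 section 6.3
POLICIES = {"none", "quarantine", "reject"}
FO_OPTIONS = {"0", "1", "d", "s"}
ALIGNMENT = {"r", "s"}

def parse_dmarc(txt):
    """Split a DMARC TXT value into an ordered list of (tag, value) pairs."""
    pairs = []
    for part in txt.strip().strip('"').split(";"):
        if part.strip():
            tag, _, value = part.partition("=")
            pairs.append((tag.strip().lower(), value.strip()))
    return pairs

def check_dmarc(txt):
    """Return (errors, warnings) for one DMARC record string."""
    errors, warnings = [], []
    pairs = parse_dmarc(txt)
    tags = dict(pairs)
    # v must be the first tag and exactly DMARC1 (case-sensitive)
    if not pairs or pairs[0] != ("v", "DMARC1"):
        errors.append("v=DMARC1 must be the first tag")
    policy = tags.get("p", "").lower()
    if policy not in POLICIES:
        errors.append("p must be none, quarantine or reject")
    elif policy == "none":
        warnings.append("p=none only observes; no mail is blocked")
    for tag in ("adkim", "aspf"):
        if tag in tags and tags[tag].lower() not in ALIGNMENT:
            errors.append(f"{tag} must be r or s")
    pct = tags.get("pct")
    if pct is not None and not (re.fullmatch(r"[0-9]{1,3}", pct) and int(pct) <= 100):
        errors.append("pct must be an integer from 0 to 100")
    if "fo" in tags and not set(tags["fo"].lower().split(":")) <= FO_OPTIONS:
        errors.append("fo must be a colon-separated list of 0, 1, d, s")
    # Assumption: only mailto: report URIs, with the optional !size suffix
    for tag in ("rua", "ruf"):
        for uri in filter(None, tags.get(tag, "").split(",")):
            if not re.fullmatch(r"mailto:[^@\s,!]+@[^@\s,!]+(![0-9]+[kmgt]?)?", uri.strip(), re.I):
                errors.append(f"{tag} has an invalid URI: {uri.strip()}")
    if "rua" not in tags:
        warnings.append("no rua: no aggregate reports will arrive")
    return errors, warnings

# Constructed samples: the record generated on this page, then a broken one
GOOD = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com; fo=0;"
BAD = "p=monitor; v=DMARC1; pct=150; rua=dmarc-reports@example.com"
```

An empty error list together with the p=none warning is the expected result during the observation phase; the warning disappears once the policy is raised to quarantine or reject.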