DMARC setup

Create a DMARC record – step by step.

The DMARC entry is a single TXT record in DNS. Here you build it correctly, understand every tag and enforce up to p=reject without delivery failures.

A DMARC record is published as a TXT entry under the host name _dmarc.your-domain.com. It defines how receiving servers treat unauthenticated email – and where reports are sent. Valid SPF and DKIM records are a prerequisite.

Anatomy of a DMARC record

A minimal, valid record looks like this:

v=DMARC1; p=none; rua=mailto:dmarc@your-domain.com; pct=100

The most important tags

v
Protocol version, always v=DMARC1. Must come first.
p
Policy for the main domain: none (monitor only), quarantine (to spam) or reject.
rua
Address for aggregate reports (daily, XML format). Required for meaningful monitoring.
ruf
Address for forensic per-message reports. Mind privacy; not every provider sends them.
pct
Percentage of mail the policy applies to. Ideal for a staged rollout.
sp
Separate policy for subdomains. Without sp the p value also applies to subdomains.
adkim
DKIM alignment: r (relaxed) or s (strict).
aspf
SPF alignment: r (relaxed) or s (strict).

Four steps to active DMARC

  1. Check SPF & DKIM

     Make sure both validate and align for all legitimate sending sources.

  2. Publish with p=none

     Start in monitoring mode and collect reports via rua for several weeks.

  3. Analyse the reports

     Identify all legitimate sources that don't yet authenticate correctly – exactly where Conbool DMARC helps automatically.

  4. Ramp up to p=reject

     Move from quarantine to reject gradually via pct and sp until spoofing is reliably blocked.

The safe path: none → quarantine → reject

p=none

Pure observation. No impact on delivery – the ideal start.

p=quarantine

Unauthenticated mail goes to spam. Ramp slowly with pct=10/25/50.

p=reject

Spoofing is hard-rejected. Only enable once the reports are clean.

Common mistakes

  • Starting straight at p=reject – legitimate mail can be lost.
  • No rua set – without reports DMARC stays blind.
  • Forgetting subdomains – without sp they inherit the main domain policy unintentionally.
  • Multiple DMARC records per domain – only a single TXT entry is valid.
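
The tag rules and the mistakes listed above can be checked mechanically before a record goes live. The following Python example is added here and is not part of the original page or of Conbool's tooling; lint_dmarc, parse_dmarc and SAMPLE are hypothetical names, and the defaults it applies to absent tags (pct=100, relaxed alignment) are the DMARC defaults rather than values stated on this page.

```python
# Added example: lint the TXT strings published at _dmarc.<domain>.
POLICIES = {"none", "quarantine", "reject"}

# Constructed sample input: a record with no rua and no sp.
SAMPLE = ["v=DMARC1; p=quarantine; pct=25"]


def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a list of (tag, value) pairs."""
    pairs = []
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate a trailing semicolon
        tag, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        pairs.append((tag.strip().lower(), value.strip()))
    return pairs


def lint_dmarc(txt_records):
    """Return findings for all TXT strings found at the _dmarc host."""
    # Simplification: only records starting with the exact text v=DMARC1 count.
    dmarc = [r.strip() for r in txt_records if r.strip().startswith("v=DMARC1")]
    if not dmarc:
        return ["no record starting with v=DMARC1"]
    if len(dmarc) > 1:
        return [f"{len(dmarc)} DMARC records published; only one is valid"]
    try:
        tags = dict(parse_dmarc(dmarc[0]))
    except ValueError as exc:
        return [str(exc)]
    findings = []
    if tags.get("p", "").lower() not in POLICIES:
        findings.append("p missing or not none/quarantine/reject")
    if "rua" not in tags:
        findings.append("no rua: no aggregate reports will arrive")
    if "sp" not in tags:
        findings.append("no sp: subdomains inherit p")
    elif tags["sp"].lower() not in POLICIES:
        findings.append("sp not none/quarantine/reject")
    pct = tags.get("pct", "100")  # assumed default when pct is absent
    if not (pct.isdecimal() and int(pct) <= 100):
        findings.append("pct must be an integer from 0 to 100")
    for tag in ("adkim", "aspf"):
        if tags.get(tag, "r").lower() not in ("r", "s"):  # r is the default
            findings.append(f"{tag} must be r or s")
    return findings
```

Pass it every TXT string returned for the _dmarc host, not only the first, so that a duplicate record is caught.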


FAQ

Where is the DMARC record published?
As a TXT record under _dmarc.your-domain.com in your domain's DNS zone.
Do I strictly need SPF and DKIM?
Yes. DMARC relies on SPF and/or DKIM alignment; without at least one of them the check fails.
How long should I stay on p=none?
Typically 2–4 weeks, until all legitimate sending sources authenticate cleanly in the reports.