How do I create a DMARC record?

DMARC helps protect your domain against misuse, such as spoofing and phishing. It works together with SPF and DKIM to ensure emails sent from your domain are legitimate. This improves overall deliverability, which can be very useful when sending newsletters, for example.

This guide shows you how to add a basic DMARC record in your DNS settings and explains which policy to choose.


What is DMARC?

DMARC (Domain-based Message Authentication, Reporting & Conformance) tells receiving mail servers how to handle emails that fail SPF and DKIM checks. It helps prevent others from sending emails pretending to be from your domain.

DMARC also allows you to receive reports about your domain’s email activity, so you can monitor and improve your email security.

  • SPF verifies if an email was sent using approved servers.
  • DKIM adds a digital signature to emails, allowing receiving mail servers to verify the email.
  • DMARC defines a policy for handling emails that fail SPF or DKIM checks.

For DMARC to work correctly, your domain should already have:

  • An SPF record
  • DKIM enabled for your email service

DKIM is enabled by default for emails sent from our servers, and you can check our guide on enabling SPF.

Note: DMARC only has an effect when sending email. It doesn't affect the spam emails you receive in your own inbox. However, if all email accounts implement these validation methods, in theory, spoofing would no longer be possible.


DMARC policies explained

A DMARC policy controls what happens to emails that fail the DMARC check. When you create the DMARC record, you need to choose a policy:

  • none - Monitoring only. No emails are blocked. 
  • quarantine - Failed emails are marked as suspicious and often moved to spam.
  • reject - Failed emails are completely blocked.

You can change your DMARC policy at any time. A common approach is to start with 'none', then move to 'quarantine', and finally to 'reject'. This allows you to first monitor how your domain is used, then test the impact of filtering, and only block unauthenticated emails once everything works as expected.

If you want to follow this process, we strongly recommend using an external (paid) reporting service to help analyse the reports, such as Dmarcian, EasyDMARC, or DMARCLY.

If you just want to enable DMARC without analysing reports, we recommend setting the policy to 'quarantine'. This marks unauthenticated emails as suspicious or sends them to the spam folder, significantly improving your email security.

Note: .ch domains do not allow the DMARC policy to be set to 'none'.


DMARC email reports

When you create a DMARC record, you also need to enter an email address to receive DMARC reports. These reports are sent in XML format and contain an overview of all email traffic claiming to come from your domain, including which emails pass or fail the DMARC check.

There are two types of reports:

  • RUA reports - Sent daily and contain a summary of all email activity for your domain, including IP addresses and authentication results.
  • RUF reports - Sent only when an email fails DMARC. They include detailed information such as the message header and parts of the original email.

Most users benefit from receiving only RUA reports, as they contain all the information needed for monitoring. RUF reports are optional and mainly useful for advanced troubleshooting.

Note: Not all email providers send DMARC reports, so it's normal if some emails do not appear in your data.


Create a DMARC record on your domain

Before you start

We recommend creating an email account on your domain dedicated to receiving these reports, for example: dmarc-reports@yourdomain.com. This keeps your reports separate and easier to manage.


Add the DMARC record

This activates DMARC in monitoring mode and sends you daily RUA reports with an overview of email activity from your domain.
  1. Log in to your one.com Control Panel.
  2. Go to the Advanced settings tile and click DNS settings.
  3. Go to DNS records and click Create new record.
  4. Choose TXT as the record type.
  5. Enter the following values:
    - Hostname: _dmarc
    - Value: Enter the text below and replace policy name with the policy of your choice and an-email-address with the email address of your choice:
    v=DMARC1; p=policy name; rua=mailto:an-email-address
    - TTL: Leave this field empty to use the default value of 3600 seconds, unless you need a specific value.
  6. Click Create record to save your settings.
    Changes usually take effect within a few minutes.

To check if the record is set up correctly, you can use a DMARC record checker.
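
The kind of check such a tool performs can also be run locally on the value before you save it. This is an added example, not one.com code: the function names are assumptions, and the two inputs are the template from step 5 left unedited and the record described in the Example section of this guide.

```python
import re

VALID_POLICIES = {"none", "quarantine", "reject"}
# Loose address check: enough to catch a placeholder left in the record.
MAILTO = re.compile(r"^mailto:[^@\s,;!]+@[^@\s,;!]+\.[^@\s,;!]+$")

# Constructed inputs: the guide's template unedited, and the record from its example.
TEMPLATE = "v=DMARC1; p=policy name; rua=mailto:an-email-address"
EXAMPLE = ("v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@one-example.com; "
           "ruf=mailto:dmarc-reports@one-example.com")


def parse_dmarc(value):
    """Split a DMARC TXT value into an ordered list of (tag, value) pairs."""
    pairs = []
    for part in value.split(";"):
        if not part.strip():
            continue  # a trailing semicolon is allowed
        tag, sep, val = part.partition("=")
        if not sep:
            raise ValueError(f"not a tag=value pair: {part.strip()!r}")
        pairs.append((tag.strip().lower(), val.strip()))
    return pairs


def check_dmarc(value):
    """Return a list of problems; an empty list means the record looks usable."""
    try:
        pairs = parse_dmarc(value)
    except ValueError as exc:
        return [str(exc)]
    problems, tags = [], dict(pairs)
    if not pairs or pairs[0] != ("v", "DMARC1"):
        problems.append("record must start with v=DMARC1")
    if tags.get("p", "").lower() not in VALID_POLICIES:
        problems.append(f"invalid policy: {tags.get('p')!r}")
    for tag in ("rua", "ruf"):
        for uri in filter(None, (u.strip() for u in tags.get(tag, "").split(","))):
            if not MAILTO.match(uri.split("!")[0]):  # drop an optional !size suffix
                problems.append(f"{tag} is not a mailto: address: {uri!r}")
    if "rua" not in tags:
        problems.append("no rua= address, so no aggregate reports will arrive")
    return problems


if __name__ == "__main__":
    for record in (TEMPLATE, EXAMPLE):
        print(record, "->", check_dmarc(record) or "OK")
```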


Optional: Add RUF to your DMARC record

If you want more detailed reports on individual emails that fail DMARC, you can add the optional ruf tag. These “forensic” reports may include message headers and, in some cases, parts of the original email. They are mainly useful for advanced troubleshooting.

If you choose to add RUF, we recommend using the same dedicated mailbox:

v=DMARC1; p=policy name; rua=mailto:an-email-address; ruf=mailto:an-email-address


Strengthen your policy

After reviewing your reports and confirming that the legitimate email is correctly authenticated, you can gradually tighten your DMARC policy. 

Start with p=none, then switch to p=quarantine, and finally to p=reject.


Example

In this example, we're setting up DMARC on the domain one-example.com. We've chosen quarantine as the policy and entered dmarc-reports@one-example.com as the email address for RUA and RUF reports.

The screenshot shows an example of adding a TXT record for DMARC in the DNS Administration.

