Last updated: July 2026

In short: All-Inkl creates a p=none DMARC record by default. After this guide you adjust it in the KAS — safely staggered up to p=reject, including correctly authorized report addresses.

Prerequisites

  • An All-Inkl package with access to the KAS
  • SPF and DKIM must be in place — DMARC only evaluates their results

What is DMARC?

DMARC (Domain-based Message Authentication, Reporting & Conformance) gives receiving servers a recommendation on “how a recipient server should handle an email in the event of SPF and DKIM violations” — and keeps you informed via reports. It’s a TXT record named _dmarc.

The starting point at All-Inkl

Handy: All-Inkl already creates a DMARC entry by default — namely v=DMARC1; p=none;. It only observes and blocks nothing. Your job is to tighten it step by step and add a report address.

Step-by-step guide

1. Open the DNS settings in the KAS

Log into the KAS, click ToolsDNS settings and edit the desired domain. Click Edit on the existing DMARC entry (or create new DNS entry if none exists). The Name is always _dmarc, the Type TXT.

2. Start with observation

Add a report address to the existing p=none entry:

v=DMARC1; p=none; rua=mailto:dmarc@beispiel.de

The rua address receives the daily aggregated reports. For analysis, a DMARC monitor like MARCo is well suited, making the XML reports readable.

3. Stagger up to reject

After the observation phase, tighten in stages — pct controls the portion:

v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@beispiel.de

And finally, with strict alignment, enforcement. All-Inkl’s own detailed example record shows the form:

v=DMARC1; p=reject; rua=mailto:mail@ihre-domain.de; ruf=mailto:mail@ihre-domain.de; adkim=s; aspf=r

On the syntax: parameter and value with no space around the =, separated by ;.

4. Important with external report addresses

If your rua or ruf address points to a different domain than the one the DMARC record applies to (e.g. a monitoring service), that other domain needs an authorization record — otherwise the report sender ignores the address. All-Inkl’s example: if DMARC applies to example.com and the report address is on ihre-domain.de, then this record must be at ihre-domain.de:

example.com._report._dmarc.ihre-domain.de TXT "v=DMARC1"

Almost everyone forgets this step — it’s the reason reports sometimes never arrive.

The most important tags

TagMeaning
p=policy: none / quarantine / reject
sp=policy for subdomains
pct=portion of mail in percent (default 100)
rua=addresses for aggregated reports
ruf=addresses for forensic reports
adkim= / aspf=alignment mode (r relaxed, s strict)
fo=when a forensic report is generated

Verify the result

Check your configuration with the free MXAudit scanner — it shows you DMARC, SPF, and DKIM at a glance.

Common mistakes

External report address without authorization. Reports to a foreign domain only arrive if that domain publishes the _report._dmarc authorization record.

Leaving it at p=none. The default entry only observes — it doesn’t protect. After the test phase, tighten to quarantine/reject.

Straight to reject. Without a none phase you block legitimate sources.

Spaces around the =. Parameter and value right against each other, separated with ;.

Further reading