Last updated: July 2026
In short: All-Inkl creates a
p=noneDMARC record by default. After this guide you adjust it in the KAS — safely staggered up top=reject, including correctly authorized report addresses.
Prerequisites
- An All-Inkl package with access to the KAS
- SPF and DKIM must be in place — DMARC only evaluates their results
What is DMARC?
DMARC (Domain-based Message Authentication, Reporting & Conformance) gives receiving servers a recommendation on “how a recipient server should handle an email in the event of SPF and DKIM violations” — and keeps you informed via reports. It’s a TXT record named _dmarc.
The starting point at All-Inkl
Handy: All-Inkl already creates a DMARC entry by default — namely v=DMARC1; p=none;. It only observes and blocks nothing. Your job is to tighten it step by step and add a report address.
Step-by-step guide
1. Open the DNS settings in the KAS
Log into the KAS, click Tools → DNS settings and edit the desired domain. Click Edit on the existing DMARC entry (or create new DNS entry if none exists). The Name is always _dmarc, the Type TXT.
2. Start with observation
Add a report address to the existing p=none entry:
v=DMARC1; p=none; rua=mailto:dmarc@beispiel.de
The rua address receives the daily aggregated reports. For analysis, a DMARC monitor like MARCo is well suited, making the XML reports readable.
3. Stagger up to reject
After the observation phase, tighten in stages — pct controls the portion:
v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@beispiel.de
And finally, with strict alignment, enforcement. All-Inkl’s own detailed example record shows the form:
v=DMARC1; p=reject; rua=mailto:mail@ihre-domain.de; ruf=mailto:mail@ihre-domain.de; adkim=s; aspf=r
On the syntax: parameter and value with no space around the =, separated by ;.
4. Important with external report addresses
If your rua or ruf address points to a different domain than the one the DMARC record applies to (e.g. a monitoring service), that other domain needs an authorization record — otherwise the report sender ignores the address. All-Inkl’s example: if DMARC applies to example.com and the report address is on ihre-domain.de, then this record must be at ihre-domain.de:
example.com._report._dmarc.ihre-domain.de TXT "v=DMARC1"
Almost everyone forgets this step — it’s the reason reports sometimes never arrive.
The most important tags
| Tag | Meaning |
|---|---|
p= | policy: none / quarantine / reject |
sp= | policy for subdomains |
pct= | portion of mail in percent (default 100) |
rua= | addresses for aggregated reports |
ruf= | addresses for forensic reports |
adkim= / aspf= | alignment mode (r relaxed, s strict) |
fo= | when a forensic report is generated |
Verify the result
Check your configuration with the free MXAudit scanner — it shows you DMARC, SPF, and DKIM at a glance.
Common mistakes
External report address without authorization. Reports to a foreign domain only arrive if that domain publishes the _report._dmarc authorization record.
Leaving it at p=none. The default entry only observes — it doesn’t protect. After the test phase, tighten to quarantine/reject.
Straight to reject. Without a none phase you block legitimate sources.
Spaces around the =. Parameter and value right against each other, separated with ;.
Further reading
- All-Inkl guide: DNS tools — DMARC (retrieved: July 10, 2026)
- RFC 7489 — DMARC
