Last updated: July 2026
In short: After this guide your domain at checkdomain publishes a DMARC record that tells receiving servers what to do with unauthenticated mail — and shows you via reports who sends in your name.
Prerequisites
- A domain at checkdomain with active checkdomain nameservers
- SPF and DKIM must be set up first — checkdomain itself points out that “besides DMARC, a valid SPF entry and a DKIM entry are often needed too”
What is DMARC?
DMARC (Domain-based Message Authentication, Reporting & Conformance) combines SPF and DKIM into an enforceable policy. It’s a TXT record under the subdomain _dmarc (e.g. _dmarc.example.com). In it you define two things: what a recipient should do with mail that fails the check (the p policy), and where it sends you reports (the rua address).
The reports are the clever part: via rua you get daily aggregated reports on which servers send in your name — legitimate and forged alike. That’s exactly what makes the path to safe enforcement.
The starting point at checkdomain
checkdomain does not create DMARC automatically — DMARC entries aren’t created by default. You enter the record yourself as a TXT entry in the Pro settings of the nameserver management (the same place as the SPF record).
The safe path: none → quarantine → reject
You don’t switch DMARC to enforcing right away. The three policy levels are a ramp:
p=none— observe, block nothing. You start here and collect reports.p=quarantine— suspicious mail lands in spam. Optionally withpct=for only a portion, to test carefully.p=reject— unauthenticated mail is rejected. The goal.
Only move on when the reports show that all your legitimate sending sources pass SPF/DKIM. Otherwise you block your own mail.
Step-by-step guide
1. Start with p=none
Begin with the observation record:
v=DMARC1; p=none; rua=mailto:dmarc@beispiel.de
The rua address is the mailbox (or service) that receives the aggregated reports. For analysis, a DMARC monitor like MARCo is worthwhile — it makes the daily XML reports readable and shows you which sources aren’t yet cleanly authenticated.
2. Create the TXT entry in the pro settings
Open the customer area, click Domains, open your domain’s Configuration and then the checkdomain Nameserver area. In the Pro settings, create a TXT entry:
- Name:
_dmarc - Type:
TXT - Value: your DMARC record (without quotation marks, as usual at checkdomain)
checkdomain explicitly warns: “Do not use the example value unchecked.” Use the value that fits your domain and your sending sources.
3. Analyze reports, then tighten
After one or two weeks of p=none, the reports show whether all sources are clean. Then switch to quarantine — feel free to stagger with pct:
v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@beispiel.de
pct=25 applies the policy to 25% of mail — increase step by step to 100.
4. Switch to reject
When quarantine runs cleanly, enforcement follows — optionally with strict alignment and a subdomain policy:
v=DMARC1; p=reject; rua=mailto:dmarc@beispiel.de; sp=reject; adkim=s; aspf=s
5. Wait until the change is live
According to checkdomain, the change is saved in seconds; until it’s visible worldwide it can take up to 48 hours.
The most important tags
| Tag | Meaning |
|---|---|
v=DMARC1 | version, must be at the start |
p= | policy: none (observe), quarantine (spam), reject (reject) |
rua= | address for aggregated status reports |
ruf= | address for forensic failure reports |
sp= | separate policy for subdomains |
adkim= / aspf= | alignment (r relaxed, s strict) for DKIM and SPF respectively |
Verify the result
Check your configuration with the free MXAudit scanner — it shows you the DMARC policy, SPF, and DKIM at a glance.
Common mistakes
Straight to p=reject. Without a prior none phase you almost certainly block legitimate sources (newsletter, CRM, invoicing tool) that aren’t yet cleanly authenticated. Always start with p=none and read the reports.
No rua set. Without a report address you’re flying blind — you never see which sources fail. rua belongs in from the start.
DMARC without SPF/DKIM. DMARC checks the results of SPF and DKIM. If both are missing, no mail passes the check. First SPF and DKIM, then DMARC.
Wrong hostname. The record belongs at _dmarc — not at @ or the bare domain.
Further reading
- checkdomain support: How do I set a DMARC entry? (German) (retrieved: July 10, 2026)
- RFC 7489 — DMARC
