Last updated: July 2026
In short: By publishing a DMARC record in your DNS, you instruct receiving servers how to handle emails claiming to come from your domain that fail authentication. This guide shows how to configure the record in CloudPit or oneHome and build your enforcement ramp safely.
Prerequisites
- An active dogado web hosting plan with control panel access (CloudPit or oneHome)
- SPF and DKIM must be set up beforehand — DMARC builds technically on both mechanisms:
DMARC ist ein Validierungssystem, das in Verbindung mit SPF und DKIM dazu beiträgt, Betrug durch E-Mail-Imitationen oder Spoofing zu verhindern(“DMARC is a validation system that, in conjunction with SPF and DKIM, helps prevent fraud via email impersonation or spoofing”).
What is DMARC?
DMARC (Domain-based Message Authentication, Reporting & Conformance) links your SPF and DKIM authentication results to an enforceable rule for receiving mail platforms. When attackers attempt to forge your domain name, DMARC tells receiving servers whether those messages should be accepted, sent to spam, or rejected immediately.
At the same time, DMARC provides a comprehensive reporting engine: diagnostic feedback reports reveal exactly which servers and IP addresses worldwide transmit email on behalf of your domain.
The recommended ramp: none → quarantine → reject
As dogado recommends in their official guidelines, rollout should happen in gradual steps: Normalerweise beginnt man bei der Auswahl der Richtlinien mit none, dann quarantine und schließlich reject (“Normally you begin selecting policies with none, then quarantine, and finally reject”).
The three policy tiers explained:
none(Monitoring mode):none: dient der Überwachung und dem Sammeln von Ergebnissen, ohne dass Maßnahmen ergriffen werden; E-Mails werden wie gewohnt zugestellt(“none: serves for monitoring and gathering results without taking action; emails are delivered as usual”). Always start here to verify through reports that all legitimate tools sign properly.quarantine(Quarantine):quarantine: Nachrichten, die die DMARC Prüfung nicht bestehen, werden in einen Spam-Ordner, oder Ähnliches, verschoben(“quarantine: messages failing DMARC evaluation are moved to a spam folder or similar”). If you want to enable active filtering right away, dogado notes:Wenn Sie DMARC nur aktivieren möchten, empfehlen wir die Option quarantine(“If you just want to activate DMARC, we recommend the quarantine option”).reject(Rejection): The highest enforcement level:reject: E-Mails, die die DMARC Prüfung nicht bestehen, werden gar nicht erst zugestellt(“reject: emails failing DMARC evaluation are not delivered at all”).
Step-by-step guide
1. Start with the monitoring record (p=none)
Prepare your initial TXT record for monitoring:
v=DMARC1; p=none; rua=mailto:dmarc@example.com
Replace dmarc@example.com with the email address where you want to receive daily diagnostic summaries.
2. Open DNS management inside CloudPit or oneHome
Open your domain’s DNS management area in your dogado customer portal: Anschließend können Sie den Eintrag gemäß unserer DNS-Anleitung setzen (“You can then create the record according to our DNS guide”). Navigate to CloudPit via Webhosting → Actions → DNS Management, or in oneHome via the domain’s DNS settings tile.
3. Add the TXT record for _dmarc
Add a new entry inside your DNS table:
- Name / Hostname:
_dmarc(this applies the record to the_dmarc.example.comsubdomain) - Type: TXT
- Value / Text:
v=DMARC1; p=none; rua=mailto:dmarc@example.com - TTL: Keep the default setting (e.g., 600 seconds)
Save your new DNS record.
4. Analyze RUA and RUF reports and escalate to quarantine/reject
Once active, receiving mail platforms send daily RUA summaries: RUA-Berichte werden täglich versandt und enthalten eine Übersicht aller von Ihrer Domain versendeten E-Mails, einschließlich der IP-Adressen (“RUA reports are sent daily and contain an overview of all emails sent from your domain, including IP addresses”).
In addition, DMARC supports immediate forensic failure notifications via the ruf= tag: RUF-Berichte werden nur gesendet, wenn eine E-Mail die DMARC Prüfung nicht besteht (“RUF reports are sent only when an email fails DMARC validation”).
Once your reports confirm that all legitimate senders pass checks, escalate your policy to quarantine:
v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com
And eventually to full rejection:
v=DMARC1; p=reject; rua=mailto:dmarc@example.com
Key DMARC tags explained
| Tag | Meaning |
|---|---|
v=DMARC1 | Protocol version tag (must strictly appear at the very start of the TXT string) |
p= | Main enforcement policy (none, quarantine, or reject) |
rua=mailto:... | Target URI where daily aggregated XML reports are sent |
ruf=mailto:... | Target URI for immediate forensic failure reports |
Verify the result
Once saved, audit your domain using the free MXAudit scanner to verify that your DMARC record resolves correctly and inspect alignment with your SPF and DKIM records.
You can also query your terminal to check that nameservers are serving your new record:
dig TXT _dmarc.example.com +short
The output must begin with v=DMARC1;.
Common mistakes
Jumping directly to p=reject. Disregarding the monitoring phase and jumping straight to rejection will inevitably block legitimate third-party tools (such as newsletters, CRM software, or billing systems). Always use none or at least quarantine initially.
Placing the record on root (@) instead of _dmarc. A DMARC record must be created exactly on the _dmarc hostname. If placed on the root domain (@), receiving platforms will not find your policy.
Omitting the reporting tag (rua). Without an RUA destination, you operate blind without any feedback regarding delivery errors or active spoofing attempts.
