Last updated: July 2026

In short: After this guide your domain publishes a DMARC TXT record in Gandi’s LiveDNS — safely staggered from observation to enforcement.

Prerequisites

  • A domain at Gandi using Gandi LiveDNS
  • SPF and DKIM must be in place — DMARC builds on them

What is DMARC?

DMARC (Domain-based Message Authentication, Reporting & Conformance) builds on SPF and DKIM and, as Gandi’s docs put it, “provides a recommendation about what should be done with an email that fails these checks.” It also lets you receive reports on failed checks. You configure it via a TXT record under the _dmarc subdomain.

The policies

Gandi names the three levels concisely and correctly:

  • none — “no action should be taken, but you will still receive reports” (observe)
  • quarantine — “the email should be treated as suspicious, which means it may be placed in a spam folder or otherwise marked as not trustworthy”
  • reject — “the email should be rejected and not delivered”

This is also the order in which you switch DMARC to enforcing. Gandi’s own example jumps straight to p=reject — safer is to start at none.

Step-by-step guide

1. Start with observation

In LiveDNS, open your domain’s DNS Records tab and click the green Add button above the table to add a new record. Create a _dmarc TXT record with a report address:

FieldValue
TypeTXT
Name_dmarc
Valuev=DMARC1; p=none; rua=mailto:dmarc@beispiel.de

Replace the address with “the email address where you would like to receive reports from receiving mail servers.” You best analyze the rua reports with a DMARC monitor.

2. Read reports, clean up sources

After one or two weeks the reports show which sources don’t yet pass SPF/DKIM. Only once all legitimate senders are clean do you tighten.

3. Stagger up to reject

v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@beispiel.de
v=DMARC1; p=reject; rua=mailto:dmarc@beispiel.de

Watch out with reject: Gandi warns that “you risk that forwarded mail may not be delivered” — a mailing list or a forwarding rule can trip over a strict policy. Move to reject only once your reports are clean.

4. Wait until the change is live

In LiveDNS a new record applies in real time, but propagation can take up to 72 hours everywhere.

The most important tags

TagMeaning
v=DMARC1version, must be at the start
p=policy: none / quarantine / reject
rua=address for aggregated reports
pct=portion of mail the policy applies to
sp=policy for subdomains
adkim= / aspf=alignment (r relaxed, s strict)

Verify the result

Check your configuration with the free MXAudit scanner — it shows you DMARC, SPF, and DKIM at a glance.

Common mistakes

Straight to reject. Gandi’s example uses p=reject, but without a none phase you block legitimate sources. Stagger.

No rua. Without a report address you’re flying blind.

DMARC without SPF/DKIM. First SPF and DKIM, then DMARC.

Wrong name. The record’s name is _dmarc, not the bare domain — a DMARC record at @ does nothing.

Further reading