Last updated: July 2026
In short: After this guide your domain publishes a DMARC TXT record in Gandi’s LiveDNS — safely staggered from observation to enforcement.
Prerequisites
What is DMARC?
DMARC (Domain-based Message Authentication, Reporting & Conformance) builds on SPF and DKIM and, as Gandi’s docs put it, “provides a recommendation about what should be done with an email that fails these checks.” It also lets you receive reports on failed checks. You configure it via a TXT record under the _dmarc subdomain.
The policies
Gandi names the three levels concisely and correctly:
none— “no action should be taken, but you will still receive reports” (observe)quarantine— “the email should be treated as suspicious, which means it may be placed in a spam folder or otherwise marked as not trustworthy”reject— “the email should be rejected and not delivered”
This is also the order in which you switch DMARC to enforcing. Gandi’s own example jumps straight to p=reject — safer is to start at none.
Step-by-step guide
1. Start with observation
In LiveDNS, open your domain’s DNS Records tab and click the green Add button above the table to add a new record. Create a _dmarc TXT record with a report address:
| Field | Value |
|---|---|
| Type | TXT |
| Name | _dmarc |
| Value | v=DMARC1; p=none; rua=mailto:dmarc@beispiel.de |
Replace the address with “the email address where you would like to receive reports from receiving mail servers.” You best analyze the rua reports with a DMARC monitor.
2. Read reports, clean up sources
After one or two weeks the reports show which sources don’t yet pass SPF/DKIM. Only once all legitimate senders are clean do you tighten.
3. Stagger up to reject
v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@beispiel.de
v=DMARC1; p=reject; rua=mailto:dmarc@beispiel.de
Watch out with reject: Gandi warns that “you risk that forwarded mail may not be delivered” — a mailing list or a forwarding rule can trip over a strict policy. Move to reject only once your reports are clean.
4. Wait until the change is live
In LiveDNS a new record applies in real time, but propagation can take up to 72 hours everywhere.
The most important tags
| Tag | Meaning |
|---|---|
v=DMARC1 | version, must be at the start |
p= | policy: none / quarantine / reject |
rua= | address for aggregated reports |
pct= | portion of mail the policy applies to |
sp= | policy for subdomains |
adkim= / aspf= | alignment (r relaxed, s strict) |
Verify the result
Check your configuration with the free MXAudit scanner — it shows you DMARC, SPF, and DKIM at a glance.
Common mistakes
Straight to reject. Gandi’s example uses p=reject, but without a none phase you block legitimate sources. Stagger.
No rua. Without a report address you’re flying blind.
DMARC without SPF/DKIM. First SPF and DKIM, then DMARC.
Wrong name. The record’s name is _dmarc, not the bare domain — a DMARC record at @ does nothing.
Further reading
- Gandi Docs: How To Protect Your Email Against Being Spoofed (retrieved: July 10, 2026)
- RFC 7489 — DMARC
