Last updated: July 2026

In short: After this guide your domain publishes a DMARC TXT record in the Hetzner DNS zone — safely staggered from observation to enforcement.

Prerequisites

  • A DNS zone at Hetzner (Hetzner Console) or konsoleH web hosting
  • SPF and DKIM must be in place — DMARC builds on them

What is DMARC?

DMARC (Domain-based Message Authentication, Reporting & Conformance) builds, as Hetzner’s docs cleanly put it, on SPF and DKIM “and specifies how receiving mail servers should handle emails that fail these checks”. It also lets you receive reports on failed checks. You configure it via a TXT record in your DNS zone.

The policies

Hetzner names the three levels concisely and correctly:

  • none — “delivers the email and only performs an evaluation” (observe)
  • quarantine — “may treat the email as spam”
  • reject — “rejects the email”

This is also the order in which you switch DMARC to enforcing.

Step-by-step guide

1. Start with observation

Hetzner’s typical example record reads _dmarc.example.com IN TXT "v=DMARC1; p=none". To get started, you add a report address. In your DNS zone, create:

FieldValue
TypeTXT
Name_dmarc
Value"v=DMARC1; p=none; rua=mailto:dmarc@beispiel.de"

As with the SPF record, the Hetzner quirk applies: the TXT value must be in quotation marks. You best analyze the rua reports with a DMARC monitor like MARCo.

2. Read reports, clean up sources

After one or two weeks the reports show which sources don’t yet pass SPF/DKIM. Only once all legitimate senders are clean do you tighten.

3. Stagger up to reject

v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@beispiel.de
v=DMARC1; p=reject; rua=mailto:dmarc@beispiel.de

(Enter in quotation marks again in the Hetzner Console.)

4. Wait until the change is live

DNS changes take time — a few hours depending on caching.

The most important tags

TagMeaning
v=DMARC1version, must be at the start
p=policy: none / quarantine / reject
rua=address for aggregated reports
pct=portion of mail the policy applies to
sp=policy for subdomains
adkim= / aspf=alignment (r relaxed, s strict)

Verify the result

Check your configuration with the free MXAudit scanner — it shows you DMARC, SPF, and DKIM at a glance.

Common mistakes

Forgot the quotation marks. In the Hetzner Console the TXT value goes in quotation marks.

Straight to reject. Without a none phase you block legitimate sources.

No rua. Without a report address you’re flying blind.

DMARC without SPF/DKIM. First SPF and DKIM, then DMARC.

Further reading