Last updated: July 2026
In short: After this guide your domain publishes a DMARC TXT record in the Hetzner DNS zone — safely staggered from observation to enforcement.
Prerequisites
- A DNS zone at Hetzner (Hetzner Console) or konsoleH web hosting
- SPF and DKIM must be in place — DMARC builds on them
What is DMARC?
DMARC (Domain-based Message Authentication, Reporting & Conformance) builds, as Hetzner’s docs cleanly put it, on SPF and DKIM “and specifies how receiving mail servers should handle emails that fail these checks”. It also lets you receive reports on failed checks. You configure it via a TXT record in your DNS zone.
The policies
Hetzner names the three levels concisely and correctly:
none— “delivers the email and only performs an evaluation” (observe)quarantine— “may treat the email as spam”reject— “rejects the email”
This is also the order in which you switch DMARC to enforcing.
Step-by-step guide
1. Start with observation
Hetzner’s typical example record reads _dmarc.example.com IN TXT "v=DMARC1; p=none". To get started, you add a report address. In your DNS zone, create:
| Field | Value |
|---|---|
| Type | TXT |
| Name | _dmarc |
| Value | "v=DMARC1; p=none; rua=mailto:dmarc@beispiel.de" |
As with the SPF record, the Hetzner quirk applies: the TXT value must be in quotation marks. You best analyze the rua reports with a DMARC monitor like MARCo.
2. Read reports, clean up sources
After one or two weeks the reports show which sources don’t yet pass SPF/DKIM. Only once all legitimate senders are clean do you tighten.
3. Stagger up to reject
v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@beispiel.de
v=DMARC1; p=reject; rua=mailto:dmarc@beispiel.de
(Enter in quotation marks again in the Hetzner Console.)
4. Wait until the change is live
DNS changes take time — a few hours depending on caching.
The most important tags
| Tag | Meaning |
|---|---|
v=DMARC1 | version, must be at the start |
p= | policy: none / quarantine / reject |
rua= | address for aggregated reports |
pct= | portion of mail the policy applies to |
sp= | policy for subdomains |
adkim= / aspf= | alignment (r relaxed, s strict) |
Verify the result
Check your configuration with the free MXAudit scanner — it shows you DMARC, SPF, and DKIM at a glance.
Common mistakes
Forgot the quotation marks. In the Hetzner Console the TXT value goes in quotation marks.
Straight to reject. Without a none phase you block legitimate sources.
No rua. Without a report address you’re flying blind.
DMARC without SPF/DKIM. First SPF and DKIM, then DMARC.
Further reading
- Hetzner Docs: Email security with DKIM, SPF, and DMARC (retrieved: July 10, 2026)
- RFC 7489 — DMARC
