Last updated: July 2026
In short: After this guide your domain publishes a DMARC record in the CCP. Since Netcup has no DMARC wizard, you create the
_dmarcTXT record yourself — this guide leads you safely from observation to enforcement.
This guide applies to Netcup web hosting (CCP). On vServers with your own mail server (e.g. Mailcow) the same DMARC principle applies, you just enter the record in your respective DNS zone.
Prerequisites
- A Netcup web hosting package
- Access to the Customer Control Panel (CCP)
- SPF and DKIM must be in place — DMARC only evaluates their results
What is DMARC?
DMARC (Domain-based Message Authentication, Reporting & Conformance) combines SPF and DKIM into an enforceable policy: the _dmarc TXT record defines what a recipient should do with unauthenticated mail, and where it sends reports.
The starting point at Netcup
Unlike for SPF and DKIM (where there are ready-made specifications), Netcup doesn’t document DMARC separately — there’s no DMARC wizard. That’s not a problem: via the CCP DNS management you create the _dmarc TXT record yourself. TXT records, according to Netcup, are meant for exactly such “textual information (often for verification or security purposes)”.
Step-by-step guide
1. Open the DNS management in the CCP
Log into the CCP, open Domains, click the magnifying glass icon next to your domain, and switch to the DNS tab.
2. Start with observation (p=none)
Create a TXT record:
- Host:
_dmarc - Type:
TXT - Destination:
v=DMARC1; p=none; rua=mailto:dmarc@beispiel.de
p=none blocks nothing but collects reports. The rua address receives the daily aggregated reports — a DMARC monitor like MARCo is well suited for analysis.
3. Stagger up to reject
When the reports show that all legitimate sources pass SPF/DKIM, tighten in stages:
v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@beispiel.de
Then enforcement:
v=DMARC1; p=reject; rua=mailto:dmarc@beispiel.de
4. Wait until the change is live
DNS changes take time — a few hours depending on caching.
The most important tags
| Tag | Meaning |
|---|---|
v=DMARC1 | version, must be at the start |
p= | policy: none / quarantine / reject |
rua= | address for aggregated reports |
pct= | portion of mail the policy applies to |
sp= | policy for subdomains |
adkim= / aspf= | alignment (r relaxed, s strict) |
Verify the result
Check your configuration with the free MXAudit scanner — it shows you DMARC, SPF, and DKIM at a glance.
Common mistakes
Straight to p=reject. Without a none phase you block legitimate sources. Always observe, then tighten.
Host set wrong. The record belongs at _dmarc, not at @.
No rua. Without a report address you never see which sources fail.
DMARC without SPF/DKIM. First SPF and DKIM, then DMARC.
Further reading
- Netcup Helpcenter: DNS Records (web hosting) (retrieved: July 10, 2026)
- RFC 7489 — DMARC
