Last updated: July 2026

In short: After this guide your domain publishes a DMARC record in the CCP. Since Netcup has no DMARC wizard, you create the _dmarc TXT record yourself — this guide leads you safely from observation to enforcement.

This guide applies to Netcup web hosting (CCP). On vServers with your own mail server (e.g. Mailcow) the same DMARC principle applies, you just enter the record in your respective DNS zone.

Prerequisites

What is DMARC?

DMARC (Domain-based Message Authentication, Reporting & Conformance) combines SPF and DKIM into an enforceable policy: the _dmarc TXT record defines what a recipient should do with unauthenticated mail, and where it sends reports.

The starting point at Netcup

Unlike for SPF and DKIM (where there are ready-made specifications), Netcup doesn’t document DMARC separately — there’s no DMARC wizard. That’s not a problem: via the CCP DNS management you create the _dmarc TXT record yourself. TXT records, according to Netcup, are meant for exactly such “textual information (often for verification or security purposes)”.

Step-by-step guide

1. Open the DNS management in the CCP

Log into the CCP, open Domains, click the magnifying glass icon next to your domain, and switch to the DNS tab.

2. Start with observation (p=none)

Create a TXT record:

  • Host: _dmarc
  • Type: TXT
  • Destination:
v=DMARC1; p=none; rua=mailto:dmarc@beispiel.de

p=none blocks nothing but collects reports. The rua address receives the daily aggregated reports — a DMARC monitor like MARCo is well suited for analysis.

3. Stagger up to reject

When the reports show that all legitimate sources pass SPF/DKIM, tighten in stages:

v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@beispiel.de

Then enforcement:

v=DMARC1; p=reject; rua=mailto:dmarc@beispiel.de

4. Wait until the change is live

DNS changes take time — a few hours depending on caching.

The most important tags

TagMeaning
v=DMARC1version, must be at the start
p=policy: none / quarantine / reject
rua=address for aggregated reports
pct=portion of mail the policy applies to
sp=policy for subdomains
adkim= / aspf=alignment (r relaxed, s strict)

Verify the result

Check your configuration with the free MXAudit scanner — it shows you DMARC, SPF, and DKIM at a glance.

Common mistakes

Straight to p=reject. Without a none phase you block legitimate sources. Always observe, then tighten.

Host set wrong. The record belongs at _dmarc, not at @.

No rua. Without a report address you never see which sources fail.

DMARC without SPF/DKIM. First SPF and DKIM, then DMARC.

Further reading