Last updated: July 2026
In short: After following this guide your domain at one.com publishes a DMARC record instructing receiving mail servers how to treat unauthenticated messages, while collecting daily RUA reports detailing your global email ecosystem.
Prerequisites
- A one.com Control Panel with administrative access to your domain
- SPF and DKIM must be set up beforehand — DMARC evaluates their authentication results and cannot function without this foundation
What is DMARC?
DMARC (Domain-based Message Authentication, Reporting & Conformance) unifies your SPF and DKIM configurations into an enforceable policy. By publishing a DMARC record in your domain’s DNS, you instruct receiving mail platforms (such as Gmail, Microsoft 365, or Yahoo) what action to take when messages fail SPF or DKIM alignment.
At the same time, DMARC provides comprehensive visibility: receiving platforms send you daily reports outlining every server worldwide sending email on behalf of your domain — covering both authorized business tools and unauthorized spoofing attempts.
The recommended ramp: none → quarantine → reject
As one.com emphasizes in their official documentation, you should never deploy strict enforcement immediately: Start with p=none, then switch to p=quarantine, and finally to p=reject.
The three policy levels form a staged implementation ramp:
p=none(Monitoring mode): No email is rejected or filtered into spam. You use this phase exclusively to collect RUA reports and ensure all legitimate sending tools are correctly authenticated.p=quarantine(Quarantine): Messages failing DMARC evaluation are marked as suspicious by receiving servers and routed to the recipient’s spam or junk folder.p=reject(Rejection): The highest enforcement level. Unauthenticated messages are outright rejected during the initial SMTP connection.
Step-by-step guide
1. Start with the monitoring record (p=none)
Begin your DMARC deployment by preparing the initial monitoring record:
v=DMARC1; p=none; rua=mailto:dmarc@example.com
Replace dmarc@example.com with the email address where you want to receive diagnostic summaries. As one.com notes regarding report selection: Most users benefit from receiving only RUA reports, as they contain all the information needed for monitoring. To prevent inbox clutter, one.com recommends using a dedicated address: creating an email account on your domain dedicated to receiving these reports.
2. Open DNS settings in your Control Panel
Navigate to your domain’s DNS management area in one.com: Go to the Advanced settings tile and click DNS settings.
3. Create the TXT record for _dmarc
In your DNS settings table, choose TXT as the record type and enter the following values:
- Hostname:
_dmarc(one.com specifiesHostname: _dmarcexplicitly in their documentation) - Value / Text: Enter your DMARC string, such as the template provided by one.com:
(For your initial setup, replacev=DMARC1; p=policy name; rua=mailto:an-email-addresspolicy namewithnoneandan-email-addresswith your designated reporting mailbox, forming a record structured likev=DMARC1; p=none; rua=mailto:dmarc@example.com). - TTL: Keep the field blank (
Leave this field empty to use the default value of 3600 seconds).
Click Save to apply your new DMARC entry.
4. Analyze RUA reports and escalate enforcement
The incoming RUA reports arrive daily: RUA reports - Sent daily and contain a summary of all email activity for your domain, including IP addresses and authentication results.
Once your RUA reports confirm that all legitimate services (such as your CRM, newsletter platform, or billing system) pass SPF and DKIM checks, update your TXT record in Control Panel and escalate your p= parameter first to quarantine and eventually to reject.
Key DMARC tags explained
| Tag | Meaning |
|---|---|
v=DMARC1 | Protocol version tag; must strictly be placed at the very start of the TXT string |
p= | Main policy enforced on your domain (none, quarantine, or reject) |
rua=mailto:... | Target URI where daily aggregated XML reports are sent |
ruf=mailto:... | Optional: Target URI for forensic failure reports (documented in one.com’s template v=DMARC1; p=policy name; rua=mailto:an-email-address; ruf=mailto:an-email-address, though rarely required) |
Verify the result
Right after saving your record, verify your setup using the free MXAudit scanner. MXAudit validates your DMARC syntax instantly and verifies alignment across your SPF and DKIM configurations.
You can also check your DNS record directly via terminal:
dig TXT _dmarc.example.com +short
The returned output must begin with v=DMARC1;.
Common mistakes
Jumping directly to p=reject. Disregarding one.com’s staged rollout recommendation and jumping straight to rejection will inevitably block legitimate third-party services. Always follow the none → quarantine → reject ramp.
Omitting the reporting tag (rua). Without an RUA destination, you operate blind without any feedback regarding whether legitimate messages fail or if third parties spoof your domain.
Placing the record on the root domain (@). A DMARC record must be created exactly on the _dmarc hostname. If placed on the root domain (@), mail platforms will not find your policy.
Enforcing DMARC before configuring SPF and DKIM. DMARC depends entirely on the alignment of SPF and DKIM. Always verify your underlying authentication methods before creating a DMARC record.
