Last updated: July 2026
In short: After this guide your domain publishes a DMARC TXT record in the Route 53 hosted zone — safely staggered from observation to enforcement.
Prerequisites
What is DMARC?
DMARC (Domain-based Message Authentication, Reporting & Conformance) builds on SPF and DKIM and specifies how receiving mail servers should handle emails that fail these checks. It also lets you receive reports on failed checks. You configure it via a single TXT record at the _dmarc subdomain of your zone.
The policies
There are three enforcement levels, and this is the order in which you switch DMARC on:
none— deliver as usual and only collect reports (observe)quarantine— failing mail may be treated as spamreject— failing mail is rejected outright
Step-by-step guide
1. Start with observation
Open your hosted zone in the Route 53 console and choose Create record:
| Field | Value |
|---|---|
| Record name | _dmarc |
| Record type | TXT |
| Value | "v=DMARC1; p=none; rua=mailto:dmarc@beispiel.de" |
As with the SPF record, the Route 53 rule applies: the value goes in double quotes (“A TXT record contains one or more strings that are enclosed in double quotation marks”). The record itself, in DNS terms, reads:
v=DMARC1; p=none; rua=mailto:dmarc@beispiel.de
You best analyze the rua reports with a DMARC monitoring service.
2. Read reports, clean up sources
After one or two weeks the reports show which sources don’t yet pass SPF/DKIM. Only once all legitimate senders are clean do you tighten.
3. Stagger up to reject
Edit the same _dmarc record — first to a partial quarantine:
v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@beispiel.de
then, once reports stay clean, to full rejection:
v=DMARC1; p=reject; rua=mailto:dmarc@beispiel.de
(Enter the value in double quotes again in the Route 53 Value box.)
4. Wait until the change is live
Per the AWS docs, “Changes generally propagate to all Route 53 name servers within 60 seconds” — resolver caches follow once the TTL expires.
The most important tags
| Tag | Meaning |
|---|---|
v=DMARC1 | version, must be at the start |
p= | policy: none / quarantine / reject |
rua= | address for aggregated reports |
pct= | portion of mail the policy applies to |
sp= | policy for subdomains |
adkim= / aspf= | alignment (r relaxed, s strict) |
Verify the result
Check your configuration with the free MXAudit scanner — it shows you DMARC, SPF, and DKIM at a glance.
Common mistakes
Forgot the quotation marks. In the Route 53 Value box the TXT value goes in double quotes.
Straight to reject. Without a none phase you block legitimate sources.
No rua. Without a report address you’re flying blind.
DMARC without SPF/DKIM. First SPF and DKIM, then DMARC.
Further reading
- Amazon Route 53 Developer Guide: Supported DNS record types (retrieved: July 10, 2026)
- Amazon Route 53 Developer Guide: Creating records using the console (retrieved: July 10, 2026)
- RFC 7489 — DMARC
