Last updated: July 2026

In short: After this guide your domain publishes a DMARC TXT record in the Route 53 hosted zone — safely staggered from observation to enforcement.

Prerequisites

  • A public hosted zone in Amazon Route 53
  • SPF and DKIM must be in place — DMARC builds on them

What is DMARC?

DMARC (Domain-based Message Authentication, Reporting & Conformance) builds on SPF and DKIM and specifies how receiving mail servers should handle emails that fail these checks. It also lets you receive reports on failed checks. You configure it via a single TXT record at the _dmarc subdomain of your zone.

The policies

There are three enforcement levels, and this is the order in which you switch DMARC on:

  • none — deliver as usual and only collect reports (observe)
  • quarantine — failing mail may be treated as spam
  • reject — failing mail is rejected outright

Step-by-step guide

1. Start with observation

Open your hosted zone in the Route 53 console and choose Create record:

FieldValue
Record name_dmarc
Record typeTXT
Value"v=DMARC1; p=none; rua=mailto:dmarc@beispiel.de"

As with the SPF record, the Route 53 rule applies: the value goes in double quotes (“A TXT record contains one or more strings that are enclosed in double quotation marks”). The record itself, in DNS terms, reads:

v=DMARC1; p=none; rua=mailto:dmarc@beispiel.de

You best analyze the rua reports with a DMARC monitoring service.

2. Read reports, clean up sources

After one or two weeks the reports show which sources don’t yet pass SPF/DKIM. Only once all legitimate senders are clean do you tighten.

3. Stagger up to reject

Edit the same _dmarc record — first to a partial quarantine:

v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@beispiel.de

then, once reports stay clean, to full rejection:

v=DMARC1; p=reject; rua=mailto:dmarc@beispiel.de

(Enter the value in double quotes again in the Route 53 Value box.)

4. Wait until the change is live

Per the AWS docs, “Changes generally propagate to all Route 53 name servers within 60 seconds” — resolver caches follow once the TTL expires.

The most important tags

TagMeaning
v=DMARC1version, must be at the start
p=policy: none / quarantine / reject
rua=address for aggregated reports
pct=portion of mail the policy applies to
sp=policy for subdomains
adkim= / aspf=alignment (r relaxed, s strict)

Verify the result

Check your configuration with the free MXAudit scanner — it shows you DMARC, SPF, and DKIM at a glance.

Common mistakes

Forgot the quotation marks. In the Route 53 Value box the TXT value goes in double quotes.

Straight to reject. Without a none phase you block legitimate sources.

No rua. Without a report address you’re flying blind.

DMARC without SPF/DKIM. First SPF and DKIM, then DMARC.

Further reading