Last updated: July 2026
In short: After this guide your domain uses either Strato’s default DMARC rule or your own
_dmarcrecord with a policy of your choosing.
Prerequisites
- A Strato package with email
- SPF and DKIM must be in place — at Strato, DKIM is already active for sending via its own servers anyway
What is DMARC?
DMARC (Domain-based Message Authentication, Reporting & Conformance) combines SPF and DKIM into an enforceable policy. The receiving mail server recognizes from the DKIM signature and SPF whether a mail really comes from you — and handles forgeries according to the policy you store in the _dmarc TXT record. Strato rightly warns: “More and more email providers check DMARC strictly and reject messages that fail the check.”
The starting point at Strato
Two peculiarities make Strato special here:
DMARC is already activated at Strato — there’s a default DMARC rule. For many that’s enough. If you want your own policy (e.g. staggered toward reject), you replace it with your own record.
Strato itself sends no DMARC reports. Verbatim: “The STRATO mail server does not send such reports due to German data protection regulations.” But that does not mean reports are pointless for you: the large receivers (Gmail, Outlook & co.) still send aggregated reports to your rua address. A DMARC monitor like MARCo analyzes these — so you still see who sends in your name.
Step-by-step guide
1. Decide: default rule or your own policy
For getting started, Strato’s default rule is often enough. If you want to walk the path to p=reject and analyze reports, you set your own record — here’s how.
2. Set your own DMARC rule
In the DNS settings of your domain, switch to “No STRATO DMARC rule” and then create a TXT record:
- Type:
TXT - Prefix:
_dmarc - Value (start, observation):
v=DMARC1; p=none; rua=mailto:dmarc@beispiel.de
Click “Apply setting”.
3. From none via quarantine to reject
Start with p=none, read the reports from the large receivers, and then tighten. Strato’s documented example value for the middle level:
v=DMARC1; p=quarantine; pct=100
And finally enforcement:
v=DMARC1; p=reject; rua=mailto:dmarc@beispiel.de
Only move on when the reports show that all legitimate sources pass SPF/DKIM.
4. Repeat for each domain
The policy applies per domain — set it up for every domain whose mail should be handled this way.
Verify the result
Check your configuration with the free MXAudit scanner — it shows you the DMARC policy, SPF, and DKIM at a glance.
Common mistakes
Duplicate _dmarc record. If you want to go back from your own rule to the Strato default rule, that only works if no TXT records with the prefix _dmarc exist anymore — remove existing ones via “Delete” first.
Straight to p=reject. Without a none phase you block legitimate sources. Observe first, then tighten.
Considered reports pointless. True, Strato itself sends none — but Gmail, Outlook, and others do. Set rua from the start.
DMARC without an SPF/DKIM basis. DMARC only evaluates SPF/DKIM results. Check SPF and DKIM first.
Further reading
- Strato FAQ: Activating DMARC at STRATO (German) (retrieved: July 10, 2026)
- RFC 7489 — DMARC
