Last updated: July 2026

In short: united-domains controls DMARC conveniently via radio buttons in Email security. After this guide you switch DMARC to enforcing safely — and secure unused domains immediately.

Prerequisites

What is DMARC?

DMARC (Domain-based Message Authentication, Reporting & Conformance) defines how mail servers handle mail that doesn’t meet your security policies: it can “still be delivered (p=none), moved to a spam folder (p=quarantine), or no longer be delivered at all (p=reject)”. Technically it’s a TXT record under _dmarc.

Two paths — depending on whether the domain sends

united-domains cleanly separates two cases:

Domains you send NO mail from (including pure brand-protection domains): here you can “create a DMARC entry with the parameter p=reject directly and without further checking”. That’s the best protection against abuse — and explicitly intended for domains “that they don’t actively use at all and have only reserved for brand-protection reasons”. Do this for every parked domain.

Domains you send from: here you must “not set the DMARC entry directly to p=reject” — first all sending systems must be cleanly authenticated. For that, the staggered path below.

Step-by-step guide (sending domains)

1. Start with p=none

Open the Email security page (on the email overview page via the Security button). In the DMARC Management block, set the radio button to DMARC active (p=none) and save. p=none only collects reports (“recommended for the start”), blocks nothing.

2. Store a rua address and analyze reports

Under the radio buttons, enter one or more rua addresses and save. The aggregated reports go to this address. united-domains offers an integrated DMARC management (partner tool) for this — but in principle any DMARC monitoring solution that analyzes rua reports works, e.g. MARCo. Over the next few days you’ll see which systems send via your domain.

3. Configure sending systems cleanly

For each legitimate system (newsletter tool, CRM, ticketing system) you check whether DKIM and SPF are set correctly. Either identify unknown sources as forgeries or reconfigure them.

4. Switch to p=reject

As soon as all legitimate systems are clean, set the radio button in the DMARC Management block to DMARC active and secure (p=reject) and save. Conceptually that corresponds to:

v=DMARC1; p=reject; rua=mailto:dmarc@beispiel.de

Verify the result

Check your configuration with the free MXAudit scanner — it shows you the DMARC policy, SPF, and DKIM at a glance.

Common mistakes

Left parked domains unprotected. Those are exactly what attackers like to abuse. Set non-sending domains straight to p=reject.

Sending domain straight to reject. Without a none phase and report analysis you block legitimate systems.

No rua address. Without reports you never see which sources fail.

DMARC without SPF/DKIM. For sending domains both must be correctly in place.

Further reading