Last updated: July 2026

In short: DMARC ties together your SPF and DKIM authentication to protect your domain against spoofing. You configure the policy by publishing a TXT record on the _dmarc subdomain inside your webgo DNS management area.

Prerequisites

  • A webgo web hosting, server, or email package with an active domain
  • Access to the webgo customer portal (https://login.webgo.de) or Webspace-Admin
  • Active and working SPF and DKIM records deployed on your domain

What is DMARC?

DMARC (Domain-based Message Authentication, Reporting, and Conformance) informs receiving mail servers (such as Gmail, Outlook, or Yahoo) what action to take when an incoming message claiming to be from your domain fails SPF or DKIM alignment checks.

As webgo explains regarding resource records and email behavior: Der TXT-Eintrag erlaubt das Speichern von beliebigen Textinformationen. Häufig wird er verwendet, um Domains bei Diensten zu verifizieren oder das E-Mail-Verhalten zu verbessern (SPF, DKIM, DMARC).

By adjusting the policy parameter (p=) in your DMARC record, you control receiver enforcement:

  • p=none: Monitoring mode. Emails are delivered normally, and receiving servers deliver daily XML reports for analysis.
  • p=quarantine: Messages failing authentication are routed to the recipient’s spam or quarantine folder.
  • p=reject: Strict block. Unauthenticated emails are rejected outright during the initial SMTP handshake.

The starting point at webgo

You configure your DMARC policy directly inside your domain’s DNS settings (Der TXT-Eintrag erlaubt das Speichern von beliebigen Textinformationen. Häufig wird er verwendet, um Domains bei Diensten zu verifizieren oder das E-Mail-Verhalten zu verbessern (SPF, DKIM, DMARC).).

The entry is published as a TXT record attached to the reserved subdomain _dmarc. For an initial safe deployment, use:

v=DMARC1; p=none; rua=mailto:dmarc@example.com

Step-by-step guide

1. Check whether a DMARC policy is already published

Check via terminal if your domain currently publishes a DMARC record:

dig TXT _dmarc.example.com +short

If the returned output starts with v=DMARC1, a policy is active. If the response is blank, proceed to create a new record.

2. Open DNS management at webgo

Log in to the webgo customer portal (login.webgo.de), choose your contract, and open DNS-Verwaltung (DNS management inside your customer portal or in Webspace-Admin under Domain / DNS).

3. Add the TXT record for _dmarc

In your domain’s DNS management table, add a new entry with the following values:

  • Type: TXT
  • Subdomain / Host: _dmarc
  • Text value / Content:
    v=DMARC1; p=none; rua=mailto:dmarc@example.com

(Replace dmarc@example.com with the actual email address where you wish to receive daily XML diagnostic reports).

Save your DNS entry.

4. Progressively tighten your policy

After monitoring XML reports for several weeks and verifying that all legitimate corporate sending sources pass SPF and DKIM alignment, upgrade your policy from p=none to p=quarantine, and eventually to strict p=reject (Der TXT-Eintrag erlaubt das Speichern von beliebigen Textinformationen. Häufig wird er verwendet, um Domains bei Diensten zu verifizieren oder das E-Mail-Verhalten zu verbessern (SPF, DKIM, DMARC).).

The components of the DMARC record

ComponentMeaning
_dmarcDedicated technical subdomain queried by receiving mail servers for your DMARC policy
v=DMARC1Protocol version tag (must strictly be placed first in the TXT value string)
p=noneEnforcement directive (none for observation, quarantine for spam, reject for outright rejection)
rua=mailto:...Target URI and email address where daily aggregated XML reports are delivered

Verification

After saving the record inside webgo’s DNS settings, immediately test your setup using the free MXAudit scanner — check your DMARC syntax and ensure domain alignment.

You can also use your terminal to confirm that nameservers are serving the updated policy:

dig TXT _dmarc.example.com +short

The output should show exactly "v=DMARC1; p=none; rua=mailto:dmarc@example.com".

Common mistakes

  • Creating the record on root (@): Placing the TXT record on your root domain instead of the _dmarc subdomain prevents receiving servers from finding your DMARC policy.
  • Omitting the mailto: scheme: The rua= attribute requires the mailto: scheme directly before your email address (Der TXT-Eintrag erlaubt das Speichern von beliebigen Textinformationen. Häufig wird er verwendet, um Domains bei Diensten zu verifizieren oder das E-Mail-Verhalten zu verbessern (SPF, DKIM, DMARC).).
  • Switching directly to p=reject: Enabling strict rejection without an observation period (p=none) risks blocking legitimate corporate emails sent from unconfigured third-party tools.

Further reading