Last updated: July 2026
In short: DMARC ties together your SPF and DKIM authentication to protect your domain against spoofing. You configure the policy by publishing a TXT record on the
_dmarcsubdomain inside your webgo DNS management area.
Prerequisites
- A webgo web hosting, server, or email package with an active domain
- Access to the webgo customer portal (
https://login.webgo.de) or Webspace-Admin - Active and working SPF and DKIM records deployed on your domain
What is DMARC?
DMARC (Domain-based Message Authentication, Reporting, and Conformance) informs receiving mail servers (such as Gmail, Outlook, or Yahoo) what action to take when an incoming message claiming to be from your domain fails SPF or DKIM alignment checks.
As webgo explains regarding resource records and email behavior:
Der TXT-Eintrag erlaubt das Speichern von beliebigen Textinformationen. Häufig wird er verwendet, um Domains bei Diensten zu verifizieren oder das E-Mail-Verhalten zu verbessern (SPF, DKIM, DMARC).
By adjusting the policy parameter (p=) in your DMARC record, you control receiver enforcement:
p=none: Monitoring mode. Emails are delivered normally, and receiving servers deliver daily XML reports for analysis.p=quarantine: Messages failing authentication are routed to the recipient’s spam or quarantine folder.p=reject: Strict block. Unauthenticated emails are rejected outright during the initial SMTP handshake.
The starting point at webgo
You configure your DMARC policy directly inside your domain’s DNS settings (Der TXT-Eintrag erlaubt das Speichern von beliebigen Textinformationen. Häufig wird er verwendet, um Domains bei Diensten zu verifizieren oder das E-Mail-Verhalten zu verbessern (SPF, DKIM, DMARC).).
The entry is published as a TXT record attached to the reserved subdomain _dmarc. For an initial safe deployment, use:
v=DMARC1; p=none; rua=mailto:dmarc@example.com
Step-by-step guide
1. Check whether a DMARC policy is already published
Check via terminal if your domain currently publishes a DMARC record:
dig TXT _dmarc.example.com +short
If the returned output starts with v=DMARC1, a policy is active. If the response is blank, proceed to create a new record.
2. Open DNS management at webgo
Log in to the webgo customer portal (login.webgo.de), choose your contract, and open DNS-Verwaltung (DNS management inside your customer portal or in Webspace-Admin under Domain / DNS).
3. Add the TXT record for _dmarc
In your domain’s DNS management table, add a new entry with the following values:
- Type: TXT
- Subdomain / Host:
_dmarc - Text value / Content:
v=DMARC1; p=none; rua=mailto:dmarc@example.com
(Replace dmarc@example.com with the actual email address where you wish to receive daily XML diagnostic reports).
Save your DNS entry.
4. Progressively tighten your policy
After monitoring XML reports for several weeks and verifying that all legitimate corporate sending sources pass SPF and DKIM alignment, upgrade your policy from p=none to p=quarantine, and eventually to strict p=reject (Der TXT-Eintrag erlaubt das Speichern von beliebigen Textinformationen. Häufig wird er verwendet, um Domains bei Diensten zu verifizieren oder das E-Mail-Verhalten zu verbessern (SPF, DKIM, DMARC).).
The components of the DMARC record
| Component | Meaning |
|---|---|
_dmarc | Dedicated technical subdomain queried by receiving mail servers for your DMARC policy |
v=DMARC1 | Protocol version tag (must strictly be placed first in the TXT value string) |
p=none | Enforcement directive (none for observation, quarantine for spam, reject for outright rejection) |
rua=mailto:... | Target URI and email address where daily aggregated XML reports are delivered |
Verification
After saving the record inside webgo’s DNS settings, immediately test your setup using the free MXAudit scanner — check your DMARC syntax and ensure domain alignment.
You can also use your terminal to confirm that nameservers are serving the updated policy:
dig TXT _dmarc.example.com +short
The output should show exactly "v=DMARC1; p=none; rua=mailto:dmarc@example.com".
Common mistakes
- Creating the record on root (
@): Placing the TXT record on your root domain instead of the_dmarcsubdomain prevents receiving servers from finding your DMARC policy. - Omitting the
mailto:scheme: Therua=attribute requires themailto:scheme directly before your email address (Der TXT-Eintrag erlaubt das Speichern von beliebigen Textinformationen. Häufig wird er verwendet, um Domains bei Diensten zu verifizieren oder das E-Mail-Verhalten zu verbessern (SPF, DKIM, DMARC).). - Switching directly to
p=reject: Enabling strict rejection without an observation period (p=none) risks blocking legitimate corporate emails sent from unconfigured third-party tools.
