Using Email Authentication with DMARC Records
Please use the “Print” function at the bottom of the page to create a PDF.
If you send large volumes of emails from your email accounts, we recommend that you use DMARC in conjunction with DKIM and SPF. Using DMARC along with DKIM and SPF has the following advantages:
You can use DMARC to authenticate emails and receive detailed reports on delivery. You can specify how the recipient should handle email messages and inform you as the domain owner depending on the results of the DKIM and SPF check.
With DKIM (DomainKeys Identified Mail), the recipient can check the authenticity of emails and ensure that they originate from the specified domain and have not been modified during transmission. For this purpose, the sender's email server adds a digital signature to the email, which is checked by the recipient's email server. This process helps to ensure the authenticity of the message and reduce the likelihood of emails being classified as spam.
With the Sender Policy Framework (SPF), you as the domain owner can specify in a DNS entry which servers are allowed to send emails with your domain. This procedure helps mail servers to reduce the likelihood of phishing attempts and improve the deliverability of legitimate emails.
Example Configurations for DMARC Records
With a DMARC record, you specify what the receiving system should do if a received email does not pass either the SPF or the DKIM validation. Some example configurations are listed below:
Neutral configuration - delivery despite failed SPF and DKIM validation
This DMARC record improves the deliverability to the receiving email server. The configuration does not reject any emails and sends an aggregated status report on all emails that do not match the results of the SPF and DKIM check for the domain and all subdomains to the email address postmaster@example.com.
TXT record for the subdomain _dmarc.yourdomain.tld:
v=DMARC1;p=none;rua=mailto:postmaster@example.com
Quarantine - delivery of non-valid emails to the spam folder
This DMARC record treats all emails as spam that neither have a valid DKIM signature nor originate from an authorized server (SPF).
TXT record for the subdomain _dmarc.yourdomain.tld:
v=DMARC1;p=quarantine;ruf=mailto:postmaster@example.com
Rejection - Non-valid emails are rejected
With this DMARC record, emails that neither have a valid DKIM signature (DKIM) nor originate from an authorized server (SPF) are rejected outright by the recipient.
TXT record for the subdomain _dmarc.yourdomain.tld:
v=DMARC1;p=reject;rua=mailto:postmaster@example.com
Configuring a DMARC Record
You can configure DMARC records in your IONOS account. To do this, follow these steps:
- Log in to your IONOS account.
Click on the Domains & SSL tile.
For the desired domain, click on the gear icon under Actions and then on DNS.
Click on Add Record and select the TXT row.
Enter _dmarc in the Host name field.
If your email domain is a subdomain, e.g. For example, abc.example.com, you must also specify the hostname of the subdomain. Separate the two hostnames with a period. So in the abc.example.com example, you would enter _dmarc.abc as the hostname.
In the Value field, enter the desired tags, which you can separate with a semicolon (;).
Example:
v=DMARC1;p=rejectOptional: Select the desired TTL (Time-To-Live).
Click on Save.
Your changes are effective immediately at IONOS. However, it can take up to 1 hour for the change to take effect everywhere due to the decentralized structure of the Domain Name System.
Notes
DMARC, together with SPF and DKIM, should be regarded as a minimum requirement for successful email delivery but not as a guarantee.
Whether and how the email provider of the respective recipient actually implements the policies is up to them. For example, "p=reject" is sometimes treated in the same way as "p=quarantine", or the DMARC status is only included in the subsequent decision of a more complex spam filter.
DMARC does not always override the spam filter at the recipient's end, i.e. even if the policy is "p=none" and SPF or DKIM are valid, the email can still be marked as spam or rejected.
Additional Information
You can find more information about configuring DMARC records in the following article:
Configuring a DMARC record for a domain
You can find more information about configuring SPF and DKIM records in the following articles: