How to set up DMARC on AWS Route 53
Add a DMARC record in your Route 53 hosted zone to tell mail providers what to do with email that fails your checks.
Why this matters to your business
DMARC ties SPF and DKIM together and adds the missing instruction: what should a receiving mail provider do when an email claiming to be from you fails the checks? Without DMARC, each provider guesses. With it, you decide — and you can ask them to send you reports showing who is sending mail in your name.
In plain terms: DMARC is what actually stops criminals from spoofing your domain to scam your customers or staff. It’s the policy on top of the locks SPF and DKIM provide — free, and well worth the few minutes.
Set up SPF and DKIM first
DMARC works by checking the results of SPF and DKIM. If you haven’t added those yet, do them first — a DMARC policy with nothing underneath it has nothing to enforce.
Confirm Route 53 runs your DNS
As with any DNS record, this only works if Route 53 is answering DNS for your domain. Route 53 is your DNS host, not your mailbox provider. In the Route 53 console, open Hosted zones, select your domain, and note the four NS (nameserver) values; those must match the nameservers set at your registrar. If you registered the domain through Route 53 they usually already match; if it’s registered elsewhere — or you have more than one hosted zone for the domain — check carefully. If the live nameservers point elsewhere, add the DMARC record at whichever provider runs your DNS instead.
Step-by-step on Route 53
- Sign in to the AWS console and open Route 53.
- In the left menu, choose Hosted zones, then click the name of your domain.
- Click Create record.
- If a wizard with routing options appears, switch to the simple form (look for Quick create record).
- In Record name, enter exactly: _dmarc
  Do not type your domain name after it — Route 53 appends the domain for you (it shows your domain beside the field).
- Set Record type to TXT.
- In Value, start gently with a monitoring-only policy, wrapped in double quotes:
  "v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com"
  Replace the address with a mailbox you actually read. This asks providers to email you summary reports without changing how any mail is treated yet.
- Leave TTL at the default.
- Click Create records.
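The same record can be created from code instead of the console, which is handy when you manage several zones. The following is an added example (not code from this site or from AWS) that builds the change batch the Route 53 API takes for the _dmarc TXT record. It assumes a hypothetical hosted zone id, uses yourdomain.com and dmarc@yourdomain.com as placeholders, wraps the value in the double quotes Route 53 requires, and uses UPSERT so an existing record is replaced rather than a second one added:

```python
"""Build (and optionally apply) the _dmarc TXT record for a Route 53 hosted zone."""
import json
import re

# Constructed placeholders: substitute your own zone id, domain and mailbox.
HOSTED_ZONE_ID = "ZEXAMPLE123"      # hypothetical; copy yours from the Route 53 console
DOMAIN = "yourdomain.com"
RUA = "dmarc@yourdomain.com"

VALID_POLICIES = ("none", "quarantine", "reject")


def dmarc_value(rua: str, policy: str = "none") -> str:
    """Return the DMARC TXT value as Route 53 wants it: wrapped in double quotes."""
    if policy not in VALID_POLICIES:
        raise ValueError(f"p= must be one of {VALID_POLICIES}, got {policy!r}")
    if not re.fullmatch(r"[^@\s]+@[^@\s]+", rua):
        raise ValueError(f"rua must be a plain mailbox address, got {rua!r}")
    return f'"v=DMARC1; p={policy}; rua=mailto:{rua}"'


def dmarc_record_name(domain: str) -> str:
    """The console appends the zone for you; the API wants the full host name.
    A stray '_dmarc.' prefix is stripped so a doubled host cannot be produced."""
    domain = domain.strip().rstrip(".").lower()
    if domain.startswith("_dmarc."):
        domain = domain[len("_dmarc."):]
    return f"_dmarc.{domain}"


def dmarc_change_batch(domain: str, rua: str, policy: str = "none", ttl: int = 300) -> dict:
    """ChangeBatch for change_resource_record_sets. UPSERT creates the record if
    absent and replaces it if present, enforcing the one-DMARC-record rule.
    ttl=300 matches the console's default."""
    return {
        "Comment": "DMARC policy",
        "Changes": [{
            "Action": "UPSERT",
            "ResourceRecordSet": {
                "Name": dmarc_record_name(domain),
                "Type": "TXT",
                "TTL": ttl,
                "ResourceRecords": [{"Value": dmarc_value(rua, policy)}],
            },
        }],
    }


def apply(zone_id: str, batch: dict) -> str:
    """Submit the change with boto3 (needs AWS credentials; not exercised offline)."""
    import boto3  # imported lazily so the builder itself runs without boto3 installed
    client = boto3.client("route53")
    resp = client.change_resource_record_sets(HostedZoneId=zone_id, ChangeBatch=batch)
    return resp["ChangeInfo"]["Id"]


if __name__ == "__main__":
    batch = dmarc_change_batch(DOMAIN, RUA)
    print(json.dumps(batch, indent=2))
    # apply(HOSTED_ZONE_ID, batch)  # uncomment once the zone id and credentials are real
```

Run it once without the apply call to inspect the JSON; the Name field should read _dmarc.yourdomain.com exactly once, and the Value should keep its surrounding quotes.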
Choosing your policy (the p= part)
- p=none — monitor only. Nothing is blocked; you just receive reports. Start here.
- p=quarantine — send failing mail to spam/junk.
- p=reject — refuse failing mail outright (the strongest protection).
Run p=none for a few weeks, read the reports to confirm all your legitimate mail passes, then move up to quarantine and finally reject. Jumping straight to reject before you’ve checked the reports risks blocking your own genuine email.
Route 53 quirks people get wrong
- The value must be in double quotes. Route 53 expects you to type the quotes yourself: "v=DMARC1; p=none; ...". Leaving them off is the most common Route 53 mistake.
- Record name is _dmarc, with the underscore. A common error is dropping the underscore, or typing _dmarc.yourdomain.com — in Route 53 you enter just _dmarc and the zone is appended for you. Typing the full domain creates a broken _dmarc.yourdomain.com.yourdomain.com host that never gets checked.
- One DMARC record only. Like SPF, there must be a single DMARC TXT record at _dmarc. If one exists, edit it rather than adding a second.
- Use a real reporting mailbox. The address after rua=mailto: should be one you genuinely check, or the reports are wasted. It can be on the same domain or a different one. (If you point reports at a domain you don’t control, that domain has to authorise it — but for your own domain you’re fine.)
- Right hosted zone, right account. With several zones or AWS accounts it’s easy to edit the wrong one. Confirm the zone’s four NS values match your live nameservers.
- Give it time. DNS changes can take a few minutes up to a couple of hours to take effect.
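The quirks above are all things you can lint for before waiting on propagation. The following is an added example, not code from this site, that takes a record name and the TXT values as Route 53 shows them (quotes included) and reports each of those mistakes: a doubled host name, a missing underscore, missing quotes, more than one DMARC record, an unknown p= value, a missing or malformed rua=, and a reporting address on a different domain. The sample inputs are constructed and use yourdomain.com as a placeholder. The external-domain check compares exact domains, so a subdomain of your own domain is flagged too; read that finding as a warning rather than an error:

```python
"""Lint a DMARC record, as stored in Route 53, against the common mistakes."""
import re

VALID_POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc(value: str) -> dict:
    """Split 'v=DMARC1; p=none; rua=...' into a tag dict (tag names lower-cased)."""
    tags = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            key, _, val = part.partition("=")
            tags[key.strip().lower()] = val.strip()
    return tags


def check_dmarc(domain: str, name: str, txt_values: list) -> list:
    """Return a list of findings; an empty list means the record looks sound."""
    findings = []
    domain = domain.lower().rstrip(".")
    name = name.lower().rstrip(".")

    # Record name: must be exactly _dmarc.<domain>, not doubled, underscore present.
    if name == f"_dmarc.{domain}.{domain}":
        findings.append("record name doubled: enter just _dmarc in the console, the zone is appended for you")
    elif name != f"_dmarc.{domain}":
        findings.append(f"record must live at _dmarc.{domain}, found {name}")

    records = [v for v in txt_values if v.strip('"').lower().startswith("v=dmarc1")]
    if not records:
        findings.append("no TXT value starting with v=DMARC1")
        return findings
    if len(records) > 1:
        findings.append(f"{len(records)} DMARC records found; there must be exactly one")

    for raw in records:
        if not (raw.startswith('"') and raw.endswith('"')):
            findings.append("value is not wrapped in double quotes as Route 53 expects")
        tags = parse_dmarc(raw.strip('"'))
        policy = tags.get("p")
        if policy not in VALID_POLICIES:
            findings.append(f"p= must be none, quarantine or reject, got {policy!r}")
        rua = tags.get("rua", "")
        if not rua:
            findings.append("no rua= address: you will receive no reports")
            continue
        for uri in rua.split(","):
            uri = uri.strip()
            match = re.fullmatch(r"mailto:[^@\s]+@([^@\s]+)", uri)
            if not match:
                findings.append(f"rua entry is not in mailto:address form: {uri}")
            elif match.group(1).lower() != domain:
                # Reports sent to another domain only flow if that domain authorises it
                # (RFC 7489 does this with a <domain>._report._dmarc.<other> TXT record).
                findings.append(f"reports go to external domain {match.group(1)}; that domain must authorise receiving them")
    return findings


# Constructed samples: (domain, record name as stored, TXT values as stored)
SAMPLES = {
    "good": ("yourdomain.com", "_dmarc.yourdomain.com",
             ['"v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com"']),
    "doubled name, no quotes, no rua": ("yourdomain.com", "_dmarc.yourdomain.com.yourdomain.com",
                                        ['v=DMARC1; p=reject']),
    "two records": ("yourdomain.com", "_dmarc.yourdomain.com",
                    ['"v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com"',
                     '"v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com"']),
    "bad policy, external reports": ("yourdomain.com", "_dmarc.yourdomain.com",
                                     ['"v=DMARC1; p=block; rua=mailto:reports@otherdomain.example"']),
}


def lint_samples() -> dict:
    """Run every sample through the checker; returns {label: findings}."""
    return {label: check_dmarc(*args) for label, args in SAMPLES.items()}


if __name__ == "__main__":
    for label, findings in lint_samples().items():
        print(f"{label}: {'OK' if not findings else ''}")
        for f in findings:
            print(f"  - {f}")
```

To lint your own zone, pass the name and value(s) shown in the Route 53 console (or returned by list_resource_record_sets) in place of the samples; a clean record yields an empty findings list.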
Verify it worked
Once saved and propagated, run the free check on this site. It will tell you in plain language whether your DMARC record is in place and what policy you’ve set.