How to set up DMARC on Squarespace

Add a DMARC record in your Squarespace DNS to tell mail providers what to do with email that fails your checks.

Why this matters to your business

DMARC ties SPF and DKIM together and adds the missing instruction: what should a receiving mail provider do when an email claiming to be from you fails the checks? Without DMARC, each provider guesses. With it, you decide — and you can ask them to send you reports showing who is sending mail in your name.

In plain terms: DMARC is what actually stops criminals from spoofing your domain to scam your customers or staff. It’s the policy on top of the locks SPF and DKIM provide — free, and well worth the few minutes.

Set up SPF and DKIM first

DMARC works by checking the results of SPF and DKIM. If you haven’t added those yet, do them first — a DMARC policy with nothing underneath it has nothing to enforce.

A quick note on what Squarespace does here

Squarespace is your DNS host for this record — the place that holds the note. It is not your email provider; your mailboxes run through a separate service. DMARC itself is a single DNS record, so unlike SPF and DKIM there’s no value to fetch from your mail provider — you write it yourself, below.

Confirm Squarespace runs your DNS

As with any DNS record, this only works if Squarespace is answering DNS for your domain — that is, your domain’s nameservers point to Squarespace. This is the case if you registered the domain with Squarespace, or connected an outside domain and chose to let Squarespace manage its DNS. If your nameservers point to another company, add the DMARC record at whichever provider runs your DNS instead. Check the domain’s DNS / nameserver settings in your Squarespace account if you’re unsure.

Step-by-step in Squarespace

Sign in to Squarespace and open your Domains area.
Click the domain you want to set up.
Open its DNS settings (look for DNS / DNS Settings / Advanced DNS / Custom Records).
Add a new custom DNS record and set the Type to TXT.
In the Host field (sometimes labelled Name), enter exactly: _dmarc Do not type your domain name after it — Squarespace appends the domain for you.
In the Data / Value field, start gently with a monitoring-only policy: v=DMARC1; p=none; rua=mailto:[email protected] Replace the address with a mailbox you actually read. This asks providers to email you summary reports without changing how any mail is treated yet.
Save the record.

Choosing your policy (the `p=` part)

p=none — monitor only. Nothing is blocked; you just receive reports. Start here.
p=quarantine — send failing mail to spam/junk.
p=reject — refuse failing mail outright (the strongest protection).

Run p=none for a few weeks, read the reports to confirm all your legitimate mail passes, then move up to quarantine and finally reject. Jumping straight to reject before you’ve checked the reports risks blocking your own genuine email.

Squarespace quirks people get wrong

Host is _dmarc, with the underscore. A common mistake is leaving the underscore off, or typing _dmarc.yourdomain.com — in Squarespace you enter just _dmarc. The leading underscore is required; don’t drop it.
Don’t add your own quotes. Paste the plain value beginning v=DMARC1;. Squarespace handles the quoting; manual " marks can break the record.
One DMARC record only. Like SPF, there must be a single DMARC TXT record. If one already exists, edit it rather than adding a second.
Use a real reporting mailbox. The address after rua=mailto: should be one you genuinely check, or the reports are wasted. It can be on the same domain or a different one.
Give it time. DNS changes can take a few minutes up to a couple of hours to take effect.

Verify it worked

Once saved and propagated, run the free check on this site. It will tell you in plain language whether your DMARC record is in place and what policy you’ve set. Your data is processed in the EU.

Done? Check your domain free to confirm it worked — and see your full grade across all 34 checks.