How to Set Up DMARC in DigitalOcean DNS: Step-by-Step Guide
Add a DMARC record to DigitalOcean DNS. Step-by-step guide covering domain management, TXT record creation, and verification.
Last updated: 2026-05-27
DigitalOcean's DNS management is a solid option if you already host droplets, Kubernetes clusters, or App Platform projects there. Adding a DMARC record through DigitalOcean's networking panel takes about two minutes, and it works identically whether your domain fronts a single droplet or an entire load-balanced infrastructure.
This guide covers the full process: prerequisites, record creation, DigitalOcean-specific quirks, and verification. If you need help deciding on a DMARC policy before you start, read our how to create a DMARC record guide first.
Prerequisites
Before you touch the DNS panel, make sure these are in place.
Your domain must be added to DigitalOcean's networking panel. Go to the Networking section in the DigitalOcean control panel and confirm your domain is listed. If it is not, add it there first.
Your domain's nameservers must point to DigitalOcean. DigitalOcean uses ns1.digitalocean.com, ns2.digitalocean.com, and ns3.digitalocean.com. You set these at your domain registrar (Namecheap, GoDaddy, Porkbun, etc.). If your nameservers point somewhere else, any DNS records you add in DigitalOcean will be ignored. You can verify active nameservers with a tool like dig NS yourdomain.com or any online NS lookup.
SPF and DKIM should already be configured. DMARC relies on both protocols to authenticate email. SPF defines which servers are allowed to send on behalf of your domain. DKIM attaches a cryptographic signature so receivers can verify message integrity. Set these up with spfcreator.com and dkimcreator.com if you have not already.
Have your DMARC record value ready. A standard monitoring-only record looks like this:
v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com;
Starting with p=none lets you collect aggregate reports without affecting mail delivery. You can move to p=quarantine or p=reject once you have reviewed the data. Our DMARC policy levels guide explains the differences.
If you manage multiple domains across droplets or App Platform projects, you need a separate DMARC record for each domain. DigitalOcean's DNS panel is per-domain, so repeat this process for every domain you want to protect.
Step-by-Step: Adding a DMARC Record in DigitalOcean
Log in to the DigitalOcean control panel
Go to cloud.digitalocean.com and sign in to your account.
Open the Networking section
In the left sidebar, click Networking. Then click the Domains tab. You will see a list of all domains you have added to DigitalOcean DNS.
Select your domain
Click on the domain name you want to add a DMARC record to. This opens the DNS records management page for that domain, where you can see all existing A, AAAA, CNAME, MX, TXT, NS, and SRV records.
Select TXT from the record type tabs
Near the top of the records page, you will see tabs for different record types. Click TXT. The form below the tabs will update to show fields specific to TXT records.
Enter _dmarc as the hostname
In the Hostname field, type _dmarc. DigitalOcean automatically appends your domain name, so the full record will resolve at _dmarc.yourdomain.com. Do not enter the full domain — just _dmarc with the leading underscore.
Paste your DMARC value
In the Value field, paste your complete DMARC record string. For example: v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com;. Do not wrap it in quotes — DigitalOcean handles the quoting for TXT records internally.
Set the TTL
The TTL field defaults to 1800 seconds (30 minutes). This is a reasonable default. If you want faster propagation during initial setup or testing, you can lower it to 300 seconds (5 minutes). You can increase it later once the record is stable.
Click Create Record
Click the Create Record button. The new TXT record will appear in the records list below. Confirm that the hostname shows _dmarc and the value matches what you pasted.
DigitalOcean-Specific Details
Hostname Field Behavior
DigitalOcean's hostname field works like most DNS providers: you enter the subdomain portion and DigitalOcean appends the root domain. If your domain is example.com and you type _dmarc, the resulting record lives at _dmarc.example.com. If you accidentally enter _dmarc.example.com in the hostname field, you will end up with a record at _dmarc.example.com.example.com, which is wrong and will not be found by receiving mail servers.
TTL Options
DigitalOcean supports TTL values as low as 30 seconds, though anything below 300 is aggressive for a DMARC record. During initial deployment, 300 to 1800 seconds is practical. Once your DMARC policy is stable and you are not making frequent changes, bump it up to 3600 (1 hour) or higher to reduce DNS query volume.
The @ Symbol for Root Records
If you ever need to add a TXT record at the root of your domain (not under _dmarc), you enter @ in the hostname field. For DMARC, you always use _dmarc — but this is useful to know when adding SPF records, which live at the root.
If You Use a Third-Party Email Service
DigitalOcean does not provide email hosting. If your domain sends email, you are using a third-party provider — Google Workspace, Microsoft 365, Zoho, Postmark, SendGrid, or something similar. Your DMARC record in DigitalOcean DNS protects the domain regardless of which service sends on its behalf, but you need to make sure SPF and DKIM are correctly configured for each sending service.
If your droplets or App Platform apps send transactional email through an API (SendGrid, Postmark, Amazon SES, Mailgun), each of those services requires its own SPF include and DKIM keys added to DigitalOcean DNS. Check the relevant setup guides:
- DMARC for SendGrid
- DMARC for Amazon SES
- DMARC for Mailgun
- DMARC for Postmark
- DMARC for Google Workspace
Domains that never send email
If a domain on DigitalOcean is purely for hosting a web app and never sends email, publish a strict DMARC record: v=DMARC1; p=reject;. This tells the world to reject any email claiming to come from that domain, preventing spoofing.
Verifying Your DMARC Record
After creating the record, give it a few minutes to propagate. DigitalOcean DNS propagation is typically fast, but it depends on TTL values and resolver caching.
Check your record at dmarcrecordchecker.com. Verify that:
- The record starts with v=DMARC1
- Your policy tag (p=none, p=quarantine, or p=reject) is present and correct
- The rua address is valid if you included one
- Only one DMARC record exists (no duplicates)
You can also verify from the command line, which DigitalOcean users will likely appreciate:
dig TXT _dmarc.yourdomain.com +short
This should return your DMARC string. If it returns nothing, the record has not propagated yet or there is a configuration issue.
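The checklist above can be applied directly to dig output. The following is an added example, not part of the original guide or of any DigitalOcean tooling: the function names and the sample outputs are constructed for illustration, and the rua pattern is a simplified mailto: check. It also flags a value that was pasted with literal quotes, which dig shows as escaped quotes inside the answer.

```python
import re

POLICIES = {"none", "quarantine", "reject"}
# Simplified check for one rua entry: mailto:user@domain with optional !size suffix.
RUA_RE = re.compile(r"mailto:[^@\s,]+@[^@\s,!]+(![0-9]+[kmgt]?)?", re.I)

def unquote_dig(line):
    """Recover raw TXT content from one line of `dig +short` output.

    dig wraps each character-string in double quotes and backslash-escapes
    quotes that are part of the content; adjacent strings are concatenated.
    """
    parts = re.findall(r'"((?:[^"\\]|\\.)*)"', line)
    return "".join(re.sub(r"\\(.)", r"\1", p) for p in parts)

def check_dmarc(dig_output):
    """Return a list of problems; an empty list means the checks passed."""
    records = [unquote_dig(l) for l in dig_output.splitlines() if l.strip()]
    if not records:
        return ["no TXT record returned: not propagated yet or misconfigured"]
    problems = []
    if any(r.lstrip().startswith('"') for r in records):
        problems.append("quotes are part of the record content")
    dmarc = [r for r in records if r.startswith("v=DMARC1")]
    if len(dmarc) > 1:
        problems.append("multiple DMARC records exist")
    if not dmarc:
        return problems + ["no record starts with v=DMARC1"]
    # Parse the tag=value pairs of the first DMARC record.
    tags = {}
    for part in dmarc[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("p", "").lower() not in POLICIES:
        problems.append("p= tag missing or not none/quarantine/reject")
    if "rua" in tags:
        for uri in tags["rua"].split(","):
            if not RUA_RE.fullmatch(uri.strip()):
                problems.append(f"invalid rua address: {uri.strip()!r}")
    return problems

# Constructed samples of `dig TXT _dmarc.yourdomain.com +short` output.
GOOD = '"v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com;"'
QUOTED = r'"\"v=DMARC1; p=none;\""'  # value was pasted with quotes
DUPLICATE = '"v=DMARC1; p=none;"\n"v=DMARC1; p=reject;"'

if __name__ == "__main__":
    for name, sample in [("good", GOOD), ("quoted", QUOTED), ("duplicate", DUPLICATE)]:
        print(name, check_dmarc(sample) or "OK")
```

To check a live domain, pass the captured output of the dig command above to check_dmarc() instead of the constructed samples.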
Common Mistakes
Entering the full domain in the hostname field. Type _dmarc, not _dmarc.yourdomain.com. DigitalOcean appends the domain automatically.
Forgetting the underscore. The hostname is _dmarc with a leading underscore. Without it, the record lives at dmarc.yourdomain.com, which is not where receiving servers look.
Wrapping the value in quotes. DigitalOcean handles TXT record quoting. If you add quotes around the value, they become part of the record content and break DMARC validation.
Creating multiple DMARC records. You can only have one TXT record at _dmarc. If you have duplicates, delete the extra one. Multiple DMARC records cause a permanent validation failure — see our multiple DMARC records guide for details.
Nameservers not pointing to DigitalOcean. If you added your domain to the networking panel but forgot to update nameservers at your registrar, none of your DigitalOcean DNS records will resolve. This is the most common reason a record "does not work." For more on propagation timing, see DMARC propagation time.
After Setup
Once your DMARC record is live, receiving mail servers begin evaluating it immediately. If you included a rua tag, expect aggregate reports within 24 to 48 hours. These XML reports show which IP addresses sent email using your domain and whether messages passed SPF and DKIM alignment.
Review reports for the first few weeks while on p=none. Look for legitimate sending services that fail alignment and fix their SPF or DKIM configuration. When everything looks clean, move to p=quarantine with a low pct value, then gradually increase to full enforcement with p=reject. For a detailed walkthrough of this progression, see our DMARC setup guide.
Complete your email authentication stack
DMARC is one piece of the puzzle. Make sure SPF and DKIM are also properly configured. Use spfcreator.com for SPF and dkimcreator.com for DKIM. All three should be in place before you enforce a quarantine or reject policy.