The short answer
There is no DMARC setting in Webflow, and there never will be. Webflow does not provide DNS hosting. Their words: "Webflow does not provide its own nameservers."
So your DNS lives at your registrar, at Cloudflare, or with another provider. That is where DMARC goes. It is a TXT record at _dmarc.yourdomain.com, and your Webflow plan is irrelevant to it.
Do SPF first
DMARC does not work on its own. It tells inboxes what to do when a message fails your other email authentication checks, so those checks need to exist first.
If you have not set up your SPF record yet, start there and come back. DMARC on top of nothing is just a record that reports nothing useful.
The record to start with
Start in monitoring mode. This is officially endorsed, not a cautious hedge. You publish a policy that asks inboxes to report what they see, without changing how any mail is handled.
Type: TXT
Host: _dmarc
Value: v=DMARC1; p=none; rua=mailto:[email protected]Replace the address with one you actually read. v=DMARC1 must come first in the value. If p is missing from an otherwise valid record it is treated as p=none anyway.
The mistake nearly everyone makes
This is the number one DMARC support ticket, and it has nothing to do with DMARC.
Most registrar interfaces take a relative name and automatically append your domain. So if you type _dmarc.yoursite.com into the host field, you create a record at _dmarc.yoursite.com.yoursite.com. That never resolves. Your DMARC silently does nothing and you have no idea why.
Enter just _dmarc. Nothing else.
The exception is AWS Route 53, which takes a fully qualified name and does not auto-append. If you are on Route 53, type the full _dmarc.yoursite.com. Everywhere else, the short version. Namecheap says it outright: "The domain name itself should not be included in the Host field."
Why most DMARC guides you find are now wrong
This is worth your attention, because the internet has not caught up yet.
DMARCbis was published in May 2026. RFC 9989 is the new core spec, with RFC 9990 for aggregate reporting and RFC 9991 for failure reporting. They are Standards Track, and they obsolete RFC 7489, the spec nearly every DMARC guide online still reflects.
The change you will notice: the pct tag has been removed. If a guide tells you to publish pct=100, that guide is out of date. Do not include it. This one detail is a quick way to tell whether a DMARC article has been touched since May 2026, and most have not.
The valid tags in RFC 9989 are: v, p, sp, np, rua, ruf, adkim, aspf, fo, psd and t. You will not need most of them.
The reports go nowhere trick
Here is the usual reason for "I set up DMARC but I never get reports".
If your rua address is on a different domain from the one the policy protects, the receiving domain has to authorise it. Point DMARC for yoursite.com at [email protected] and, without that authorisation, the reports simply are not sent.
The receiving domain must publish a record at your-domain._report._dmarc.their-domain containing at minimum v=DMARC1, with v=DMARC1 appearing first. A vendor happy to receive reports for any domain can publish a wildcard instead.
If your rua points at an address on the same domain, no authorisation record is needed. That is the simplest setup and we would start there.
Working up to enforcement
DMARC is a ladder, not a switch. Climbing it too fast is how a company loses its own invoices.
- 1.p=none. Monitoring mode. Nothing changes for your mail. Reports start arriving. Stay here until you recognise every sender in them, including the forgotten CRM and the invoicing tool nobody mentioned.
- 2.p=quarantine. Failing mail goes to spam rather than the inbox. Recoverable if you missed something. Watch reports again.
- 3.p=reject. Failing mail is refused outright. This is the goal, and this is what actually stops people spoofing your domain. Only get here once your reports show all legitimate mail passing.
Check it worked
Give DNS time to propagate, then test. Our free safety check reports whether your DMARC record is published and readable, along with SPF, SSL and other signals your visitors would notice.
If it says nothing found, check your host field first. It is almost always the auto-append problem.
Run your site through our free safety check to confirm the fix is live, and see what else a shopper would notice.
Run a free checkFrequently asked questions
Where do I add a DMARC record for a Webflow site?
At your DNS host, not in Webflow. Webflow does not provide DNS hosting and states that it does not provide its own nameservers. Your DNS is at your registrar, Cloudflare, or another provider. Add a TXT record with the host _dmarc there.
Why is my DMARC record not being detected?
Almost always the host field. Most registrars auto-append your domain, so typing _dmarc.yoursite.com creates _dmarc.yoursite.com.yoursite.com, which never resolves. Enter just _dmarc. The exception is AWS Route 53, which takes the fully qualified name.
Should I include pct=100 in my DMARC record?
No. The pct tag was removed in RFC 9989, published in May 2026 as part of DMARCbis, which obsoletes RFC 7489. Most DMARC guides online still show pct= because they have not been updated. Leave it out.
Can I start with p=reject?
You can, but we would not. Start at p=none and read your aggregate reports until you recognise every legitimate sender. Then move to p=quarantine, then p=reject. Monitoring first is the officially endorsed path. Jumping straight to reject is how companies stop receiving their own mail.
I set up DMARC but get no reports. Why?
If your rua address is on a different domain from the one the policy protects, that receiving domain must publish an authorisation record at your-domain._report._dmarc.their-domain containing v=DMARC1. Without it, reports are not sent. If rua points at an address on the same domain, no authorisation is needed.
Do I need SPF before DMARC?
Yes. DMARC tells inboxes what to do when authentication fails, so there needs to be authentication in place first. Set up your SPF record, then add DMARC on top.