What GoDaddy's Default DMARC Record Actually Does
Since April 2025 GoDaddy auto-publishes a p=quarantine DMARC record on new domains, but the reports go to GoDaddy, not you. Here is how to fix it.
Since April 2025, GoDaddy automatically publishes a DMARC record on new domains that have no existing mail setup, with a default policy of p=quarantine. The catch is that the default report address points at a GoDaddy-controlled mailbox, so you get the policy but none of the visibility into who is sending mail as your domain, until you change the record yourself.
What GoDaddy added, and when
Starting in April 2025, GoDaddy began auto-publishing email-authentication records on new domains bought through, or transferred into, GoDaddy that have no existing mail configuration. The headline change is a DMARC record at _dmarc.yourdomain.com with the policy set to p=quarantine. This rolled out quietly: there is no requirement that GoDaddy notify you when it injects the record, so plenty of owners are running an enforcement policy they never knew was there.
DMARC is not the only thing GoDaddy adds. On those same post-April-2025 domains it also publishes a DKIM record, and when you use GoDaddy Professional Email it adds an SPF record too. Together that is a reasonable starter posture, and it is genuinely better than the bare, unauthenticated domains that were the registrar default for years. But a record is not the same as protection, and the gap is in where the data goes.
One important qualifier: GoDaddy describes this as targeting domains with no existing mail setup. That is the stated intent, not a cast-iron guarantee about every domain in every edge case, so do not assume your domain was skipped just because you already had MX records. The only reliable answer is to look at your own DNS. New to DMARC entirely? Start with what DMARC actually does first.
What p=quarantine means
DMARC has three policy levels. At p=none the receiver takes no action and only reports. At p=quarantine, the GoDaddy default, a receiving server that gets a message claiming to be from your domain but failing both SPF and DKIM alignment is told to treat it as suspicious, typically by dropping it into the spam or junk folder. At p=reject, the receiver refuses the message outright and it bounces.
So GoDaddy's default is a middle setting: it actively spam-folders spoofed mail rather than just watching, which is real protection against impersonation. The trade-off is that quarantine also catches your own legitimate senders if they are not properly authenticated. If you connect a marketing platform or a help desk and never set up its DKIM, its mail can start landing in spam, and at the default you have no reports coming to you to explain why.
Where the reports go: the visibility gap
This is the part most owners miss. A DMARC record has an rua tag that tells receivers where to send the daily aggregate reports, the data that shows every IP sending mail as your domain and whether it passed. In GoDaddy's default record, that address is:
rua=mailto:dmarc_rua@onsecureserver.net
onsecureserver.net is a GoDaddy-controlled domain. In other words, GoDaddy receives your DMARC reports, not you. You are running an enforcement policy on your own domain while being completely blind to the results. You cannot see who is spoofing you, you cannot see which of your legitimate senders are failing alignment, and you have no data to tell you whether it is safe to move toward p=reject. The policy is yours; the visibility is GoDaddy's.
That is not necessarily malicious (a registrar may use the aggregate signal operationally), but it is not protection for you. The reports are the entire point of DMARC's reporting layer, and by default they are going somewhere you cannot read them.
How to check your own record
Two ways. The quick manual check is a DNS TXT lookup on the _dmarc subdomain. On macOS or Linux:
dig +short TXT _dmarc.yourdomain.com
If you see a record beginning with v=DMARC1; p=quarantine and an rua pointing at onsecureserver.net, that is the GoDaddy default and the reports are going to GoDaddy. The easier path is to grade your domain, which reads your live DMARC, SPF, DKIM, MX, and TLS posture in one pass and shows you exactly what GoDaddy did and did not set up, plus a lookalike scan. There is no signup and there are no asserted values: it renders your actual record. You can also use the DMARC checker for just the record.
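To run the same check over many domains, the sketch below classifies the TXT value that dig returns. It is an added example, not code from GoDaddy or PhishFence, and it goes slightly beyond the text by also listing the RFC 7489 section 7.1 authorization record that any off-domain report destination must publish; the function names and the sample record are constructed for illustration.

```python
GODADDY_RUA_DOMAIN = "onsecureserver.net"  # report domain named on this page
# Constructed sample built from the policy and rua value quoted on this page.
SAMPLE_DEFAULT = "v=DMARC1; p=quarantine; rua=mailto:dmarc_rua@onsecureserver.net"


def parse_dmarc(txt):
    """Split 'v=DMARC1; p=...; rua=...' into a dict of lowercase tag -> value."""
    tags = {}
    for part in txt.strip().strip('"').split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def rua_domains(tags):
    """Return the mail domain of every mailto: URI in the rua tag."""
    domains = []
    for uri in tags.get("rua", "").split(","):
        uri = uri.strip()
        if uri.lower().startswith("mailto:") and "@" in uri:
            # Drop an optional size limit such as '!10m' after the address.
            addr = uri[len("mailto:"):].split("!", 1)[0]
            domains.append(addr.rsplit("@", 1)[1].lower())
    return domains


def assess(domain, txt):
    """Summarise the policy and who receives aggregate reports for `domain`."""
    domain = domain.lower().rstrip(".")
    tags = parse_dmarc(txt)
    all_rua = rua_domains(tags)
    # Simplification: suffix match instead of a public-suffix-list lookup.
    external = [d for d in all_rua
                if d != domain and not d.endswith("." + domain)]
    return {
        "policy": tags.get("p", "").lower(),
        "godaddy_default_rua": GODADDY_RUA_DOMAIN in external,
        "rua_on_own_domain": len(all_rua) > len(external),
        # RFC 7489 section 7.1: each external destination must publish this
        # TXT name (value "v=DMARC1") or receivers will not send reports there.
        "authorization_records": [f"{domain}._report._dmarc.{d}" for d in external],
    }
```

If you point the rua at a third-party DMARC service, query each name in authorization_records with dig to confirm the service has authorized reports for your domain.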
How to redirect the reports to yourself
You are in control of this record. In GoDaddy's DNS management, open the TXT record at _dmarc.yourdomain.com and change the rua tag to a mailbox or DMARC service you own. A monitoring-first record looks like this:
v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com; fo=1
You have three options on this record overall: change the policy, redirect the rua so the data comes to you, or remove the record entirely. For almost everyone the right first move is the middle one: keep the policy, point the reports at yourself, and start collecting data. Raw DMARC reports are XML and painful to read by hand, so most owners pipe the rua at a service that parses them; PhishFence ingests your reports and attributes every sender for you. Need to build the record from scratch? The DMARC generator produces a correct one with your own rua.
The safe path from quarantine to reject
It is tempting to jump straight to p=reject for the strongest protection. Do not do it blind. DMARC enforcement is a one-way ratchet: once a major receiver caches a reject policy, every legitimate sender that is not properly authenticated starts bouncing immediately. If you run Mailchimp, HubSpot, or Microsoft 365 and have not set up their DKIM alignment, going to reject can silently break real customer mail.
The disciplined ramp is: redirect the rua to yourself, watch the reports for a couple of weeks, and confirm every legitimate sending source is passing and aligned. Fix the gaps (usually by enabling each platform's DKIM), then tighten the policy in stages once the data backs the move. The full sequence is in the DMARC rollout playbook. The whole reason to redirect the reports first is so you have the data to make this safe.
What it does not cover: lookalike domains
DMARC, even at full enforcement, only protects your exact domain. It does nothing about the other half of impersonation: lookalike and cousin domains. An attacker who registers a swapped-letter, different-TLD, or added-word version of your name does not need to spoof your domain at all, because they own a different one. Your DMARC policy never sees that traffic, and your registrar will not tell you when someone registers next to you.
Catching those requires watching for new registrations and certificate issuance as they happen, for example via Certificate Transparency log monitoring, then risk-scoring and reporting the malicious ones. That is a separate discipline from DMARC and the part GoDaddy's defaults leave entirely open. PhishFence covers both sides: it monitors your own DMARC reports and watches CT logs for lookalikes targeting your brand.
GoDaddy default DMARC FAQ
Does GoDaddy add DMARC automatically?
Yes, in many cases. Since April 2025, GoDaddy automatically publishes a DMARC record on new domains bought through (or transferred into) GoDaddy that have no existing mail setup. The default policy is p=quarantine. GoDaddy also auto-adds a DKIM record on those post-April-2025 domains, and adds SPF when you use GoDaddy Professional Email. You did not have to ask for any of it, and GoDaddy does not necessarily tell you it happened, so the only reliable way to know is to check your own DNS.
Is GoDaddy's default DMARC enough?
It is a real start, but it is not the whole job. The default record sets a p=quarantine policy, which tells receivers to spam-folder mail that fails authentication. The catch is that the default report address (rua) points to dmarc_rua@onsecureserver.net, a GoDaddy-controlled mailbox, so you get the policy without the visibility. You cannot see who is sending mail as your domain, which legitimate senders are failing, or whether you can safely move to p=reject. It also does nothing about lookalike or cousin domains that other people register next to yours.
Where do GoDaddy's DMARC reports go?
By default they go to GoDaddy. The rua tag in GoDaddy's auto-published record is set to dmarc_rua@onsecureserver.net, which is a GoDaddy address, not yours. Receiving mail servers send their daily aggregate reports there, so GoDaddy receives the data and you have no window into your own authentication results unless you change the record to point the rua at a mailbox or DMARC service you control.
How do I change GoDaddy's default DMARC record?
Edit the TXT record at _dmarc.yourdomain.com in GoDaddy's DNS management. You can do three things: change the policy (for example raise or lower the p= value), redirect the rua to a report address you control so the data comes to you, or remove the record entirely. Do not jump straight to p=reject. First point the rua at yourself, watch the reports for a couple of weeks to confirm every legitimate sender (Mailchimp, HubSpot, Microsoft 365, and so on) is passing, then tighten the policy in stages.