diff --git a/CHANGES b/CHANGES
index 6f50d74ea..2bd16dbe4 100644
--- a/CHANGES
+++ b/CHANGES
@@ -2206,4 +2206,5 @@
 * firewall: fix issue where script errored when having more than 15 wl/bl ports
 * If groups are used, do not allow app installation without choosing the access settings
 * tls addon
+* Do not overwrite existing DMARC record
diff --git a/src/mail.js b/src/mail.js
index 637509556..e79fea46e 100644
--- a/src/mail.js
+++ b/src/mail.js
@@ -875,37 +875,40 @@ function upsertDnsRecords(domain, mailFqdn, callback) {
 if (process.env.BOX_ENV === 'test') return callback();
- var dkimKey = readDkimPublicKeySync(domain);
+ const dkimKey = readDkimPublicKeySync(domain);
 if (!dkimKey) return callback(new BoxError(BoxError.FS_ERROR, 'Failed to read dkim public key'));
 // t=s limits the domainkey to this domain and not it's subdomains
- var dkimRecord = { subdomain: `${mailDomain.dkimSelector}._domainkey`, domain: domain, type: 'TXT', values: [ '"v=DKIM1; t=s; p=' + dkimKey + '"' ] };
+ const dkimRecord = { subdomain: `${mailDomain.dkimSelector}._domainkey`, domain: domain, type: 'TXT', values: [ `"v=DKIM1; t=s; p=${dkimKey}"` ] };
- var records = [ ];
+ let records = [];
 records.push(dkimRecord);
- if (mailDomain.enabled) {
- records.push({ subdomain: '_dmarc', domain: domain, type: 'TXT', values: [ '"v=DMARC1; p=reject; pct=100"' ] });
- records.push({ subdomain: '', domain: domain, type: 'MX', values: [ '10 ' + mailFqdn + '.' ] });
- }
+ if (mailDomain.enabled) records.push({ subdomain: '', domain: domain, type: 'MX', values: [ '10 ' + mailFqdn + '.' ] });
 txtRecordsWithSpf(domain, mailFqdn, function (error, txtRecords) {
 if (error) return callback(error);
 if (txtRecords) records.push({ subdomain: '', domain: domain, type: 'TXT', values: txtRecords });
- debug('upsertDnsRecords: will update %j', records);
+ domains.getDnsRecords('_dmarc', domain, 'TXT', function (error, dmarcRecords) { // only update dmarc if absent. this allows user to set email for reporting
+ if (error) return callback(error);
- async.mapSeries(records, function (record, iteratorCallback) {
- domains.upsertDnsRecords(record.subdomain, record.domain, record.type, record.values, iteratorCallback);
- }, function (error, changeIds) {
- if (error) {
- debug(`upsertDnsRecords: failed to update: ${error}`);
- return callback(error);
- }
+ if (dmarcRecords.length === 0) records.push({ subdomain: '_dmarc', domain: domain, type: 'TXT', values: [ '"v=DMARC1; p=reject; pct=100"' ] });
- debug('upsertDnsRecords: records %j added with changeIds %j', records, changeIds);
+ debug('upsertDnsRecords: will update %j', records);
- callback(null);
+ async.mapSeries(records, function (record, iteratorCallback) {
+ domains.upsertDnsRecords(record.subdomain, record.domain, record.type, record.values, iteratorCallback);
+ }, function (error, changeIds) {
+ if (error) {
+ debug(`upsertDnsRecords: failed to update: ${error}`);
+ return callback(error);
+ }
+
+ debug('upsertDnsRecords: records %j added with changeIds %j', records, changeIds);
+
+ callback(null);
+ });
 });
 });
 });
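Review bot: The `_dmarc` push inside the new `domains.getDnsRecords` callback is no longer under `mailDomain.enabled`, so a domain whose `mailDomain.enabled` is false and which has no `_dmarc` TXT record now gets `p=reject; pct=100` published, which the removed code did not do and the changelog entry does not mention. If that widening is not intended, restore the guard by changing the condition to `if (mailDomain.enabled && dmarcRecords.length === 0)`. The absence test also treats any TXT value at `_dmarc` as a policy, so a malformed record or a `p=none` left in place is kept without a trace; a `debug('upsertDnsRecords: keeping existing _dmarc record %j', dmarcRecords);` on the skip path would make that visible. upsertDnsRecords starts before and ends after this hunk, so where `mailDomain` comes from is not visible here.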