A DMARC record is a single line of text in your DNS that controls how email providers handle messages that fail authentication. Every character matters — here’s a complete reference for every tag and value.
The Full Record
Here’s a DMARC record using every available tag:
v=DMARC1; p=quarantine; sp=none; rua=mailto:dmarc@example.com; ruf=mailto:forensic@example.com; adkim=r; aspf=r; pct=100; fo=1; ri=86400; rf=afrf
This record lives as a TXT record at:
Required Tags
Every DMARC record must include these two tags:
v=DMARC1 — Version
Identifies the record as DMARC version 1. Must be the first tag in the record.
DMARC1 (only version that exists)
p= — Policy (required)
Tells receiving servers what to do with emails that fail DMARC checks.
none | Take no action — just collect reports. Use this first.
quarantine | Send failing emails to spam/junk folder.
reject | Block failing emails entirely. Maximum protection.
See DMARC Policies Explained for a deep dive on when to use each.
Reporting Tags
rua= — Aggregate Report Address
Where to send daily aggregate reports (XML summaries of authentication results).
rua=mailto:dmarc@example.com
Multiple addresses: rua=mailto:a@example.com,mailto:b@example.com
External domain: requires a _dmarc-report._dmarc.external.com DNS record to authorise.
ruf= — Forensic Report Address
Where to send forensic (failure) reports — detailed info about individual failing emails.
ri= — Report Interval
Requested interval between aggregate reports, in seconds.
86400 | Every 24 hours (default — most common)
43200 | Every 12 hours
3600 | Every hour (most providers won’t honor this)
fo= — Failure Reporting Options
Controls when forensic reports are generated.
0 | Generate if all checks fail (default)
1 | Generate if any check fails (recommended for debugging)
d | Generate if DKIM fails (regardless of SPF)
s | Generate if SPF fails (regardless of DKIM)
rf= — Report Format
Format for forensic reports. Only afrf (Authentication Failure Reporting Format) exists. You can omit this tag.
Alignment Tags
adkim= — DKIM Alignment Mode
How strictly the DKIM d= domain must match the From: domain.
r | Relaxed (default) — Organisational domain must match. mail.example.com aligns with example.com.
s | Strict — Exact domain match required. mail.example.com does NOT align with example.com.
💡 Use relaxed unless you have a specific reason for strict. Most third-party services sign with a subdomain.
aspf= — SPF Alignment Mode
How strictly the SPF-verified domain (Return-Path) must match the From: domain.
r | Relaxed (default) — Organisational domain must match.
s | Strict — Exact domain match required.
Policy Tags
sp= — Subdomain Policy
Policy for subdomains (e.g., mail.example.com, marketing.example.com). If omitted, subdomains inherit the main p= policy.
none | Monitor subdomains (even if main policy is reject)
quarantine | Quarantine subdomain failures
reject | Reject subdomain failures
💡 Common pattern: p=reject; sp=reject to protect the main domain AND prevent subdomain spoofing.
pct= — Percentage
Percentage of failing messages the policy applies to. The rest are treated as p=none.
Range: 1-100 (default: 100)
💡 Use this for gradual rollout: start with pct=10, then 25, 50, 100. This limits the blast radius if something goes wrong.
Common Record Examples
🔰 Monitoring (new deployment)
v=DMARC1; p=none; rua=mailto:dmarc@example.com
⚡ Gradual enforcement
v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example.com
🔒 Full enforcement
v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s
🏢 Enterprise (full reporting + strict)
v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.com; ruf=mailto:forensic@example.com; fo=1; adkim=s; aspf=s; ri=43200
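The following Python validator is an added example, not code from this site or its generator. It checks a record string against the tag rules in this reference, fills in the documented defaults, and resolves the policy that applies to a subdomain. The function names parse_dmarc and effective_policy are illustrative, and the mailto: check assumes report addresses are always mailto: URIs, as in the examples on this page.

```python
# Added example: allowed values and defaults follow the tag reference on this page.
DEFAULTS = {"adkim": "r", "aspf": "r", "pct": "100", "fo": "0", "ri": "86400", "rf": "afrf"}
POLICIES = {"none", "quarantine", "reject"}
ALLOWED = {"p": POLICIES, "sp": POLICIES, "adkim": {"r", "s"}, "aspf": {"r", "s"}, "rf": {"afrf"}}


def parse_dmarc(txt):
    """Parse one DMARC TXT string; return (tags with defaults applied, list of errors)."""
    tags, errors, order = {}, [], []
    # Empty segments (for example after a trailing ';') are skipped.
    for pair in filter(None, (p.strip() for p in txt.split(";"))):
        name, sep, value = (s.strip() for s in pair.partition("="))
        if not sep or not name or not value:
            errors.append(f"malformed tag: {pair!r}")
        elif name in tags:
            errors.append(f"duplicate tag: {name}")
        else:
            tags[name] = value
            order.append(name)
    if order[:1] != ["v"] or tags["v"] != "DMARC1":
        errors.append("v=DMARC1 must be the first tag")
    if "p" not in tags:
        errors.append("missing required tag: p")
    for name, allowed in ALLOWED.items():
        if name in tags and tags[name] not in allowed:
            errors.append(f"invalid value for {name}: {tags[name]!r}")
    if "pct" in tags and not (tags["pct"].isdecimal() and int(tags["pct"]) <= 100):
        errors.append(f"pct must be an integer no greater than 100: {tags['pct']!r}")
    if "ri" in tags and not tags["ri"].isdecimal():
        errors.append(f"ri must be a number of seconds: {tags['ri']!r}")
    if "fo" in tags and not set(tags["fo"].split(":")) <= {"0", "1", "d", "s"}:
        errors.append(f"invalid value for fo: {tags['fo']!r}")
    for name in ("rua", "ruf"):  # assumption: only mailto: URIs are accepted
        for uri in filter(None, tags.get(name, "").split(",")):
            if not uri.strip().startswith("mailto:"):
                errors.append(f"{name} entry is not a mailto: URI: {uri.strip()!r}")
    return {**DEFAULTS, **tags}, errors


def effective_policy(tags, is_subdomain=False):
    """Policy a receiver applies: sp= for subdomains when present, otherwise p=."""
    return tags.get("sp", tags.get("p")) if is_subdomain else tags.get("p")


if __name__ == "__main__":
    # First record is from this page; the second is a constructed broken record.
    for record in ("v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s",
                   "p=reject; v=DMARC1; adkim=x; pct=150"):
        tags, errors = parse_dmarc(record)
        print(effective_policy(tags, is_subdomain=True), errors or "valid")
```

Running it against a record before publishing catches the mistakes that silently disable DMARC, such as a misplaced v= tag or a missing p= tag.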