Email Authentication

What is a DMARC record?

A DMARC record is a DNS TXT record published at _dmarc.yourdomain.com that tells receiving mail servers what to do when SPF or DKIM authentication fails. It specifies your policy (none, quarantine, or reject), alignment requirements, and where to send aggregate and forensic reports.

Defined in RFC 7489 — required by Google, Yahoo, Microsoft, and PCI DSS v4.0.

Anatomy

What does a DMARC record look like?

A complete DMARC record with all common tags, broken down tag by tag.

_dmarc.example.com TXT
v=DMARC1; p=reject; rua=mailto:dmarc@example.com; ruf=mailto:forensic@example.com; adkim=s; aspf=r; pct=100; sp=reject
v=DMARC1 Version (required)
p=reject Policy: block failures
rua= Aggregate report address
ruf= Forensic report address
adkim=s Strict DKIM alignment
aspf=r Relaxed SPF alignment
pct=100 Apply to 100% of failures
sp=reject Subdomain policy: reject
Reference

All DMARC record tags

Every tag defined in the DMARC specification with accepted values, descriptions, and common mistakes to avoid.

v= (Required): Version

Protocol version identifier. Must be the first tag in every DMARC record. The only valid value is DMARC1.

Values: DMARC1
Example: v=DMARC1
Common mistake: Placing v= anywhere other than the start of the record causes a PermError.

p= (Required): Policy

Tells receivers what to do with messages that fail DMARC authentication. Start with none for monitoring, progress through quarantine to reject.

Values: none | quarantine | reject
Example: p=reject
Common mistake: Jumping straight to p=reject without monitoring causes legitimate email to be blocked.

rua= (Optional): Aggregate Report URI

Where receivers send daily aggregate (XML) reports summarizing authentication results for all messages from your domain.

Values: mailto:address
Example: rua=mailto:dmarc@example.com
Common mistake: Omitting rua= means you get no visibility. Always set a reporting address.

ruf= (Optional): Forensic Report URI

Where receivers send per-message forensic reports with failure details. Not all receivers support RUF.

Values: mailto:address
Example: ruf=mailto:forensic@example.com
Common mistake: Expecting all receivers to send forensic reports. Many (Google, Microsoft) do not.

sp= (Optional): Subdomain Policy

Overrides the main policy for subdomains. If omitted, subdomains inherit the p= value.

Values: none | quarantine | reject
Example: sp=reject
Common mistake: Forgetting sp= when subdomains need a different policy than the main domain.

adkim= (Optional): DKIM Alignment

Controls whether the DKIM signing domain must exactly match (strict) or can be a subdomain of (relaxed) the From header domain. Default: relaxed.

Values: r (relaxed) | s (strict)
Example: adkim=r
Common mistake: Setting strict alignment before confirming all senders sign with the organizational domain.

aspf= (Optional): SPF Alignment

Controls whether the SPF-authenticated domain must exactly match (strict) or can be a subdomain of (relaxed) the From header domain. Default: relaxed.

Values: r (relaxed) | s (strict)
Example: aspf=r
Common mistake: Setting aspf=s when third-party senders use their own Return-Path subdomain.

pct= (Optional): Percentage

Percentage of failing messages the policy applies to. Use for gradual enforcement rollout. Default: 100.

Values: 1-100
Example: pct=25
Common mistake: Forgetting to increase pct= after initial rollout, leaving most mail unenforced.

fo= (Optional): Forensic Options

Controls when forensic reports are generated. 0=both SPF and DKIM fail, 1=either fails, d=DKIM fails, s=SPF fails.

Values: 0 | 1 | d | s
Example: fo=1
Common mistake: Leaving fo= at default (0), which only reports when both SPF and DKIM fail.

Syntax

DMARC record structure rules

A valid DMARC record must follow these rules. Violating any of them causes receivers to ignore the record entirely.

1. One record per domain

A domain must have exactly one DMARC TXT record. Multiple records cause a PermError and receivers ignore all of them.

2. Published at _dmarc subdomain

The record must be a TXT record at _dmarc.yourdomain.com — not at the root domain, not at _dmarc.www.yourdomain.com.

3. Must start with v=DMARC1

The v= tag must be the first tag in the record. Any other tag appearing first makes the record invalid.

4. Tags separated by semicolons

Each tag is separated by a semicolon and optional whitespace: v=DMARC1; p=reject; rua=mailto:...

5. Case-insensitive tag names

Tag names (p=, rua=, adkim=) are case-insensitive, but values are case-sensitive for some tags.

Examples

DMARC record examples by phase

Three records for the three phases of DMARC deployment. Each phase requires a minimum of 90 days of monitoring. The full journey to p=reject typically takes 9 to 18 months.

Monitoring Only Phase 1 — Collect data before enforcing
v=DMARC1; p=none; rua=mailto:dmarc@example.com; fo=1

Start here. Receivers deliver all email normally but send you daily aggregate reports. The fo=1 tag generates forensic reports when either SPF or DKIM fails, giving maximum visibility.

Gradual Enforcement Phase 2 — Quarantine 25% of failures
v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example.com; ruf=mailto:forensic@example.com; adkim=r; aspf=r

After 90+ days of monitoring with p=none, move to quarantine with pct=25. Only 25% of failing messages go to spam. Increase pct= gradually (50, 75, 100) over several weeks as you confirm legitimate mail passes.

Full Reject Phase 3 — Maximum protection
v=DMARC1; p=reject; rua=mailto:dmarc@example.com; ruf=mailto:forensic@example.com; adkim=s; aspf=s; sp=reject

The end goal. All messages that fail DMARC are rejected at the SMTP level. Strict alignment ensures exact domain matching. sp=reject extends protection to all subdomains. Reaching this stage typically takes 9 to 18 months.

Validate

How do you check a DMARC record?

Use a DMARC checker tool to query the DNS TXT record at _dmarc.yourdomain.com and validate that the syntax, tags, and values are correct.

  • Validates record syntax and tag order
  • Checks for multiple conflicting records
  • Verifies rua= and ruf= addresses are reachable
  • Confirms alignment mode and policy settings
DMARC Checker — example.com
  • Record Found: _dmarc.example.com [pass]
  • Policy: p=reject [pass]
  • Aggregate Reporting: rua=mailto:dmarc@example.com [pass]
  • DKIM Alignment: adkim=s (strict) [pass]
  • SPF Alignment: aspf=r (relaxed) [pass]
  • Subdomain Policy: sp=reject [pass]
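
The syntax checks described above (single record, v=DMARC1 first, semicolon-separated tags, accepted values) can be applied to the TXT strings returned for _dmarc.<domain>. This Python example is added here and is not the code behind the checker tool; check_dmarc and parse_tags are hypothetical names, the sample strings are constructed, and the DNS lookup is left out so it runs offline.

```python
import re

# Accepted values for enumerated tags, taken from the tag reference on this page.
POLICY = {"none", "quarantine", "reject"}
ENUMS = {"p": POLICY, "sp": POLICY, "adkim": {"r", "s"}, "aspf": {"r", "s"}, "fo": set("01ds")}

def parse_tags(record):
    """Split a record on semicolons into ordered (tag, value) pairs; value is None if '=' is missing."""
    pairs = []
    for part in filter(None, (p.strip() for p in record.split(";"))):
        tag, sep, value = part.partition("=")
        pairs.append((tag.strip().lower(), value.strip() if sep else None))  # tag names: any case
    return pairs

def check_dmarc(txt_records):
    """Return (errors, warnings) for the TXT strings published at _dmarc.<domain>."""
    errors, warnings = [], []
    dmarc = [t for t in txt_records if re.search(r"\bv\s*=\s*DMARC1\b", t)]
    if len(dmarc) != 1:
        return [f"expected exactly one DMARC record, found {len(dmarc)}"], warnings
    pairs = parse_tags(dmarc[0])
    if pairs[0] != ("v", "DMARC1"):
        errors.append("v=DMARC1 must be the first tag")
    tags = dict(pairs)
    if "p" not in tags:
        errors.append("missing required p= tag")
    for tag, value in tags.items():
        if value is None:
            errors.append(f"not a tag=value pair: {tag!r}")
        elif tag in ENUMS:
            # RFC 7489 lets fo= carry several options separated by colons, e.g. fo=0:d
            options = value.lower().split(":") if tag == "fo" else [value.lower()]
            if not all(o in ENUMS[tag] for o in options):
                errors.append(f"invalid value for {tag}=: {value!r}")
        elif tag in ("rua", "ruf"):
            if not all(u.strip().lower().startswith("mailto:") for u in value.split(",")):
                errors.append(f"{tag}= must list mailto: addresses")
        elif tag == "pct":
            if not (value.isdecimal() and int(value) <= 100):
                errors.append(f"pct= out of range: {value!r}")
            elif int(value) < 100:
                warnings.append(f"pct={value}: policy applies to only part of failing mail")
    if "rua" not in tags:
        warnings.append("no rua=: no aggregate reports will be received")
    return errors, warnings

# Constructed sample: a stray non-DMARC TXT string plus a phase 2 style record.
SAMPLE = ["v=spf1 -all", "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example.com"]
print(check_dmarc(SAMPLE))
```
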
Generate

How do you create a DMARC record?

Use our free DMARC Record Generator to create a valid record in seconds — choose your policy, enter your reporting address, and copy the TXT record into your DNS.

FAQ

Frequently asked questions about DMARC records

Can I have multiple DMARC records for one domain?

No. A domain must have exactly one DMARC TXT record at _dmarc.yourdomain.com. If multiple records exist, receivers return a PermError and ignore all of them. To send reports to multiple addresses, list them comma-separated in the rua= tag: rua=mailto:addr1@example.com,mailto:addr2@example.com.

Where do I add my DMARC record in DNS?

Add a TXT record with the host/name set to _dmarc (your DNS provider adds the domain automatically). The record type is TXT and the value is your DMARC policy string starting with v=DMARC1. Changes propagate within minutes to 48 hours depending on TTL settings.

What is the minimum valid DMARC record?

The minimum valid DMARC record is v=DMARC1; p=none — just the version and policy tags. However, without rua= you receive no reports and have no visibility. The practical minimum is v=DMARC1; p=none; rua=mailto:your-address@example.com.

What happens if my DMARC record has a syntax error?

Receivers that detect a syntax error will treat the record as if no DMARC record exists. Messages are delivered based on SPF and DKIM results alone, without DMARC policy enforcement. Use a DMARC checker to validate your record syntax before publishing.

How long does it take for a DMARC record to take effect?

DMARC records take effect as soon as DNS propagation completes, typically within minutes to 48 hours. However, aggregate reports start arriving 24 to 72 hours after publishing because receivers batch reports daily. Allow a full week before concluding that reports are not being generated.

Do subdomains need their own DMARC records?

Subdomains inherit the parent domain DMARC policy automatically. You only need a separate subdomain DMARC record if the subdomain requires a different policy. The sp= tag on the parent record can also set a subdomain-specific policy without creating separate records.
