What does a DMARC record look like?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
A DMARC record is a DNS TXT record published at _dmarc.yourdomain.com. Here's a complete monitoring record that most domains should start with:
v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com; ruf=mailto:dmarc@yourdomain.com
And here's a more complete enforcement record:
v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@yourdomain.com; adkim=r; aspf=r
Let's break the common tags down:
v=DMARC1 . Required. Identifies this as a DMARC record. Always first, always exactly this value.
p= . Required. Your policy: none, quarantine, or reject. This is the main decision.
rua= . Where to send aggregate reports (daily XML summaries of authentication results). Without this, you're flying blind. You won't get the data that tells you whether your legitimate mail is passing DMARC. Use a real address, or a DMARC reporting service that processes these for you.
ruf= . Where to send forensic reports (individual failure samples). Optional and increasingly limited by privacy-focused providers.
pct= . What percentage of failing mail the policy applies to. Default is 100. Setting it to something lower (like 25) lets you roll out enforcement gradually. Only applies at p=quarantine or p=reject.
adkim= / aspf= . Alignment mode for DKIM and SPF respectively. r is relaxed (subdomains pass), s is strict (only exact matches pass). Default is relaxed, which is right for most senders.
You can check whether your DMARC record is valid with our free DMARC parser, or generate a new one with our policy guide. For the full tag reference including sp= (subdomain policy) and fo= (failure reporting options), see the DMARC specification. You can also explore how to start implementing DMARC for the recommended progression from monitoring to enforcement.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.