A DMARC record is a single TXT record at _dmarc.yourdomain.com that tells receivers how to
handle mail that fails authentication, and where to send reports. Here’s every tag.
v=DMARC1; p=quarantine; sp=reject; pct=100; rua=mailto:you@yourdomain.com; adkim=s; aspf=s
Paste any record into the explainer to decode it instantly.
The tags
| Tag | Meaning | Notes |
|---|---|---|
v | Version | Must be DMARC1. Required. |
p | Policy | none (monitor), quarantine (spam), reject (block). The main lever. |
sp | Subdomain policy | Overrides p for subdomains. |
pct | Percentage | Apply the policy to this % of mail. pct<100 means most mail skips enforcement. |
rua | Aggregate reports | mailto: address for daily XML summaries. Always set this. |
ruf | Forensic reports | Per-failure reports; few receivers send them. |
adkim | DKIM alignment | r relaxed (default) or s strict. |
aspf | SPF alignment | r relaxed (default) or s strict. |
fo | Failure options | When to generate forensic reports. |
ri | Report interval | Seconds between aggregate reports (default 86400). |
What to actually set
- Start:
v=DMARC1; p=none; rua=mailto:you@yourdomain.com - Goal:
v=DMARC1; p=reject; rua=mailto:you@yourdomain.com
The only required tags are v and p; rua is strongly recommended so you can see who’s
sending. Build one with the DMARC generator and migrate to enforcement
with the none → reject guide.