What is a DMARC record?
DMARC, short for Domain-based Message Authentication, Reporting and Conformance, is an email authentication standard defined in RFC 7489. A DMARC record is a single DNS TXT entry, published at the _dmarc host of your domain, that tells receiving mail servers two things: what to do with messages that fail SPF and DKIM, and where to send reports about the mail being sent in your name.
Since 2024, the largest mailbox providers expect bulk senders to publish DMARC alongside SPF and DKIM. Without a record, receivers have no instructions for handling spoofed mail, and anyone can forge your From address with nothing to stop them.
The DMARC tags explained
Every DMARC record begins with v=DMARC1 and is followed by semicolon separated tags. Only v and p are required. These are the tags this generator builds for you.
- p= the domain policy:
nonemonitors only,quarantinesends failing mail to spam, andrejectblocks it entirely. - sp= a separate policy for subdomains. Leave it out and subdomains inherit the domain policy.
- pct= the percentage of failing mail the policy applies to, used to roll out enforcement gradually.
- rua= the address that receives daily aggregate reports, the XML summaries that show you who is sending as your domain.
- ruf= the address that receives forensic failure reports for individual messages, where supported.
- adkim= and aspf= the alignment mode for DKIM and SPF, either
rfor relaxed orsfor strict. - fo= when a forensic report should be generated, and ri= how often aggregate reports are sent, in seconds.
Choosing a policy
The policy is the heart of the record. Start at p=none so nothing about your mail flow changes while you collect reports and confirm every legitimate sender is authenticated. Move to p=quarantine once those reports are clean, which sends failing mail to spam without losing it entirely. Finish at p=reject, the strongest setting, where receivers block failing mail before it reaches the inbox.
DMARC depends on SPF and DKIM, so publish and verify both before you enforce a policy. Alignment is what ties them together: it requires the domain in the visible From header to match the domain that passed SPF or DKIM, which is what stops an attacker from passing authentication on their own domain while spoofing yours.
A safe rollout
Tightening too quickly can drop real mail, so move through the policies in order and let your aggregate reports guide each step.
- Publish p=none with rua. Add an aggregate report address and watch for a few weeks until you can see every service that sends as your domain.
- Authenticate every sender. Make sure each legitimate platform passes SPF or DKIM with alignment before you enforce anything.
- Move to quarantine. Switch to
p=quarantine, optionally with apctbelow 100, and confirm reports stay clean. - Advance to reject. Once quarantine runs clean, set
p=rejectfor full protection against spoofing of your domain.
Where to publish the record
The record is a TXT record whose host is _dmarc, so the full name becomes _dmarc.yourdomain.com. Open your DNS provider, create a new TXT record with that host, paste the generated value, and save. Propagation usually takes a few minutes, though it can run up to 48 hours depending on your TTL.
After you publish, confirm it with the DMARC record checker. DMARC only works on top of authentication, so make sure your SPF record and DKIM signing are in place first.