
DMARC record

Learn what a DMARC record is, how it ties together SPF and DKIM to block email spoofing, how to read DMARC policy tags, how to safely roll out p=reject, and how to use aggregate reports to monitor your email authentication.

What Is a DMARC Record?

TL;DR
DMARC (Domain-based Message Authentication, Reporting, and Conformance) is a DNS TXT record that tells receiving mail servers what to do when an email fails DMARC authentication, meaning neither SPF nor DKIM produced a passing result for a domain that aligns with the From: header.
It also enables reporting: you get aggregate reports (typically daily) showing which sources are sending mail that claims to come from your domain, whether legitimate or fraudulent.
DMARC is the final piece of the email authentication stack, on top of SPF and DKIM.


How DMARC Works

  1. You publish a DMARC record at _dmarc.yourdomain.com.
  2. An email arrives whose From: header shows an address at yourdomain.com.
  3. The receiving server runs SPF (sending IP against the envelope MAIL FROM domain) and DKIM (signature against the d= domain) checks.
  4. DMARC checks alignment: does the domain authenticated by a passing check match the domain in the From: header?
  5. If at least one of SPF or DKIM both passes and aligns, DMARC passes and the email is delivered normally.
  6. If neither does, the receiving server applies your policy: none, quarantine, or reject.
  7. Aggregate reports are sent to your rua= address summarizing authentication results.

Alignment is what makes DMARC powerful. SPF and DKIM on their own can pass on a forged email: the forger simply uses a domain they control for the envelope MAIL FROM and for the DKIM signature. DMARC requires the authenticated domain to match the visible From: header, the one users actually see.

Where DMARC Records Live

DMARC records are published at the _dmarc label under the From: header domain; if no record exists there, receivers fall back to the record at the organizational domain:

_dmarc.{yourdomain.com}

For example:

_dmarc.example.com.  TXT  "v=DMARC1; p=none; rua=mailto:[email protected]"

DMARC Record Format

_dmarc.example.com.  TXT  "v=DMARC1; p=none; rua=mailto:[email protected]"

Tags

Tag     Required  Values                    Description
v=      Yes       DMARC1                    Version; must be the first tag and exactly DMARC1, or receivers ignore the record
p=      Yes       none, quarantine, reject  Policy for the domain the record is published on
sp=     No        none, quarantine, reject  Policy for subdomains (inherits p= if omitted)
pct=    No        0-100                     Percentage of failing mail the policy is applied to (default: 100)
rua=    No        mailto:addr               Where to send aggregate (daily summary) reports
ruf=    No        mailto:addr               Where to send forensic (per-message failure) reports
adkim=  No        r, s                      DKIM alignment mode: r relaxed (default), s strict
aspf=   No        r, s                      SPF alignment mode: r relaxed (default), s strict
fo=     No        0, 1, d, s                When to send forensic reports: 0 both SPF and DKIM fail (default), 1 either fails, d DKIM failed, s SPF failed
rf=     No        afrf                      Forensic report format (default: afrf)
ri=     No        seconds                   Requested aggregate report interval (default: 86400 = 24 hours)

Two details that catch people out. pct= only affects quarantine and reject: failing messages that fall outside the sampled percentage are not delivered normally but get the next weaker policy (reject becomes quarantine, quarantine becomes none). And if rua= points at an address in a different domain from the one publishing the record, that other domain must publish a TXT record containing v=DMARC1 at yourdomain.com._report._dmarc.otherdomain.com, or receivers will refuse to send reports there.

The Three DMARC Policies

p=none — Monitor mode

_dmarc.example.com.  TXT  "v=DMARC1; p=none; rua=mailto:[email protected]"

No action is taken on failing emails — they're delivered normally. Reports are still sent. Use this to audit your email sources before enforcing anything. Start here.

p=quarantine — Soft enforcement

_dmarc.example.com.  TXT  "v=DMARC1; p=quarantine; pct=100; rua=mailto:[email protected]"

Receivers are asked to treat failing emails as suspicious, which in practice usually means the spam/junk folder. Use this once your aggregate reports show only legitimate sources are sending on your behalf.

p=reject — Full enforcement

_dmarc.example.com.  TXT  "v=DMARC1; p=reject; rua=mailto:[email protected]"

Failing emails are rejected at SMTP time, so they never reach a mailbox. This is the goal for any domain that sends mail. It blocks spoofing of your exact domain at receivers that enforce DMARC; it does not cover lookalike domains or a forged display name, and some receivers apply local overrides (for example for known mailing lists), which they flag in the aggregate reports. Only move here after confirming all legitimate senders pass authentication.

Rolling Out DMARC Safely

DMARC enforcement should be gradual. Jumping straight to p=reject risks blocking legitimate mail if your SPF or DKIM setup has gaps.

Week 1–2: Deploy with p=none

_dmarc.example.com.  TXT  "v=DMARC1; p=none; rua=mailto:[email protected]"

Collect reports. Identify all sources sending on your behalf.

Week 3–4: Fix authentication gaps
Ensure every legitimate sender is covered by your SPF record (an include: entry for each third-party service) and signs with DKIM using a d= domain that aligns with your From: domain. Check aggregate reports for failures, and watch the SPF limit of 10 DNS lookups as you add include: entries; exceeding it makes SPF return permerror for all your mail.

Week 5–6: Move to p=quarantine at low pct

_dmarc.example.com.  TXT  "v=DMARC1; p=quarantine; pct=10; rua=mailto:[email protected]"

Ramp pct up over time as you gain confidence. While pct is below 100, failing messages outside the sampled share are treated as p=none, so keep reading the aggregate reports to see what would have been quarantined.

Final: Full p=reject

_dmarc.example.com.  TXT  "v=DMARC1; p=reject; rua=mailto:[email protected]"
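A parser for the record format shown in the Tags table, plus the disposition logic the rollout above relies on (pct= sampling with the RFC 7489 downgrade rule, and the sp= fallback for subdomains). This is an added example, not code from the page. The dmarc@example.com address in the sample records is an assumed placeholder, and the `sample` argument stands in for the receiver's per-message random draw so that results are reproducible.

```python
"""Parse a DMARC TXT record and compute the disposition a receiver applies.

Added example (not code from the original page). Tag semantics follow RFC 7489.
The dmarc@example.com reporting address in the sample records is an assumed
placeholder, not an address from the page.
"""
import re

POLICIES = ("none", "quarantine", "reject")
DEFAULTS = {"pct": "100", "adkim": "r", "aspf": "r", "fo": "0",
            "rf": "afrf", "ri": "86400", "rua": None, "ruf": None}


def parse_dmarc_record(txt):
    """Turn 'v=DMARC1; p=...; ...' into a dict with defaults filled in.

    Raises ValueError for records a receiver would ignore: v= not the first
    tag or not exactly DMARC1, p= missing or invalid, sp= invalid, pct= outside 0-100.
    """
    if not re.match(r"\s*v\s*=", txt):
        raise ValueError("v=DMARC1 must be the first tag")
    tags = {}
    for part in txt.split(";"):
        if not part.strip():
            continue                      # tolerate a trailing ';'
        if "=" not in part:
            raise ValueError(f"malformed tag: {part.strip()!r}")
        name, value = part.split("=", 1)
        tags[name.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":         # value must match exactly
        raise ValueError("v= must be exactly DMARC1")
    if tags.get("p") not in POLICIES:
        raise ValueError("p= is required: none, quarantine or reject")
    rec = dict(DEFAULTS)
    rec.update(tags)
    rec.setdefault("sp", rec["p"])        # subdomains inherit p= when sp= is absent
    if rec["sp"] not in POLICIES:
        raise ValueError("sp= must be none, quarantine or reject")
    rec["pct"] = int(rec["pct"])
    if not 0 <= rec["pct"] <= 100:
        raise ValueError("pct= must be between 0 and 100")
    rec["ri"] = int(rec["ri"])
    return rec


def is_valid_record(txt):
    """Convenience wrapper: would a receiver accept this record at all?"""
    try:
        parse_dmarc_record(txt)
        return True
    except ValueError:
        return False


DOWNGRADE = {"reject": "quarantine", "quarantine": "none", "none": "none"}


def disposition(rec, from_domain, record_domain, dmarc_pass, sample):
    """Disposition for one message: 'none', 'quarantine' or 'reject'.

    record_domain is where the record was found (the organizational domain);
    from_domain is the From: header domain. `sample` stands in for the receiver's
    per-message random draw in 0..99: messages with sample >= pct are not
    selected, and RFC 7489 section 6.6.4 gives those the next weaker policy.
    """
    if dmarc_pass:
        return "none"
    policy = rec["p"] if from_domain == record_domain else rec["sp"]
    if sample < rec["pct"]:
        return policy
    return DOWNGRADE[policy]


ROLLOUT = (  # the stages described above; the rua address is an assumed placeholder
    "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "v=DMARC1; p=quarantine; pct=10; rua=mailto:dmarc@example.com",
    "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com",
    "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
)


def rollout_dispositions(sample):
    """What a forged example.com message gets at each rollout stage."""
    return [disposition(parse_dmarc_record(r), "example.com", "example.com", False, sample)
            for r in ROLLOUT]


if __name__ == "__main__":
    for s in (5, 50):
        print(f"sample={s}: {rollout_dispositions(s)}")
    sub = parse_dmarc_record("v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@example.com")
    print("sub.example.com under sp=none:",
          disposition(sub, "sub.example.com", "example.com", False, 0))
```

Run it and compare the two sample draws: at the pct=10 stage a draw of 50 lands outside the sampled share and the message is delivered as if p=none, which is exactly why you cannot judge the impact of a low pct= from your inbox alone.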

DMARC Alignment

Relaxed alignment (default, adkim=r / aspf=r): the organizational domains must match, where the organizational domain is the registrable domain one label below a public suffix (receivers find it with the Public Suffix List). mail.example.com aligns with example.com.

Strict alignment (adkim=s / aspf=s): the domains must match exactly. mail.example.com does not align with example.com under strict mode.

For SPF the authenticated domain is the envelope MAIL FROM (Return-Path) domain; for DKIM it is the d= tag of a signature that verified. Most domains should use relaxed alignment (the default). Strict is worth it only when you need to stop a compromised or loosely controlled subdomain from producing mail that aligns with your root domain, and it breaks senders that legitimately use a subdomain for bounces or signing.
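Relaxed versus strict alignment as executable logic, an added example that is not part of the original page. PUBLIC_SUFFIXES is a tiny constructed stand-in for the Public Suffix List that real receivers consult, and the sample messages (From: example.com, with senders attacker.net, mail.example.com and a third-party forwarder) are constructed for the example.

```python
"""DMARC identifier alignment, relaxed (r) and strict (s), for one message.

Added example, not code from the original page. PUBLIC_SUFFIXES is a tiny
constructed stand-in for the Public Suffix List that real receivers consult.
"""
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}   # constructed subset, an assumption


def organizational_domain(domain):
    """Registrable domain: one label above the longest matching public suffix."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):                  # longest suffix candidate first
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return ".".join(labels)                          # no known suffix: use as-is


def aligned(auth_domain, from_domain, mode):
    """True if auth_domain aligns with the From: domain under mode 'r' or 's'."""
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    if mode == "s":
        return a == f
    return organizational_domain(a) == organizational_domain(f)


def dmarc_result(from_domain, spf, dkim, adkim="r", aspf="r"):
    """Evaluate DMARC for one message.

    spf:  (result, envelope MAIL FROM domain), e.g. ("pass", "mail.example.com")
    dkim: list of (result, d= domain), one per signature the receiver checked
    DMARC passes when at least one identifier both passed and aligns.
    """
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain, aspf)
    dkim_ok = any(r == "pass" and aligned(d, from_domain, adkim) for r, d in dkim)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok, "dmarc": spf_ok or dkim_ok}


def demo_cases():
    """Constructed messages, all with a From: address at example.com."""
    # forger controls attacker.net: SPF and DKIM both pass there, neither aligns
    forged = dmarc_result("example.com", ("pass", "attacker.net"), [("pass", "attacker.net")])
    # own mail server uses a subdomain for bounces: aligns relaxed, not strict
    relaxed = dmarc_result("example.com", ("pass", "mail.example.com"), [])
    strict = dmarc_result("example.com", ("pass", "mail.example.com"), [], aspf="s")
    # forwarded by a third party: SPF fails on the forwarder's IP, DKIM survives
    forwarded = dmarc_result("example.com", ("fail", "forwarder.org"), [("pass", "example.com")])
    return {"forged": forged["dmarc"], "relaxed_subdomain": relaxed["dmarc"],
            "strict_subdomain": strict["dmarc"], "forwarded": forwarded["dmarc"]}


if __name__ == "__main__":
    for name, ok in demo_cases().items():
        print(f"{name:<18} DMARC {'pass' if ok else 'fail'}")
```

The forged case is the one the page's Alignment paragraph describes: both SPF and DKIM return pass, and DMARC still fails because neither authenticated domain has anything to do with the From: header.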

Understanding Aggregate Reports

When you set rua=, participating receivers (including the large providers) send you XML reports, usually once a day, as a gzip or zip compressed attachment. Each report shows:

  • Which IPs sent mail claiming to be from your domain
  • How many messages each IP sent
  • Whether SPF and DKIM passed for each IP, both the raw result (auth_results) and the aligned result DMARC actually used (policy_evaluated)
  • Which disposition was applied, and any local override reason

These reports are invaluable for discovering:

  • Forgotten email services you didn't add to SPF
  • Forged emails from other IPs
  • DKIM misconfiguration on specific sending services

Use a DMARC report analyzer (many are free) to parse the XML into readable summaries.

How to Look Up a DMARC Record

dig _dmarc.example.com TXT
nslookup -type=TXT _dmarc.example.com

DMARC for Subdomains

By default, subdomains inherit the root domain's policy. To override:

_dmarc.example.com.  TXT  "v=DMARC1; p=reject; sp=none; rua=mailto:[email protected]"

Here p=reject applies to example.com, but sp=none applies to sub.example.com — useful when subdomains have less-controlled email sending.

SPF vs DKIM vs DMARC

Feature               | SPF                                                | DKIM                                                         | DMARC
What it authenticates | Sending server IP for the envelope MAIL FROM domain | Message signature for the d= domain                          | Alignment of either with the From: header
Required for DMARC    | Yes (one of the two)                               | Yes (one of the two)                                         | n/a
Survives forwarding   | No                                                 | Usually (unless the forwarder modifies the signed content)   | Via DKIM
Provides reporting    | No                                                 | No                                                           | Yes
Stops spoofing        | Partially                                          | Partially                                                    | Yes (p=reject)

DMARC requires at least one of SPF or DKIM to pass with alignment. If neither does, the policy applies even when SPF or DKIM passed for some unrelated domain.

→ See also: SPF Record, DKIM Record, TXT Record

Frequently Asked Questions

Do I need both SPF and DKIM for DMARC to work?
No. DMARC passes if either SPF or DKIM passes with alignment. But you should configure both. SPF breaks on forwarded email because the forwarder's IP is not in your SPF record; DKIM usually survives because the signature travels with the message, unless the forwarder modifies the signed content (mailing lists often do). Having both means ordinary forwarded email can still pass DMARC via DKIM.
What if I don't set up DMARC at all?
Without DMARC, receiving mail servers apply their own heuristics to SPF/DKIM results, and nothing ties those results to the From: header, so anyone can put your domain in the From: line of a message that passes SPF and DKIM for their own domain. You also get no reports, so you have no view of who is sending as you. Google and Yahoo now require a DMARC record for bulk senders.
Can DMARC break my email?
Yes, if you jump straight to p=reject without verifying all your senders are authenticated. Always start with p=none, review aggregate reports, fix gaps, then gradually move to quarantine and reject.
What is a DMARC aggregate report vs a forensic report?
Aggregate reports (rua=) are daily XML summaries of all mail flows — which IPs sent mail, how many passed or failed. Forensic reports (ruf=) are per-failure reports containing message headers. Many providers have stopped sending forensic reports for privacy reasons. Aggregate reports are the more valuable and reliable of the two.
Can subdomains send email if I have p=reject on the root?
Yes, as long as they have their own SPF and DKIM setup and pass DMARC alignment. Subdomains inherit the root policy unless you set sp= explicitly. If a subdomain doesn't send email, you can set sp=reject to block spoofing of subdomains too.
Does DMARC apply to the Reply-To header?
No. DMARC only aligns against the domain in the From: header. Neither the Reply-To header nor the display name is part of DMARC authentication, so a message can pass DMARC and still carry an attacker-controlled Reply-To or a misleading display name.
Why are Google and Yahoo requiring DMARC?
In 2024, Google and Yahoo began requiring SPF, DKIM, and a DMARC record (p=none is enough to satisfy the requirement) for bulk senders, meaning those sending 5,000 or more messages a day to their users. Bulk senders without DMARC are increasingly likely to have mail to Gmail and Yahoo rejected or junked.
