DMARC Tags Reference

Version

Identifies the record as a DMARC record. The only valid value is DMARC1. Must be the first tag in the record.

v=DMARC1

Policy

The action receivers should take on mail that fails DMARC.

• none — observation only; no enforcement
• quarantine — mark failing mail as spam
• reject — refuse delivery of failing mail at SMTP

Start at none, progress to quarantine, then reject. See our policy progression guide.

Aggregate Reporting URI

Where to send aggregate reports. Without this, you have no visibility into what's passing or failing.

One or more comma-separated mailto: URIs.

rua=mailto:[email protected]

rua=mailto:[email protected],mailto:[email protected]

Subdomain Policy

Separate enforcement policy for subdomains. Defaults to the value of p= if not specified.

Same as p= — none, quarantine, or reject.

If subdomains have different sender ecosystems than the apex. Common pattern: stricter sp=reject when no legitimate mail comes from subdomains.

SPF Alignment Mode

How strictly the SPF-authenticated domain must match the From domain.

• r (relaxed, default) — subdomain matches count. mail.example.com SPF passing aligns with From example.com.
• s (strict) — exact match required.

Stick with r unless you have a specific need. Strict alignment breaks more legitimate setups than it stops attacks.

DKIM Alignment Mode

How strictly the DKIM signing domain must match the From domain. Same valid values and defaults as aspf=.

Percent

Percentage of failing mail to apply the policy to. The remainder gets p=none treatment.

0–100 (default 100).

During the rollout from p=quarantine to p=reject, ramp pct= from 10 to 100 in stages. Once stable, drop the tag (defaults to 100).

Failure Reporting URI

Where to send per-message failure reports. Most providers don't generate these by default; useful only when paired with fo=.

Same as rua= — one or more mailto: URIs.

Failure Reporting Options

When to generate failure reports. Each option's behaviour stacks if multiple are specified (colon-separated).

• 0 (default) — both SPF and DKIM must fail
• 1 — either SPF or DKIM failing triggers a report
• d — only on DKIM failure
• s — only on SPF failure

fo=1 during early rollout for maximum visibility; drop later.

Failure Report Format

Format for failure reports. Only valid value in practice is afrf (the default — Authentication Failure Reporting Format).

Reporting Interval

How often (in seconds) the receiver should send aggregate reports. Default is 86400 (daily). Most receivers ignore values other than 86400 anyway.

Production-grade DMARC record

Here's a record covering most production needs:

v=DMARC1; p=reject; sp=reject; pct=100; aspf=r; adkim=r; rua=mailto:[email protected]; ruf=mailto:[email protected]; fo=1; ri=86400

• p=reject; sp=reject — full enforcement on apex and subdomains
• pct=100 — every failing message subject to policy (default but explicit)
• aspf=r; adkim=r — relaxed alignment (default but explicit)
• rua + ruf — both reporting endpoints set
• fo=1 — generate failure reports on either SPF or DKIM failure
• ri=86400 — daily aggregate reports (default)

Day-1 record for new DMARC deployment

If you're publishing DMARC for the first time today:

v=DMARC1; p=none; rua=mailto:[email protected]

Three tags. Observation mode. Reports flowing back. That's enough to start. Add complexity only as you progress through the rollout.