How to Create a DMARC Record
Learn how to create a DMARC record for your domain. Understand every tag, build your record step by step, and publish it in DNS.
A DMARC record is a TXT record in your DNS that tells email providers how to handle messages that fail authentication. Creating one takes a few minutes once you understand the format.
DMARC Record Format
Every DMARC record follows this structure:
v=DMARC1; p=<policy>; [optional tags]
The record lives at _dmarc.yourdomain.com as a TXT record. Let's break down every tag you can use.
Required Tags
v (Version)
Always v=DMARC1. Must be the first tag. There's only one version.
v=DMARC1
p (Policy)
Tells receivers what to do with emails that fail DMARC:
| Value | Meaning |
|---|---|
| `none` | Deliver normally, but send reports |
| `quarantine` | Send to spam/junk folder |
| `reject` | Block the email entirely |
v=DMARC1; p=none
Start with p=none
Always start with p=none to collect data before enforcing. Jumping to reject without monitoring can block your own legitimate email.
Optional Tags
rua (Aggregate Reports)
Where to send daily aggregate reports. These XML reports show who's sending email as your domain and whether they pass or fail authentication.
v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com
You can send reports to multiple addresses:
rua=mailto:dmarc@yourdomain.com,mailto:dmarc@thirdparty.com
ruf (Forensic Reports)
Where to send detailed failure reports for individual messages. Not all providers send these.
ruf=mailto:dmarc-forensic@yourdomain.com
sp (Subdomain Policy)
Sets a different policy for subdomains. If omitted, subdomains inherit the main p= policy.
v=DMARC1; p=reject; sp=quarantine
pct (Percentage)
Apply the policy to only a percentage of failing messages. Useful for gradual rollout.
v=DMARC1; p=quarantine; pct=25
This quarantines only 25% of failing emails. Increase gradually to 100%.
adkim (DKIM Alignment)
How strictly DKIM domains must align with the From domain.
| Value | Meaning |
|---|---|
| `r` (relaxed) | Organizational domain match (default) |
| `s` (strict) | Exact domain match required |
aspf (SPF Alignment)
How strictly SPF domains must align with the From domain. Same values as adkim.
fo (Failure Reporting Options)
Controls when forensic reports are generated:
| Value | Meaning |
|---|---|
| `0` | Report if both SPF and DKIM fail (default) |
| `1` | Report if either SPF or DKIM fails |
| `d` | Report if DKIM fails |
| `s` | Report if SPF fails |
ri (Report Interval)
How often aggregate reports are sent, in seconds. Default is 86400 (24 hours).
ri=86400
Building Your Record Step by Step
Step 1: Start with Monitoring
Begin with a basic monitoring record:
v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com
This delivers all email normally but sends you reports about who's using your domain.
Step 2: Review Reports (2-4 Weeks)
After collecting reports, you'll see:
- Which services send email as your domain
- Whether they pass SPF and DKIM
- Any unauthorized senders
Step 3: Move to Quarantine
Once you've confirmed all legitimate senders pass authentication:
v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@yourdomain.com
Start at 25%, increase to 50%, then 100%.
Step 4: Move to Reject
After quarantine runs smoothly:
v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com
Your domain is now fully protected against spoofing.
Example Records
Basic Monitoring
v=DMARC1; p=none; rua=mailto:dmarc@example.com
Quarantine with Reports
v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com; ruf=mailto:dmarc-forensic@example.com; fo=1
Full Enforcement
v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:dmarc@example.com
Gradual Rollout
v=DMARC1; p=quarantine; pct=10; rua=mailto:dmarc@example.com
Use DMARC Creator
If you'd rather not build the record by hand, DMARC Creator generates valid DMARC records with an interactive form. Select your options, copy the record, and add it to your DNS.
Publishing Your Record
Once you've built your record, add it to your DNS provider:
- Go to your DNS management panel
- Add a new TXT record
- Set the name/host to
_dmarc - Paste your DMARC record as the value
- Save and wait for propagation
For provider-specific instructions, see our guides for Cloudflare, GoDaddy, and Namecheap.
Verify Your Record
After publishing, verify it's working:
Common Mistakes
Missing v=DMARC1
The version tag must come first. Without it, the record is invalid.
Multiple DMARC Records
You can only have one DMARC record per domain. Multiple records cause unpredictable behavior.
Wrong DNS Location
The record must be at _dmarc.yourdomain.com, not at the root domain.
Skipping p=none
Going straight to p=reject without monitoring first risks blocking your own email.
Monitor Your DMARC Records
Checking once is good. Monitoring continuously is better. The Email Deliverability Suite watches your SPF, DKIM, DMARC, and MX records daily and alerts you when something breaks.
Never miss a DMARC issue
Monitor your SPF, DKIM, DMARC and MX records daily. Get alerts when something breaks.
Start Monitoring