A DMARC record is the record where the DMARC rulesets are defined. The DMARC record contains the policy. The DMARC record should be placed in your DNS. The TXT record name should be “_dmarc.example.com.” where “example.com” is replaced with your actual domain name (or subdomain). Common tags used in DMARC TXT records:
| Tag | Default | Translation |
|---|
| v | DMARC 1 | The DMARC version should always be ‘DMARC1’. Note: A wrong, or absent DMARC version tag would cause the entire record to be ignored. |
| p | none | Policy applied to emails that fails the DMARC check. Authorized values: ‘none’, ‘quarantine’, or ‘reject’. ‘none’ is used to collect feedback and gain visibility into email streams without impacting existing flows. “quarantine” allows Mail Receivers to treat email that fails the DMARC check as suspicious. Most of the time, they will end up in your SPAM folder.“reject” outright rejects all emails that fail the DMARC check |
| adkim | r | Specifies ‘Alignment Mode’ for DKIM signatures. Authorized values: ‘r’, ‘s’. ‘r’, or ‘Relaxed Mode’, allows Authenticated DKIM d= domains that share a common Organizational Domain with an email’s “header-From:” domain to pass the DMARC check. ‘s’, or ‘Strict Mode’ requires exact matching between the DKIM d= domain and an email’s “header-From:” domain. |
| aspf | r | Specifies ‘Alignment Mode’ for SPF. Authorized values: ‘r’, ‘s’. ‘r’, or ‘Relaxed Mode’ allows SPF Authenticated domains that share a common Organizational Domain with an email’s ‘header-From:’ domain to pass the DMARC check. ‘s’, or ‘Strict Mode’ requires exact matching between the SPF domain and an email’s “header-From:” domain. |
| sp | p = value | Policy to apply to email from a sub-domain of this DMARC record that fails the DMARC check. Authorized values: ‘none’, ‘quarantine’, or ‘eject’. This tag allows domain owners to explicitly publish a “wildcard” sub-domain policy. |
| fo | 0 | Forensic reporting options. Authorized values: ‘0’, ‘1’, ‘d’, or ‘s’. ‘0’ generates reports if all underlying authentication mechanisms fail to produce a DMARC pass result, ‘1’ generates reports if any mechanisms fail, ‘d’ generates reports if DKIM signature failed to verify, ‘s’ generates reports if SPF failed |
| ruf | none | The list of URIs for receivers to send Forensic reports to. Note: This is not a list of email addresses, as DMARC requires a list of URIs of the form ‘mailto:address@example.org’. |
| rua | none | The list of URIs for receivers to send XML feedback to. Note: This is not a list of email addresses, as DMARC requires a list of URIs of the form ‘mailto:address@example.org’. |
| rf | afrf | The reporting format for individual Forensic reports. Authorized values: ‘afrf’, ‘iodef’. |
| pct | 100 | The percentage tag tells receivers to only apply policy against email that fails the DMARC check x amount of the time. For example, ‘pct=25’ tells receivers to apply the ‘p=’ policy 25% of the time against email that fails the DMARC check. Note: The policy must be ‘quarantine’ or ‘reject’ for the percentage tag to be applied |
| ri | 86400 | The reporting interval for how often you’d like to receive aggregate XML reports. You’ll most likely receive reports once a day regardless of this setting. |
