DMARC Record — Email Policy Enforcement

Learn how to configure DMARC DNS records to protect your domain from email spoofing. Understand policies, alignment modes, and aggregate reporting setup.


Zone File Entry

_dmarc.example.com.    IN    TXT    "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; ruf=mailto:dmarc-forensic@example.com; adkim=s; aspf=s"

Detailed Explanation

What Is a DMARC Record?

DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an email authentication policy published as a DNS TXT record at _dmarc.yourdomain.com. It tells receiving mail servers what to do with messages that fail DMARC evaluation, meaning neither SPF nor DKIM passes in alignment with the domain in the From: header.

BIND Zone File Syntax

; Monitoring mode (recommended starting point)
_dmarc.example.com.    3600    IN    TXT    "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"

; Quarantine failed messages
_dmarc.example.com.    3600    IN    TXT    "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com; pct=50"

; Reject failed messages (full enforcement)
_dmarc.example.com.    3600    IN    TXT    "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; ruf=mailto:forensic@example.com; adkim=s; aspf=s"

DMARC Tags Explained

Tag     Description                               Values
v       Version (required)                        DMARC1
p       Policy for the domain (required)          none, quarantine, reject
sp      Policy for subdomains                     none, quarantine, reject
rua     Aggregate report recipients               mailto:address
ruf     Forensic report recipients                mailto:address
adkim   DKIM alignment mode                       r (relaxed), s (strict)
aspf    SPF alignment mode                        r (relaxed), s (strict)
pct     Percentage of messages to apply policy    0 to 100

The Three Policies

  • p=none — Monitor only. No action is taken on failing messages, but you receive reports. Start here.
  • p=quarantine — Failing messages are sent to the spam/junk folder.
  • p=reject — Failing messages are rejected outright and not delivered.

Alignment Modes

DMARC requires that either SPF or DKIM passes and aligns with the domain in the From: header:

  • Relaxed (r): Organizational domain match is sufficient (mail.example.com aligns with example.com)
  • Strict (s): Exact domain match is required

Recommended Deployment Path

  1. Start with p=none and rua=mailto:... to collect reports
  2. Analyze aggregate reports for 2-4 weeks to identify all legitimate senders
  3. Add all legitimate senders to your SPF record and configure DKIM for each
  4. Move to p=quarantine; pct=25 and gradually increase the percentage
  5. Finally, deploy p=reject once you are confident all legitimate mail passes

Aggregate Reports (rua)

Aggregate reports are XML files sent daily by receiving servers. They contain statistics about how many messages passed and failed DMARC evaluation. Use a DMARC reporting service to parse and visualize these reports — the raw XML is not human-friendly.

Subdomain Policy

The sp tag lets you set a separate policy for subdomains. If omitted, subdomains inherit the main domain policy. Setting sp=reject even when p=none can protect unused subdomains from spoofing.

Use Case

Deploy a DMARC record to instruct receiving mail servers on how to handle emails that fail SPF and DKIM checks, reducing phishing and spoofing attacks using your domain name.
