Every DMARC tag, explained

A DMARC record is a TXT record at _dmarc.example.com containing semicolon-separated tags. Only two are required: v=DMARC1 (must come first) and p= (the policy — none, quarantine, or reject). Everything else is optional. In practice you also want rua=, because without it you get no reports and are flying blind.

Updated July 14, 2026 · DMARC

_dmarc.example.com.  IN TXT  "v=DMARC1; p=reject; sp=quarantine; rua=mailto:[email protected]; adkim=r; aspf=r"

The tags

TagRequiredWhat it does
vYesMust be DMARC1 and must be the first tag. Anything else and the record is not a DMARC record.
pYesPolicy for the organizational domain: none, quarantine, or reject.
ruaNo, but yesWhere aggregate (XML) reports are sent. Technically optional; omitting it means you have deployed DMARC and blindfolded yourself.
spNoPolicy for subdomains. Defaults to whatever p is. This is the tag that lets you enforce on the parent while a lagging subdomain catches up.
adkimNoDKIM alignment: r relaxed (default) or s strict.
aspfNoSPF alignment: r relaxed (default) or s strict.
rufNoForensic/failure reports. Most large receivers do not send these, for privacy reasons. Do not build a process that depends on them.
foNoControls when failure reports are generated. Only meaningful alongside ruf, which is to say: rarely meaningful.
tNot=y marks the domain as being in testing, per RFC 9989.
pctRemoved from the spec by RFC 9989. Ignored by parsers; no longer stages a rollout.

Records that do what you probably want

# Stage 1 — watch, don't touch. Start here. Always.
v=DMARC1; p=none; rua=mailto:[email protected]

# Stage 2 — enforce on the parent, keep a lagging subdomain permissive
v=DMARC1; p=quarantine; sp=none; rua=mailto:[email protected]

# Stage 3 — full enforcement
v=DMARC1; p=reject; rua=mailto:[email protected]
The two errors that cost people the most. Putting the record at example.com instead of _dmarc.example.com — it will simply never be found. And setting aspf=s or adkim=s because "strict sounds more secure", which breaks every subdomain sender you have. Relaxed is the default for a reason.

Parse your live record

We resolve _dmarc.<domain> and report every tag, including ones no longer in the spec.

Frequently asked

What is the minimum valid DMARC record?

v=DMARC1; p=none — the version tag and a policy. That is syntactically complete, but without a rua= tag you receive no aggregate reports, which means you cannot see who is sending as your domain and cannot safely move to enforcement.

What is the difference between adkim and aspf?

They set alignment strictness for DKIM and SPF respectively. r (relaxed, the default) means the organizational domain must match, so mail.example.com aligns with example.com. s (strict) requires an exact match. Relaxed is right for almost everyone; strict breaks subdomain senders.

Where does the DMARC record go?

In a TXT record at the _dmarc subdomain of the domain you are protecting — so _dmarc.example.com for example.com. This trips people up: it is not a TXT record at the root like SPF.

Is the pct tag still valid in DMARC?

No. RFC 9989 removed pct from the specification in May 2026. Parsers ignore unknown tags so an existing record will not break, but pct no longer stages your rollout and should not be used.

Related

Automate this → — free tier, public pricing, API key emailed in about thirty seconds. No call with anyone.