Every DMARC tag, explained
A DMARC record is a TXT record at _dmarc.example.com containing semicolon-separated tags. Only two are required: v=DMARC1 (must come first) and p= (the policy — none, quarantine, or reject). Everything else is optional. In practice you also want rua=, because without it you get no reports and are flying blind.
_dmarc.example.com. IN TXT "v=DMARC1; p=reject; sp=quarantine; rua=mailto:[email protected]; adkim=r; aspf=r"
The tags
| Tag | Required | What it does |
|---|---|---|
v | Yes | Must be DMARC1 and must be the first tag. Anything else and the record is not a DMARC record. |
p | Yes | Policy for the organizational domain: none, quarantine, or reject. |
rua | No, but yes | Where aggregate (XML) reports are sent. Technically optional; omitting it means you have deployed DMARC and blindfolded yourself. |
sp | No | Policy for subdomains. Defaults to whatever p is. This is the tag that lets you enforce on the parent while a lagging subdomain catches up. |
adkim | No | DKIM alignment: r relaxed (default) or s strict. |
aspf | No | SPF alignment: r relaxed (default) or s strict. |
ruf | No | Forensic/failure reports. Most large receivers do not send these, for privacy reasons. Do not build a process that depends on them. |
fo | No | Controls when failure reports are generated. Only meaningful alongside ruf, which is to say: rarely meaningful. |
t | No | t=y marks the domain as being in testing, per RFC 9989. |
pct | — | Removed from the spec by RFC 9989. Ignored by parsers; no longer stages a rollout. |
Records that do what you probably want
# Stage 1 — watch, don't touch. Start here. Always. v=DMARC1; p=none; rua=mailto:[email protected] # Stage 2 — enforce on the parent, keep a lagging subdomain permissive v=DMARC1; p=quarantine; sp=none; rua=mailto:[email protected] # Stage 3 — full enforcement v=DMARC1; p=reject; rua=mailto:[email protected]
example.com instead of _dmarc.example.com — it will simply never be
found. And setting aspf=s or adkim=s because "strict sounds more
secure", which breaks every subdomain sender you have. Relaxed is the default for a reason.
Parse your live record
We resolve _dmarc.<domain> and report every tag, including ones no longer in the spec.
Frequently asked
What is the minimum valid DMARC record?
v=DMARC1; p=none — the version tag and a policy. That is syntactically complete, but without a rua= tag you receive no aggregate reports, which means you cannot see who is sending as your domain and cannot safely move to enforcement.
What is the difference between adkim and aspf?
They set alignment strictness for DKIM and SPF respectively. r (relaxed, the default) means the organizational domain must match, so mail.example.com aligns with example.com. s (strict) requires an exact match. Relaxed is right for almost everyone; strict breaks subdomain senders.
Where does the DMARC record go?
In a TXT record at the _dmarc subdomain of the domain you are protecting — so _dmarc.example.com for example.com. This trips people up: it is not a TXT record at the root like SPF.
Is the pct tag still valid in DMARC?
No. RFC 9989 removed pct from the specification in May 2026. Parsers ignore unknown tags so an existing record will not break, but pct no longer stages your rollout and should not be used.
Related
- DMARC has a new RFC — and pct is gone — RFC 9989 (May 2026) obsoletes RFC 7489 and RFC 9091.
- What p=none actually does — p=none asks receivers not to change message handling.
- DMARC aggregate reports, and how to actually read one — The rua tag gets you XML reports from receivers showing who is sending as your domain.
- SPF vs DKIM vs DMARC — Three records, three different jobs.
Automate this → — free tier, public pricing, API key emailed in about thirty seconds. No call with anyone.