DMARC record reference
Reference for every DMARC TXT record tag: v=, p=, sp=, rua=, ruf=, adkim=, aspf=, fo=, pct=, ri=, and what each value controls.
A DMARC record is a TXT record published at _dmarc.yourdomain.com. It tells receivers what policy to apply to mail that fails authentication, where to send reports, and how strictly to evaluate alignment. This page covers every tag.
A minimal valid record looks like:
_dmarc.yourdomain.com TXT "v=DMARC1; p=none; rua=mailto:reports@yourdomain.com"Tag reference
v= (version)
Required. Must be DMARC1. No other value is valid.
v=DMARC1p= (policy)
Required. What receivers should do with mail that fails DMARC.
| Value | Behavior |
|---|---|
none | Deliver normally; collect and send reports only |
quarantine | Send to spam/junk folder |
reject | Refuse delivery entirely |
Start with p=none while you're monitoring. See when to move from p=none to enforcement for the readiness checklist.
sp= (subdomain policy)
Optional. Policy to apply to subdomains of your domain. If omitted, the p= policy applies to subdomains as well.
sp=noneUseful if you want to enforce on your apex domain (yourdomain.com) while keeping subdomains in monitoring mode, or vice versa. A common pattern: enforce on yourdomain.com with p=reject while leaving sp=none for subdomain senders you haven't fully audited yet.
rua= (aggregate report address)
Optional but strongly recommended. Where receivers send aggregate reports. One or more mailto: URIs, comma-separated.
rua=mailto:reports@yourdomain.com
rua=mailto:d-abc123@in.dmarcdrift.com
rua=mailto:reports@yourdomain.com,mailto:d-abc123@in.dmarcdrift.comReports are sent as gzipped XML attachments, typically once per day. Without rua=, you receive no data about who's sending on behalf of your domain.
To add DMARCdrift without removing an existing rua= address, append it with a comma — receivers send reports to all listed addresses.
adkim= (DKIM alignment mode)
Optional. How strictly the DKIM signing domain must match your From domain.
| Value | Behavior |
|---|---|
r | Relaxed: organizational domain match (default) |
s | Strict: exact domain match required |
Default is r (relaxed) if omitted. See relaxed vs strict alignment for when strict makes sense.
aspf= (SPF alignment mode)
Optional. How strictly the SPF envelope sender domain must match your From domain.
| Value | Behavior |
|---|---|
r | Relaxed: organizational domain match (default) |
s | Strict: exact domain match required |
Default is r (relaxed) if omitted. Mirrors adkim= but applies to SPF.
fo= (failure reporting options)
Optional. Controls what triggers a failure report (used with ruf= forensic reporting, which most receivers no longer support).
| Value | Behavior |
|---|---|
0 | Report if all authentication mechanisms fail (default) |
1 | Report if any mechanism fails |
d | Report if DKIM fails |
s | Report if SPF fails |
Forensic/failure reports (ruf=) are largely deprecated — most major receivers stopped sending them due to privacy concerns. For practical purposes, fo= can be omitted.
ri= (report interval)
Optional. Requested interval between aggregate reports, in seconds. Default is 86400 (24 hours).
ri=86400Receivers are not required to honor this. Most send once per day regardless of the ri= value. Setting a shorter interval won't reliably give you more frequent reports.
pct= (percentage)
Optional. Percentage of messages the policy applies to, as an integer from 0–100. Default is 100.
pct=50pct=50 means the policy applies to 50% of messages that fail DMARC; the other 50% are treated as if p=none. Intended as a gradual rollout mechanism, but receivers interpret it inconsistently. Prefer moving between none, quarantine, and reject directly rather than using pct= as an intermediate step.
ruf= (forensic report address)
Optional. Where to send forensic (failure) reports containing individual message data.
ruf=mailto:forensic@yourdomain.comForensic reports are rarely sent by modern receivers. Google, Yahoo, and most large providers stopped sending ruf= reports due to privacy concerns. Don't rely on them for monitoring.
A complete example
_dmarc.yourdomain.com TXT "v=DMARC1; p=reject; sp=quarantine; adkim=r; aspf=r; rua=mailto:d-abc123@in.dmarcdrift.com; ri=86400"This record applies p=reject to the apex domain, p=quarantine to subdomains, relaxed alignment for both DKIM and SPF, and sends daily aggregate reports to DMARCdrift.
Notes on deprecated and ignored tags
The rf= (report format) and rp= (reporting policy) tags were specified in early DMARC drafts but are not part of RFC 7489 and are ignored by receivers. Do not include them.
The pct= tag is technically valid but unreliable in practice (see above).
See also: When to move from p=none to enforcement: the readiness checklist before changing your policy. Relaxed vs strict DMARC alignment: when adkim=s or aspf=s makes sense.