DMARC Record Email Auth

DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an email authentication protocol that builds on SPF and DKIM. It tells receiving servers what to do when authentication fails and provides reporting so you can monitor who's sending email using your domain.

What Is a DMARC Record?

A DMARC record is a DNS TXT record published at _dmarc.yourdomain.com that:

  • Defines policy — What should happen to emails that fail authentication (none, quarantine, reject)
  • Enables reporting — Where to send aggregate and forensic reports about email authentication
  • Specifies alignment — How strictly the From: domain must match SPF/DKIM domains

DMARC Record Format

DMARC records are always placed at _dmarc.domain.com:

Example DMARC Record

_dmarc.example.com.    3600    IN    TXT    "v=DMARC1; p=reject; rua=mailto:[email protected]; pct=100"

This record tells receivers to reject emails failing authentication and send aggregate reports to [email protected].

DMARC Tags

| Tag | Required | Description |
|---|---|---|
| v=DMARC1 | Yes | DMARC version (must be "DMARC1") |
| p= | Yes | Policy: none, quarantine, or reject |
| rua= | No | Aggregate report destination (mailto: URI) |
| ruf= | No | Forensic report destination (mailto: URI) |
| pct= | No | Percentage of messages to apply policy (default: 100) |
| sp= | No | Subdomain policy (defaults to p= value) |
| adkim= | No | DKIM alignment: r=relaxed (default), s=strict |
| aspf= | No | SPF alignment: r=relaxed (default), s=strict |
| fo= | No | Forensic report options (0, 1, d, s) |
| ri= | No | Aggregate report interval in seconds (default: 86400) |
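The tag rules in the table can be checked mechanically before a record is published. The following is an added example, not code from this page or from any DMARC tool: `parse_dmarc` is a hypothetical helper, and the records and report address in the demo are constructed.

```python
POLICIES = {"none", "quarantine", "reject"}
# Defaults from the tag table above; sp= falls back to the p= value.
DEFAULTS = {"pct": "100", "adkim": "r", "aspf": "r", "ri": "86400"}


def parse_dmarc(txt):
    """Parse a DMARC TXT value. Returns (effective_tags, findings)."""
    findings, tags = [], {}
    pairs = [p.strip() for p in txt.strip().strip('"').split(";") if p.strip()]
    for pair in pairs:
        name, sep, value = (s.strip() for s in pair.partition("="))
        if not sep or not value:
            findings.append(f"malformed tag: {pair!r}")
        elif name.lower() in tags:
            findings.append(f"duplicate tag: {name}")
        else:
            tags[name.lower()] = value
    # The version tag must come first and must be exactly DMARC1.
    if not pairs or pairs[0].replace(" ", "") != "v=DMARC1":
        findings.append("first tag must be v=DMARC1")
    if tags.get("p", "").lower() not in POLICIES:
        findings.append("p= is required: none, quarantine or reject")
    if tags.get("sp", "none").lower() not in POLICIES:
        findings.append("sp= must be none, quarantine or reject")
    for name in ("adkim", "aspf"):
        if tags.get(name, "r").lower() not in ("r", "s"):
            findings.append(f"{name}= must be r or s")
    pct = tags.get("pct", "100")
    if not pct.isdecimal() or int(pct) > 100:
        findings.append("pct= must be an integer from 0 to 100")
    for name in ("rua", "ruf"):
        for uri in filter(None, (u.strip() for u in tags.get(name, "").split(","))):
            if not uri.lower().startswith("mailto:"):
                findings.append(f"{name}= entry is not a mailto: URI: {uri}")
    if "rua" not in tags:
        findings.append("no rua=: no aggregate reports will be sent")
    effective = {**DEFAULTS, "sp": tags.get("p", ""), **tags}
    return effective, findings


if __name__ == "__main__":
    # Constructed records; the report address is a placeholder.
    for rec in ("v=DMARC1; p=reject; rua=mailto:dmarc@example.com; pct=100",
                "p=quarantine; v=DMARC1; pct=150; adkim=x"):
        print(rec, "->", parse_dmarc(rec))
```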

DMARC Policies

The p= tag defines what to do with failing emails:

p=none: Monitor Only

Take no action on failing emails, but send reports. Use this to start monitoring before enforcement.

v=DMARC1; p=none; rua=mailto:[email protected]

p=quarantine: Mark as Spam

Failing emails should be treated as suspicious (typically moved to spam folder).

v=DMARC1; p=quarantine; rua=mailto:[email protected]

p=reject: Block Completely

Failing emails should be rejected outright. Maximum protection but requires careful testing first.

v=DMARC1; p=reject; rua=mailto:[email protected]

Start with p=none

Always start with p=none and analyze reports before moving to quarantine or reject. Jumping straight to reject can block legitimate email from misconfigured services.

How DMARC Authentication Works

For an email to pass DMARC, it must pass either SPF or DKIM with alignment:

  1. SPF Check — Is the sending IP authorized by the domain's SPF record?
  2. SPF Alignment — Does the envelope-from domain match the header From: domain?
  3. DKIM Check — Is the DKIM signature valid?
  4. DKIM Alignment — Does the DKIM signing domain match the header From: domain?

If either (SPF + alignment) OR (DKIM + alignment) passes, DMARC passes.

DMARC Alignment

| Mode | Requirement | Example |
|---|---|---|
| Relaxed (r) | Domains must share organizational domain | mail.example.com aligns with example.com |
| Strict (s) | Domains must match exactly | example.com must match example.com |
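The pass rule and the two alignment modes can be worked through on concrete cases. This is an added example, not code from this page: the function names and all domains are constructed, and `org_domain` assumes the organizational domain is the last two labels, where a real evaluator uses the Public Suffix List.

```python
def org_domain(domain):
    # Simplification for this example: the last two labels. Real evaluators
    # use the Public Suffix List (needed for suffixes such as co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Relaxed ('r'): same organizational domain. Strict ('s'): exact match."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def evaluate(header_from, spf_pass, mail_from, dkim_sigs, aspf="r", adkim="r"):
    """dkim_sigs: list of (d= domain, signature_valid). Returns a result dict."""
    spf_ok = spf_pass and aligned(mail_from, header_from, aspf)
    # Any one valid, aligned signature is enough for the DKIM path.
    dkim_ok = any(valid and aligned(d, header_from, adkim) for d, valid in dkim_sigs)
    return {"spf": spf_ok, "dkim": dkim_ok,
            "dmarc": "pass" if spf_ok or dkim_ok else "fail"}


# Constructed scenarios (all domains are placeholders).
SCENARIOS = {
    # Direct mail with a subdomain bounce address, relaxed alignment.
    "direct": evaluate("example.com", True, "bounce.mail.example.com",
                       [("example.com", True)]),
    # Forwarded: SPF fails at the forwarder, the DKIM signature survives.
    "forwarded": evaluate("example.com", False, "example.com",
                          [("example.com", True)]),
    # Third-party sender: SPF and DKIM both pass, but for the vendor's domain.
    "vendor": evaluate("example.com", True, "bounces.vendor.example.net",
                       [("vendor.example.net", True)]),
    # Subdomain bounce address and signature under aspf=s and adkim=s.
    "strict": evaluate("example.com", True, "bounce.mail.example.com",
                       [("mail.example.com", True)], aspf="s", adkim="s"),
}

if __name__ == "__main__":
    for name, result in SCENARIOS.items():
        print(f"{name:10} {result}")
```

The "vendor" case is the usual reason legitimate mail fails after enforcement: both checks pass, but neither is aligned with the From: domain.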

Common DMARC Configurations

1. Monitoring Mode (Start Here)

v=DMARC1; p=none; rua=mailto:[email protected]

2. Gradual Rollout (25% Quarantine)

v=DMARC1; p=quarantine; pct=25; rua=mailto:[email protected]

3. Full Quarantine

v=DMARC1; p=quarantine; pct=100; rua=mailto:[email protected]

4. Full Reject (Maximum Protection)

v=DMARC1; p=reject; rua=mailto:[email protected]; ruf=mailto:[email protected]

5. Strict Alignment

v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:[email protected]

Understanding DMARC Reports

Aggregate Reports (rua)

Daily XML reports showing authentication results for all emails claiming to be from your domain. These reports help you identify:

  • Legitimate services you forgot to authorize
  • Misconfigured email systems
  • Spoofing attempts against your domain
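A short script can pull the failing sources out of an aggregate report. This is an added example, not code from this page: the report is constructed, trimmed to the RFC 7489 fields used, and assumed to carry no XML namespace; `summarize` and `failing_sources` are hypothetical names.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample report, trimmed to the fields this example reads.
SAMPLE = """<feedback>
 <policy_published><domain>example.com</domain><p>none</p></policy_published>
 <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
  <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers></record>
 <record><row><source_ip>198.51.100.7</source_ip><count>40</count>
  <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers></record>
 <record><row><source_ip>203.0.113.99</source_ip><count>15</count>
  <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers></record>
 <record><row><source_ip>203.0.113.99</source_ip><count>5</count>
  <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>news.example.com</header_from></identifiers></record>
</feedback>"""


def summarize(xml_text):
    """Return (domain, policy, per-source stats) for one aggregate report."""
    # Reports come from third parties: refuse DTDs, since ElementTree expands
    # internal entities (a hardened parser such as defusedxml also works).
    if "<!DOCTYPE" in xml_text:
        raise ValueError("DTD not allowed in aggregate reports")
    root = ET.fromstring(xml_text)
    stats = defaultdict(lambda: {"pass": 0, "fail": 0, "from": set()})
    for rec in root.iter("record"):
        ev = rec.find("row/policy_evaluated")
        count = int(rec.findtext("row/count"))
        # policy_evaluated holds aligned results: either one passing is a DMARC pass.
        ok = ev.findtext("dkim") == "pass" or ev.findtext("spf") == "pass"
        s = stats[rec.findtext("row/source_ip")]
        s["pass" if ok else "fail"] += count
        s["from"].add(rec.findtext("identifiers/header_from"))
    return (root.findtext("policy_published/domain"),
            root.findtext("policy_published/p"), dict(stats))


def failing_sources(stats):
    """Sources with DMARC failures, largest volume first."""
    bad = [(ip, s["fail"], sorted(s["from"])) for ip, s in stats.items() if s["fail"]]
    return sorted(bad, key=lambda t: -t[1])


if __name__ == "__main__":
    print(failing_sources(summarize(SAMPLE)[2]))
```

Each failing source still needs a human decision: a known vendor's address range points to a missing SPF or DKIM setup, while an unknown source is a spoofing candidate.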

Forensic Reports (ruf)

Individual reports for each failed email. These contain more detail but raise privacy concerns, and many receivers don't send them. Use carefully.

DMARC Best Practices

  • Implement SPF and DKIM first — DMARC builds on these protocols. Get them working before adding DMARC.
  • Start with p=none — Monitor for several weeks before enforcing.
  • Use a DMARC reporting service — Raw XML reports are hard to read. Use a service to parse and visualize them.
  • Gradually increase enforcement — Move from none → quarantine (25%) → quarantine (100%) → reject.
  • Set subdomain policy — Use sp= to set a separate policy for subdomains; without it, they inherit the p= policy.
  • Enable reports for all receiving domains — If rua= or ruf= points to an address outside your domain, the destination domain must publish a DMARC authorization record.

External Report Destinations

To send DMARC reports to an address outside your domain, the destination domain must authorize it:

; If your DMARC has: rua=mailto:[email protected]
; analyzer.com must have:
example.com._report._dmarc.analyzer.com.    TXT    "v=DMARC1"
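The check a receiver makes for external destinations can be reproduced to audit your own record. This is an added example, not code from this page: the record, the report addresses and the `FAKE_DNS` answers are constructed, `lookup_txt` stands in for a real TXT query, and `org_domain` uses a last-two-labels simplification instead of the Public Suffix List.

```python
import re


def org_domain(name):
    # Simplification for this example: last two labels. Real code needs the
    # Public Suffix List to handle suffixes such as co.uk.
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def external_report_checks(policy_domain, record, lookup_txt):
    """For each rua=/ruf= mailto: destination outside policy_domain, return
    (authorization record name, authorized?). lookup_txt(name) -> TXT strings."""
    results = []
    for tag in ("rua", "ruf"):
        m = re.search(rf"(?:^|;)\s*{tag}\s*=\s*([^;]+)", record)
        for uri in (m.group(1).split(",") if m else []):
            addr = uri.strip().split("!")[0]      # drop an optional !size limit
            if not addr.lower().startswith("mailto:") or "@" not in addr:
                continue
            host = addr.rsplit("@", 1)[1].lower()
            if org_domain(host) == org_domain(policy_domain):
                continue                          # same organization: no check
            name = f"{policy_domain.lower()}._report._dmarc.{host}"
            ok = any(t.strip().startswith("v=DMARC1") for t in lookup_txt(name))
            results.append((name, ok))
    return results


# Constructed DNS data standing in for real TXT lookups.
FAKE_DNS = {"example.com._report._dmarc.analyzer.com": ["v=DMARC1"]}
RECORD = ("v=DMARC1; p=none; rua=mailto:agg@example.com,mailto:agg@analyzer.com; "
          "ruf=mailto:fail@reports.example.net")


def demo():
    return external_report_checks("example.com", RECORD,
                                  lambda name: FAKE_DNS.get(name, []))


if __name__ == "__main__":
    for name, ok in demo():
        print("authorized" if ok else "MISSING   ", name)
```

A destination reported as missing will not receive reports from receivers that perform this verification.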

Troubleshooting DMARC

Common issues and solutions:

  • Legitimate email failing DMARC — Check that all sending services are in your SPF and have DKIM configured.
  • Forwarded emails failing — Email forwarding breaks SPF. DKIM should still pass if the message isn't modified.
  • Mailing lists failing — Many mailing lists rewrite the From: header, breaking alignment. ARC helps with this.
  • Not receiving reports — Verify the rua address is valid and check spam folders. Some receivers don't send reports.
  • Policy not applied — Ensure the record is at _dmarc.yourdomain.com, not the root domain.
