Breaking Down the Essential Components in a DMARC Record (And How to Write One That Works)

By

Once you’ve set up SPF and DKIM, the next step is DMARC. DMARC stands for Domain-based Message Authentication, Reporting & Conformance. It tells email servers how to handle messages that fail SPF or DKIM checks and lets you monitor if anyone is misusing your domain for spam or phishing.

Adding a DMARC record helps your emails land in inboxes, protects your domain from abuse, and gives you reports about your email activity. This guide will break down each part of a DMARC record and show you how to create one that works.

What is a DMARC Record?

A DMARC record is a TXT entry in your domain’s DNS (the system that tells the internet how to find your website and email). It tells email servers: “Here’s how to check if messages are really from us, and what to do if something looks suspicious.”

Unlike SPF or DKIM, which focus on verifying the sender, DMARC is policy-based (it defines rules for handling messages that fail authentication). DMARC also gives you reports to help you monitor email activity.

Core Components of a DMARC Record

Here are the main fields you’ll see in a DMARC record:

Version (v)

v=DMARC1

  • Identifies this DNS record as DMARC.
  • Always required and should come first.

Policy (p)

p=none | quarantine | reject

  • Tells servers what to do with messages that fail authentication.
  • none – Just monitor, don’t block (good for starting out).
  • quarantine – Treat suspicious messages as spam.
  • reject – Block suspicious messages entirely.

Aggregate Report Address (rua)

rua=mailto:reports@yourdomain.com

  • Receives summary reports about authentication results.
  • Helps you see how SPF/DKIM alignment is working and spot potential issues.

Forensic Report Address (ruf)

ruf=mailto:failures@yourdomain.com

  • Optional. Sends detailed reports on individual emails that fail DMARC.
  • Useful for troubleshooting problems.

Failure Options (fo)

fo=1 | 0 | d | s

  • Determines which failed emails trigger reports.
  • 1 – Report if SPF or DKIM fails.
  • 0 – Report only if both fail.
  • d – Report if DKIM fails.
  • s – Report if SPF fails.

Subdomain Policy (sp)

sp=none | quarantine | reject

  • Optional. Applies a different DMARC policy to subdomains.
  • Helpful if you have separate email systems for subdomains.

Percent (pct)

pct=100

  • Optional. Tells servers what percentage of your email traffic the DMARC policy should apply to.
  • Example: pct=50 means only half your messages are checked against the DMARC policy, useful for testing.

How to Write a Functional DMARC Record

Step 1: Start With Monitoring

Use a monitor-only policy at first to avoid blocking legitimate emails:

v=DMARC1; p=none; rua=mailto:reports@yourdomain.com; ruf=mailto:failures@yourdomain.com; fo=1

Step 2: Add Reporting Emails

Include addresses for aggregate and forensic reports. Make sure these emails are monitored so you can see any issues quickly.

Step 3: Decide on Enforcement Policy

Once you’ve monitored your emails and confirmed SPF and DKIM are working, update p= to quarantine or reject to enforce stricter protection.

Step 4: Consider Subdomain Policies

If your domain has subdomains sending email (like marketing.yourdomain.com), decide if they should follow the same DMARC policy or a separate sp= rule.

Step 5: Set the Percentage (Optional)

Use pct= to roll out your policy gradually if needed, especially for larger organizations.

Example of a Complete DMARC Record

v=DMARC1; p=quarantine; rua=mailto:reports@yourdomain.com; ruf=mailto:failures@yourdomain.com; fo=1; sp=quarantine; pct=100

  • Monitors all emails, quarantines failures, and reports activity.
  • Later, you can switch p=quarantine to p=reject for full protection.

Notes and Best Practices

  • Start with monitoring first: Don’t block emails until you know SPF and DKIM are working.
  • Check SPF and DKIM first: DMARC relies on them to verify your emails.
  • Monitor reports regularly: Adjust your policy based on actual email activity.
  • Handle multiple email providers carefully: If you send email from more than one platform, make sure SPF and DKIM are set up correctly for each before enforcing DMARC.

Need Help With DMARC?

DMARC can seem tricky at first, but it’s a major step in protecting your emails and your brand. If you’re unsure how to write your record, add it to DNS, or interpret reports, reach out to us at BetaByte Online. We’ll guide you through the process and make sure your email setup is secure so you can focus on running your business — without worrying about spam or phishing attacks.

Related Posts