What are the key elements of DMARC syntax and how do you implement them correctly?

Published on
September 25, 2025

DMARC (Domain‑based Message Authentication, Reporting, and Conformance) is the protocol that protects your brand from email impersonation. The real power – and the biggest source of confusion – lies in the DMARC record’s syntax. Get the syntax right and you’ll have a solid line of defense; get it wrong and attackers can slip through.

The basics of DMARC syntax

A DMARC record lives as a TXT entry in your DNS under the name _dmarc.yourdomain.com. It’s a semicolon‑separated list of tag‑value pairs. The record always starts with v=DMARC1 and then includes tags such as p, rua, sp, pct, and the others listed in the breakdown below.

v=DMARC1; p=reject; rua=mailto:dmarc-reports@yourdomain.com

Each tag tells receiving mail servers how to treat messages that claim to be from your domain and where to send reports.

Tag‑by‑tag breakdown

  • v= – Version tag. Must be DMARC1.
  • p= – Policy tag. Options: none (monitor only), quarantine (send to spam), reject (reject outright).
  • sp= – Subdomain policy. Inherits p if omitted.
  • pct= – Percentage of mail to which the policy applies (0‑100).
  • rua= – Aggregate report URI (usually mailto:).
  • ruf= – Forensic report URI.
  • adkim= – DKIM alignment mode (r relaxed, s strict).
  • aspf= – SPF alignment mode (r relaxed, s strict).
  • fo= – Failure reporting options (0,1,d,s).
  • ri= – Reporting interval in seconds (default 86400).
  • rf= – Reporting format (default afrf).

Common DMARC record examples

Basic monitoring record – start with no enforcement:

v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com

Enforcement record – reject all failing mail:

v=DMARC1; p=reject; rua=mailto:dmarc-reports@yourdomain.com

Full‑featured record – strict alignment, subdomain policy, daily reports:

v=DMARC1; p=quarantine; sp=reject; adkim=s; aspf=s; pct=100; rua=mailto:dmarc-reports@yourdomain.com; ruf=mailto:forensic@yourdomain.com; fo=1; ri=86400

How to validate your DMARC syntax

Even seasoned engineers make typos. Use a DMARC syntax checker to catch errors before they affect delivery. Our free tool not only validates the record but also gives you a full security score and highlights SPF/DKIM alignment issues. 👉 https://www.palisade.email/tools/email-security-score
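
A small offline checker for the tags and values listed in the tag‑by‑tag breakdown, shown here as an added example (it is not Palisade's tool and not code from the original article). The names parse_dmarc and validate_dmarc are hypothetical, and this example accepts only mailto: report URIs.

```python
import re

# Allowed values per tag, taken from the tag-by-tag breakdown.
POLICIES = {"none", "quarantine", "reject"}
ENUMS = {"p": POLICIES, "sp": POLICIES, "adkim": {"r", "s"}, "aspf": {"r", "s"}}
KNOWN_TAGS = {"v", "p", "sp", "pct", "rua", "ruf", "adkim", "aspf", "fo", "ri", "rf"}
# Assumption of this example: only mailto: report URIs are accepted.
MAILTO = re.compile(r"mailto:[^@\s]+@[^@\s]+", re.I)

def parse_dmarc(record):
    """Split a DMARC TXT value into ordered (tag, value) pairs."""
    pairs = []
    for part in record.split(";"):
        if part.strip():  # tolerate a trailing semicolon
            tag, sep, value = part.partition("=")
            pairs.append((tag.strip().lower(), value.strip() if sep else None))
    return pairs

def validate_dmarc(record):
    """Return a list of problems; an empty list means the record passed."""
    pairs, problems, seen = parse_dmarc(record), [], {}
    if not pairs or pairs[0] != ("v", "DMARC1"):
        problems.append("record must start with v=DMARC1")
    for tag, value in pairs:
        if value is None:
            problems.append(f"'{tag}' is not a tag=value pair")
        elif tag in seen:
            problems.append(f"duplicate tag '{tag}'")
        elif tag not in KNOWN_TAGS:
            problems.append(f"unknown tag '{tag}' (possible typo)")
        else:
            seen[tag] = value
    if "p" not in seen:
        problems.append("missing p= policy tag")
    for tag, allowed in ENUMS.items():
        if tag in seen and seen[tag].lower() not in allowed:
            problems.append(f"{tag}= must be one of: {', '.join(sorted(allowed))}")
    pct = seen.get("pct")
    if pct is not None and not (re.fullmatch(r"[0-9]{1,3}", pct) and int(pct) <= 100):
        problems.append("pct= must be an integer from 0 to 100")
    if "ri" in seen and not re.fullmatch(r"[0-9]+", seen["ri"]):
        problems.append("ri= must be a number of seconds")
    if "fo" in seen and not set(seen["fo"].lower().split(":")) <= {"0", "1", "d", "s"}:
        problems.append("fo= must be colon-separated values from 0, 1, d, s")
    for tag in ("rua", "ruf"):
        for uri in seen[tag].split(",") if tag in seen else []:
            if not MAILTO.fullmatch(uri.strip()):
                problems.append(f"{tag}= entry '{uri.strip()}' is not a mailto: URI")
    return problems
```

A forgotten semicolon, as in "p=reject rua=mailto:…", surfaces as an invalid p= value because the rest of the record is read as part of the policy.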

Quick Takeaways

  • Every DMARC record must start with v=DMARC1.
  • Use p=none to monitor before moving to quarantine or reject.
  • Include rua=mailto:… to receive aggregate reports.
  • Set sp if you have subdomains that also send mail.
  • Align DKIM and SPF with adkim=s and aspf=s for stricter security.
  • Gradually roll out enforcement with the pct tag.
  • Validate your record regularly with a DMARC checker.

FAQs

  1. How do I create a DMARC record for a multi‑domain environment? Use a single _dmarc TXT entry per domain and consider a wildcard subdomain policy (sp=reject) to protect all sub‑domains.
  2. What is the difference between p=quarantine and p=reject? quarantine sends suspicious mail to the recipient’s spam folder, while reject tells the receiver to bounce the message outright.
  3. Can I test DMARC enforcement on only a portion of my traffic? Yes, set pct=10 to apply the policy to 10% of messages, then increase the percentage as you gain confidence.
  4. Do I need both rua and ruf tags? rua provides aggregate daily reports; ruf gives forensic details for individual failures. Start with rua and add ruf once you need deeper insight.
  5. How often should I review my DMARC record? Review monthly during the monitoring phase, then quarterly once you’re in enforcement mode.

Ready to get a complete picture of your email security? Explore Palisade’s blog for deeper email authentication guides.

Author
Samuel Chenard - Founder & CEO