Reference

DMARC Record Syntax:
All Tags at a Glance

A DMARC record consists of tag-value pairs separated by semicolons. Two tags are mandatory, all others optional. This page explains every tag according to RFC 9989 (DMARCbis) – the current DMARC standard that has replaced RFC 7489.

v=DMARC1; p=quarantine; rua=mailto:reports@example.com; adkim=r; aspf=r
Mandatory tagsRecommendedOptional

Tags

v Versionp Policysp Subpolicynp Non-exist.t Testingrua RUAruf RUFadkim DKIMaspf SPFfo Forensicpsd PSDpct ⚠ deprecatedri ⚠ deprecatedrf ⚠ deprecated
vVersionMandatory
Must appear first in the recordOnly valid value: DMARC1

The version tag identifies the DNS TXT entry as a DMARC record. Without this tag, receiving mail servers do not recognize the entry as DMARC and ignore it entirely.

Examplev=DMARC1
pPolicyMandatory
Must appear second in the recordDetermines what happens to non-authenticated emails

The most important tag in the DMARC record. It defines what receiving mail servers should do when an email fails the DMARC check – i.e. is not correctly aligned via either SPF or DKIM.

ValueBehavior
noneEmails are delivered normally, regardless of the DMARC result. Provides no spoofing protection. ⚠ For the monitoring phase only
quarantineNon-authenticated emails are moved to the spam folder.
rejectNon-authenticated emails are rejected entirely and never arrive. Maximum protection.
Examplep=quarantine
spSubdomain Policy (Subpolicy)Optional
Without sp , the main policy p also applies to subdomainsAllows subdomains to be treated more strictly or more leniently

Defines what should happen to emails from subdomains that have no DMARC record of their own. Useful when subdomains are used by third-party providers that are not yet fully configured.

ValueBehavior
noneNo action for subdomain emails that fail the check.
quarantineNon-authenticated subdomain emails land in spam.
rejectNon-authenticated subdomain emails are rejected.
Examplesp=reject
npNon-existent Subdomain PolicyOptionalNew · RFC 9989
New in RFC 9989 (DMARCbis) – complements sp for non-existent subdomainsWithout np: spapplies first, otherwise p
New in RFC 9989: The nptag addresses an abuse vector that RFC 7489 did not cover: emails from subdomains that do not exist at all (e.g. xyz123.example.com). Such domains are frequently used for phishing, since a missing DNS entry does not trigger a DMARC check. np closes this gap.

Defines the policy for emails from subdomains that have no DNS entry. The difference to sp: sp applies to existing subdomains without their own DMARC record, np applies to non-existent subdomains (NXDOMAIN). For maximum protection, np=reject.

ValueBehavior
noneNo action for emails from non-existent subdomains.
quarantineEmails from non-existent subdomains land in spam.
rejectEmails from non-existent subdomains are rejected. Recommended.
Examplenp=reject
tTesting ModeOptionalNew · RFC 9989
New in RFC 9989 – replaces the deprecated pcttagDefault: no testing mode (policy is fully applied)
New in RFC 9989: The ttag is the clean replacement for pct. Instead of a percentage, there is now only a binary flag: either the policy is active (t=n, default behavior) or the record is explicitly in testing mode (t=y) – in which case emails are delivered but reports are still sent.

Allows a DMARC record to be activated without the policy being enforced immediately. In testing mode, all emails are delivered normally – regardless of the configured policy. Reports still come in, however, so the configuration can be observed before enforcement is activated.

ValueBehavior
yTesting active: Policy is not enforced. Emails are delivered normally, reports are still sent. Equivalent to the old pct=0.
nTesting inactive (default behavior): Policy is fully enforced.
Examplet=y
ruaAggregate Reports (Reporting URI)Optional
Without rua you receive no DMARC reportsMultiple addresses separated by commas, maximum of 2 recommendedOnly mailto:URIs are guaranteed to be processed

Mailbox providers send daily aggregate reports in XML format to the specified address. These contain statistical data: IP addresses of sending servers, volume, SPF and DKIM results. Without an RUA address, you are blind to the email traffic under your domain.

External domain: If the RUA address belongs to a different domain than your DMARC record, that external domain must explicitly allow receipt – via the DNS entry yourdomain.com._report._dmarc.externaldomain.com with the value v=DMARC1.
Examplerua=mailto:dmarc@example.com
rufForensic Reports (Failure Reports)Optional
Reports arrive per failed email – not aggregated dailyMany mailbox providers no longer send RUF reports for privacy reasonsOnly mailto:URIs; external-domain rule as with RUA

Forensic reports contain details about the individual email that failed the DMARC check – partly including headers and subject. Since these reports may contain personal data, many large mailbox providers have stopped sending them. In practice, RUF reports rarely arrive today.

Exampleruf=mailto:forensic@example.com
adkimDKIM Alignment ModeOptional
Default: r (relaxed)Determines how strictly the DKIM signature domain must match the From-header domain

DKIM alignment checks whether the domain of the DKIM signature matches the domain in the From header. In relaxedmode it is sufficient for both to belong to the same organizational domain (subdomains allowed). In strictmode they must match exactly.

ValueBehavior
rRelaxed: DKIM signature domain and From domain must belong to the same organizational domain. Subdomains are allowed (e.g. mail.example.com for example.com).
sStrict: DKIM signature domain and From domain must be exactly identical. Subdomains are not allowed.
Exampleadkim=r
aspfSPF Alignment ModeOptional
Default: r (relaxed)Determines how strictly the SPF domain must match the From-header domain

SPF alignment checks whether the domain that SPF authenticated (Return-Path / MAIL FROM) matches the From-header domain. In relaxedmode the same organizational domain is sufficient. In strictmode it must match exactly. Forwarding can break the SPF check – DKIM is more stable in this respect.

RFC 9989: For SPF alignment, DMARC evaluates exclusively the MAIL FROMpath. The previously possible fallback to HELO/EHLO is explicitly no longer provided for in DMARCbis.
ValueBehavior
rRelaxed: SPF-authenticated domain and From domain must belong to the same organizational domain. Subdomains allowed.
sStrict: SPF-authenticated domain and From domain must be exactly identical. No subdomains.
Exampleaspf=s
psdPublic Suffix DomainOptionalNew · RFC 9989
New in RFC 9989 – relevant only for registries and public suffix domainsNot required for normal corporate domains
New in RFC 9989: Replaces the dependency on the Public Suffix List (PSL). Instead of an externally maintained list, DMARC now determines the organizational domain via DNS Tree Walk. The psdtag allows registries (e.g. operators of .co.uk, .com.br) to explicitly declare their DMARC record as a public suffix domain.

Declares a domain as a public suffix domain. This makes it possible to set a DMARC policy even at the level of top-level domains or country-code domains. For standard corporate domains (e.g. example.com), this tag is not relevant.

ValueBehavior
yThis domain is a public suffix domain. DMARC treats it accordingly.
nThis domain is not a public suffix domain (default behavior).
Examplepsd=y
pctCoverageDeprecated · RFC 9989
Removed in RFC 9989 (DMARCbis): The pcttag has been dropped from the standard. Its purpose (controlled rollout without full enforcement) is taken over by the new t=ytag. In existing records, pct is ignored by RFC-9989-compliant recipients.
Was: value 1–100; percentage of emails the policy is applied toReplacement: t=y for testing mode

Previously allowed the DMARC policy to be activated gradually. A value of 50 meant: the policy was applied to only half of the affected emails. In practice this was imprecise and frequently misused. RFC 9989 removed this tag in favor of the clearer ttag.

Oldpct=100→ today: t=n (default) or omit
foForensic OptionsOptional
Default: 0Multiple options separated by colons (:)Only effective if a ruftag is defined

Determines under which conditions forensic reports are generated. Since many mailbox providers no longer send RUF reports, this tag has little significance in practice.

ValueCondition
0Failure report when both DKIM and SPF fail to return pass .
1Failure report when DKIM or SPF fails to return pass .
dDKIM failure report, regardless of the alignment result.
sSPF failure report, regardless of the alignment result.
Examplefo=1:d
riAggregate IntervalDeprecated · RFC 9989
Removed in RFC 9989 (DMARCbis): The ritag was removed because it was ineffective in practice – no mailbox provider delivered an interval other than 24 hours. The reporting interval is therefore no longer configurable.

Previously specified the desired reporting interval for aggregate reports in seconds. In practice, all mailbox providers sent once a day as a rule, regardless of the configured value. RFC 9989 therefore simply removed the tag.

Oldri=86400
rfForensic Report FormatDeprecated · RFC 9989
Removed in RFC 9989 (DMARCbis): The rftag was removed because afrf was the only format ever implemented and there was no real choice. RFC 9989 anchored the format firmly in the associated RFC 9991 (Failure Reporting).

Previously defined the format for forensic reports. Since only afrf (Authentication Failure Reporting Format) was ever implemented, the tag was meaningless. RFC 9989 removed it from the standard accordingly.

Oldrf=afrf

Want to know whether your current DMARC record is configured correctly? The Analyser checks syntax, policy and alignment directly in the browser.

DMARC Record Analyser   Record Generator