What are the key elements of DMARC syntax?

What are the key elements of DMARC syntax and how do you implement them correctly?
DMARC (Domain‑based Message Authentication, Reporting, and Conformance) is the protocol that protects your brand from email impersonation. The real power – and the biggest source of confusion – lies in the DMARC record’s syntax. Get the syntax right and you’ll have a solid line of defense; get it wrong and attackers can slip through.
The basics of DMARC syntax
A DMARC record lives as a TXT entry in your DNS under the name _dmarc.yourdomain.com. It’s a semi‑colon‑separated list of tag‑value pairs. The record always starts with v=DMARC1 and then includes tags such as p, rua, sp, pct, and many more.
v=DMARC1; p=reject; rua=mailto:dmarc-reports@yourdomain.com
Each tag tells receiving mail servers how to treat messages that claim to be from your domain and where to send reports.
Tag‑by‑tag breakdown
- v= – Version tag. Must be
DMARC1. - p= – Policy tag. Options:
none(monitor only),quarantine(send to spam),reject(reject outright). - sp= – Subdomain policy. Inherits
pif omitted. - pct= – Percentage of mail to which the policy applies (0‑100).
- rua= – Aggregate report URI (usually
mailto:). - ruf= – Forensic report URI.
- adkim= – DKIM alignment mode (
rrelaxed,sstrict). - aspf= – SPF alignment mode (
rrelaxed,sstrict). - fo= – Failure reporting options (0,1,d,s).
- ri= – Reporting interval in seconds (default 86400).
- rf= – Reporting format (default
afrf).
Common DMARC record examples
Basic monitoring record – start with no enforcement:
v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com
Enforcement record – reject all failing mail:
v=DMARC1; p=reject; rua=mailto:dmarc-reports@yourdomain.com
Full‑featured record – strict alignment, subdomain policy, daily reports:
v=DMARC1; p=quarantine; sp=reject; adkim=s; aspf=s; pct=100; rua=mailto:dmarc-reports@yourdomain.com; ruf=mailto:forensic@yourdomain.com; fo=1; ri=86400
How to validate your DMARC syntax
Even seasoned engineers make typos. Use a DMARC syntax checker to catch errors before they affect delivery. Our free tool not only validates the record but also gives you a full security score and highlights SPF/DKIM alignment issues. 👉 https://www.palisade.email/tools/email-security-score
Quick Takeaways
- Every DMARC record must start with
v=DMARC1. - Use
p=noneto monitor before moving toquarantineorreject. - Include
rua=mailto:…to receive aggregate reports. - Set
spif you have subdomains that also send mail. - Align DKIM and SPF with
adkim=sandaspf=sfor stricter security. - Gradually roll out enforcement with the
pcttag. - Validate your record regularly with a DMARC checker.
FAQs
- How do I create a DMARC record for a multi‑domain environment? Use a single
_dmarcTXT entry per domain and consider a wildcard subdomain policy (sp=reject) to protect all sub‑domains. - What is the difference between
p=quarantineandp=reject?quarantinesends suspicious mail to the recipient’s spam folder, whilerejecttells the receiver to bounce the message outright. - Can I test DMARC enforcement on only a portion of my traffic? Yes, set
pct=10to apply the policy to 10 % of messages, then increase the percentage as you gain confidence. - Do I need both
ruaandruftags?ruaprovides aggregate daily reports;rufgives forensic details for individual failures. Start withruaand addrufonce you need deeper insight. - How often should I review my DMARC record? Review monthly during the monitoring phase, then quarterly once you’re in enforcement mode.