DMARC record examples: What a DMARC record looks like

Explore DMARC record examples from basic to advanced. Learn how to read, create, and optimize your DMARC records for better email authentication.
dmarc record example

Ever stared at a DMARC record and felt like you were trying to decipher a foreign language? You’re not alone. DMARC (Domain-based Message Authentication, Reporting, and Conformance) is non-negotiable for email security, but those strings of characters can look pretty intimidating to the untrained eye.

But don’t worry—we’re here to be your DMARC record decoder. In this article, we’re going to walk you through a variety of DMARC record examples, breaking them down piece by piece. Whether you’re looking to set up your first DMARC record or fine-tune an existing one, these examples will give you the know-how and insights you need.

Here’s what we’ll cover:

  • A quick refresher on what DMARC records are 
  • The anatomy of a DMARC record—what all those letters and symbols mean
  • Real-world examples of DMARC records, from basic to advanced
  • How to interpret different DMARC record examples
  • Common mistakes to avoid when creating your own DMARC record

What is a DMARC record?

Before we dive into the nitty-gritty of DMARC record examples, let’s quickly recap what a DMARC record actually is. Think of it as a set of instructions you leave for mailbox providers about how to handle emails that claim to be from your domain.

A DMARC record is a specific type of DNS TXT record that lives in your domain’s DNS. It’s a tiny text file that contains a series of tags and values. Each tag-value pair gives email receivers specific instructions on how to treat messages from your domain.

Here’s what a basic DMARC record example looks like:

v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com

Don’t worry if this looks like gibberish right now—we’ll break it down soon. But for now, notice how it’s just a string of text with some semicolons and equal signs.

Where do these records live? In your domain’s DNS, usually as a subdomain starting with _dmarc. So if your domain is example.com, your DMARC record would typically be published at _dmarc.example.com.

When an email server receives a message claiming to be from your domain, it looks up this record and follows the instructions within. The beauty of DMARC records is their flexibility. You can start with a basic record that just monitors your email traffic, then gradually tighten the screws on potential fraudsters as you get more comfortable with the system.

Anatomy of a DMARC record

Now that we know what a DMARC record is, let’s dissect it to see what’s going on. Here’s a more comprehensive DMARC record example to work with:

v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; ruf=mailto:forensic@example.com; pct=100; adkim=s; aspf=s

Let’s break this example down piece by piece:

  1. Tag-Value Pairs: Each DMARC record consists of tag-value pairs separated by semicolons. In our example, v=DMARC1 is one pair, p=reject is another, and so on.
  2. Tags: The part before the equals sign is the tag. It’s a label telling us what this piece of the record is about. For example, p stands for policy, rua for aggregate report URI.
  3. Values: After the equals sign comes the value. This is the actual instruction or data for that tag. For instance, in p=reject, the value “reject” tells receivers to reject emails that fail DMARC checks.

Some key tags you’ll see in most DMARC records:

  • v: Version (always DMARC1 for now)
  • p: Policy (none, quarantine, or reject)
  • rua: Aggregate report URI (where to send reports)
  • ruf: Forensic report URI (where to send failure reports)
  • pct: Percentage of messages subject to filtering
  • adkim and aspf: Alignment mode for DKIM and SPF

Remember, not all tags are mandatory. In fact, you can have a valid DMARC record with just two tags:

v=DMARC1; p=none

This bare-bones DMARC record example says, “I’m using DMARC version 1, and I want you to take no action on messages that fail; just report back to me.”

Essential DMARC record tags

Now that we’ve got a handle on the basic structure of a DMARC record, let’s zoom in on the must-have tags. These are the workhorses of your DMARC record – the ones you’ll see in almost every example and will definitely want to include in your own.

v (Version)

This one’s simple but essential. It tells receivers which version of DMARC you’re using. For now, there’s only one version, so this will always look like this:

v=DMARC1

p (Policy)

The “p” tag sets your domain’s core policy, telling receivers what to do with emails that fail DMARC checks. You’ve got three options:

  1. p=none: “Just monitor and report back to me.” Example: v=DMARC1; p=none
  2. p=quarantine: “Put suspicious emails in the spam folder.” Example: v=DMARC1; p=quarantine
  3. p=reject: “Don’t accept suspicious emails at all.” Example: v=DMARC1; p=reject
dmarc policy race

rua (Aggregate report URI)

This tag tells receivers where to send aggregate reports. These reports give you a bird’s-eye view of all emails using your domain (both legitimate and suspicious).

v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com

And you can specify multiple email addresses by separating them with commas:

rua=mailto:reports@example.com,mailto:reports@thirdparty.com

ruf (Forensic report URI)

Similar to “rua”, but for forensic reports. These give you detailed information about specific messages that failed DMARC checks.

v=DMARC1; p=quarantine; rua=mailto:reports@example.com; ruf=mailto:forensic@example.com

Remember, while “v” and “p” are mandatory, “rua” and “ruf” are optional (but highly recommended). Without them, you’re telling receivers what to do, but you’re not asking for any feedback. That’s like setting up a security camera but never checking the footage.

Common DMARC record examples

These examples will show you how DMARC records change to meet different needs and security levels.

1. Monitoring policy example

v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com

It tells receivers: “Don’t take any action on suspicious emails, but please send me reports so I can see what’s going on.” It’s perfect for when you’re just starting with DMARC and want to understand your email ecosystem without disrupting any legitimate email flows.

2. Quarantine policy example

v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc-reports@example.com; ruf=mailto:forensic@example.com

This record says: “Put half of the suspicious emails in the spam folder, and send me both aggregate and forensic reports.” The pct=50 tag applies the policy to only 50% of messages, allowing for a gradual rollout. It’s a good next step after monitoring, as it starts to protect your domain without going full throttle.

3. Reject policy example

v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; ruf=mailto:forensic@example.com

It tells receivers to reject any email that fails DMARC checks. Use this when you’re confident in your email authentication setup and want maximum protection against spoofing.

4. Subdomain policy example

v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc-reports@example.com

This record introduces the sp tag, which sets a separate policy for subdomains. Here, it’s saying, “Reject suspicious emails from my main domain, but just quarantine those from subdomains.” It’s useful when you have different security needs for your main domain and subdomains.

5. Multiple reporting addresses example

v=DMARC1; p=quarantine; rua=mailto:reports@example.com,mailto:thirdparty@analyzer.com; ruf=mailto:forensic@example.com

This example shows how to send aggregate reports to multiple addresses, including a third-party analyzer. It’s great when you want your internal team and an external service to receive reports.

6. DKIM and SPF alignment example

v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc-reports@example.com

This record uses adkim=s and aspf=s to require strict alignment for DKIM and SPF. This means the domain used in DKIM and SPF must match the From: header exactly. It’s a more stringent approach that can be useful for domains at high risk of spoofing.

Advanced DMARC record tags and examples

Let’s look at some examples of advanced DMARC tags and see how they give you more granular control over your email authentication.

7. Percentage example

v=DMARC1; p=reject; pct=25; rua=mailto:dmarc@example.com

The pct tag lets you apply your policy to only a percentage of your email. This record says, “Reject 25% of emails that fail DMARC, and just monitor the rest.” It’s a great way to gradually roll out a stricter policy.

8. Report Interval example

v=DMARC1; p=reject; rua=mailto:dmarc@example.com; ri=86400

The ri tag sets the desired interval between aggregate reports in seconds. This requests daily aggregate reports (86400 seconds = 24 hours).

9. Failure reporting options example

v=DMARC1; p=reject; rua=mailto:dmarc@example.com; ruf=mailto:forensic@example.com; fo=1

The fo tag specifies which failed emails should generate forensic reports.

Options:

  • 0: Generate a report if all mechanisms fail (default)
  • 1: Generate a report if any mechanisms fail
  • d: Generate a report if DKIM fails
  • s: Generate a report if SPF fails

This record requests forensic reports for any authentication failure.

Get your DMARC records right with Valimail

These DMARC record examples gave you a good taste of what this authentication protocol looks like in action, but let’s face it—implementing DMARC can still be a complex, time-consuming process. 

Fortunately, Valimail can help. Here’s how:

  • Expertise: We’ve been in the email authentication game since 2015. We don’t just understand DMARC—we helped shape it.
  • Automation: Our platform takes the guesswork out of DMARC. We’ll help you create, implement, and maintain the perfect DMARC record for your needs.
  • Monitoring and Reporting: We provide clear, actionable insights from your DMARC reports. No more sifting through complex XML files—we’ll show you exactly what’s happening with your email ecosystem.
  • Gradual Implementation: We’ll guide you through a step-by-step process, from monitoring to full enforcement, to guarantee you don’t disrupt legitimate email flows.
  • Ongoing Support: Email threats evolve, and so should your defenses. We’ll help you keep your DMARC implementation up-to-date.

With Valimail, you can implement DMARC with confidence. Get started today by signing up for Valimail Monitor for free

Get started for free
with Monitor

Start your path to DMARC enforcement with a panoramic view of the traffic being sent on your behalf.
No trial offers, credit cards, or obligations.

Explore all Valimail
has to offer

Go one step further than visibility…Take action! Reach DMARC enforcement faster. Stay compliant with evolving sender requirements. All while protecting your brand.

[UPCOMING WEBINAR] Microsoft and Valimail Share DMARC Insights LIVE on 02/19 — Register HERE.