
DNS Record Explainer

Paste any DNS record and get a plain-English breakdown — every tag explained, risky settings flagged, related tools suggested. No domain needed.

paste_record
// detects SPF / DKIM / DMARC / BIMI / CAA / MX / MTA-STS / TLS-RPT / generic TXT. Paste the record value — no quotes needed.
[ OK ] Detected: DMARC
input
v=DMARC1; p=none; rua=mailto:[email protected]
[ explanation · ai ]
[ breakdown ]

v=DMARC1 — version tag. Always "DMARC1". Required.

p=none — policy directive. Tells receivers what to do with mail that fails DMARC checks (SPF + DKIM alignment). "none" means monitor only: don't reject or quarantine. The receiver still processes the message normally and sends aggregate reports to your rua address.

rua=mailto:[email protected] — reporting URI for aggregate reports. Receivers send you XML summaries daily/weekly showing pass/fail stats, sender IPs, volume per domain. Critical for visibility. The address must be reachable and you must confirm ownership (most DMARC implementations auto-send confirmation requests).
[ flags ]

Policy is "none" — you're in monitoring mode. No enforcement yet. Once you've reviewed reports and confirmed SPF/DKIM are working correctly, graduate to p=quarantine or p=reject to actually block failing mail.

No ruf tag — you're not receiving forensic reports (detailed info on individual failing messages). Optional but useful during initial rollout; add ruf=mailto:[email protected] if you want granular failure details.

No aspf/adkim tags — both default to "r" (relaxed alignment), which is permissive. Worth keeping unless you have strict requirements. Strict alignment (aspf=s/adkim=s) means SPF/DKIM must pass on the exact domain, not subdomains.

No subdomain policy (sp tag) — subdomains of example.com inherit the p=none policy. Consider sp=quarantine or sp=reject if you don't control all subdomains.
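
The checks behind the flags above can be sketched as a small parser. This is an added example, not this tool's own code; the function names and the sample address reports@example.com are assumptions, and it also flags a missing rua tag, which the record above does not trigger.

```python
# Added example (not the tool's code). Names and the sample record are constructed.
POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(record):
    """Split a DMARC TXT value into an ordered {tag: value} dict."""
    tags = {}
    for part in record.strip().strip('"').split(";"):
        part = part.strip()
        if not part:
            continue  # a trailing semicolon is allowed
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        name, value = part.split("=", 1)
        tags[name.strip().lower()] = value.strip()
    # v=DMARC1 must be the first tag, and a valid p= policy must be present.
    if next(iter(tags), None) != "v" or tags["v"] != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    if tags.get("p", "").lower() not in POLICIES:
        raise ValueError("missing or invalid p= policy")
    return tags


def flag_dmarc(tags):
    """Return the flags discussed above for a parsed record."""
    flags = []
    policy = tags["p"].lower()
    if policy == "none":
        flags.append("p=none: monitoring only, no enforcement")
    if "rua" not in tags:
        flags.append("no rua: no aggregate reports")
    if "ruf" not in tags:
        flags.append("no ruf: no forensic reports")
    for tag in ("aspf", "adkim"):
        if tag not in tags:
            flags.append(f"no {tag}: defaults to r (relaxed alignment)")
    if "sp" not in tags:
        flags.append(f"no sp: subdomains inherit p={policy}")
    return flags


if __name__ == "__main__":
    sample = "v=DMARC1; p=none; rua=mailto:reports@example.com"  # constructed
    for flag in flag_dmarc(parse_dmarc(sample)):
        print("[flag]", flag)
```
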
[ context ]

DMARC sits on top of SPF and DKIM. It verifies that mail claiming to be from example.com actually passed authentication checks and came from servers you authorize. Without it, attackers spoof your domain easily. This record does nothing if SPF and DKIM aren't already published and aligned. Deploy it at DNS name _dmarc.example.com (or _dmarc.subdomain.example.com for specific subdomains).
[ related ]
→ /tools/dmarc-checker run the live checker on a real domain
→ /blog/dmarc-policies-explained
// AI explainer uses Claude Haiku 4.5. Same record pasted twice = served from 7-day cache. Never leaves our servers — no analytics/telemetry on paste content.