How to Create and Publish a DMARC Record (2026 Step-by-Step Guide)

Key Takeaways

  • A DMARC record is a DNS TXT record published at _dmarc.yourdomain.com. It tells mail servers what to do with emails that fail SPF or DKIM checks.
  • You need SPF or DKIM set up before enforcing DMARC. Monitoring with p=none is fine without them, but quarantine or reject won’t work until at least one passes.
  • To publish a DMARC record, add a TXT record named _dmarc at your DNS provider. Propagation can take up to 48 hours – verify the record is live using a DMARC checker or dig/nslookup.
  • Most DMARC errors come down to a few simple mistakes: missing semicolons, wrong record type, publishing at the root domain instead of _dmarc.yourdomain.com, or having two records when you should only have one.
  • Gmail, Yahoo, and Microsoft require DMARC enforcement for bulk senders. If you handle card payments, PCI DSS v4.0 makes anti-phishing controls mandatory too.

A DMARC record is a DNS TXT record that tells receiving mail servers how to handle emails that fail authentication checks. This guide walks you through creating your DMARC record, publishing it to your domain’s DNS, verifying it works, and understanding the 2026 standard (RFC 9989) that now governs the protocol.

Whether you’re setting up email authentication for the first time or updating your record to meet 2025/2026 compliance requirements, you can generate and publish a working DMARC record in under 10 minutes. This guide is for IT professionals, domain administrators, MSPs, and compliance managers.

Note: DMARC was updated in May 2026 (RFC 9989). All record examples in this guide reflect the updated standard.

What Is a DMARC Record?

A DMARC record is a DNS TXT record published at _dmarc.yourdomain.com that instructs receiving mail servers how to handle emails claiming to be from your domain that fail authentication checks.

DMARC builds on two existing email authentication protocols:

  • SPF (Sender Policy Framework): Authorizes specific IPs to send email from your domain
  • DKIM (DomainKeys Identified Mail): Cryptographically signs email to prove it came from your domain

Without DMARC, there’s no policy telling receivers what to do when SPF or DKIM fails. They make their own decisions, often letting spoofed emails through.

How DMARC Fits Into Email Authentication

  1. SPF checks the sending IP: is the server that sent this email authorized by the domain’s SPF record?
  2. DKIM validates the signature by verifying whether the email’s digital signature matches the domain’s published DKIM key.
  3. DMARC decides the action if SPF and/or DKIM fails. Your DMARC policy (and alignment rules) tell the receiver to reject, quarantine, or allow the email.

Before You Publish a DMARC Record

DMARC enforcement requires at least one of SPF or DKIM to be published and aligned with your sending domain. You can publish a DMARC record with p=none (monitoring) without them, but enforcement (p=quarantine or p=reject) requires at least one of the two protocols to pass.

Quick checks:

Anatomy of a DMARC Record

A DMARC record is a string of tag-value pairs separated by semicolons. Only two tags are required; the rest are optional, though some are recommended.

Active Tags

| Tag | Purpose | Allowed values | Example | Requirement |
|-------|---------|----------------|---------|-------------|
| v | DMARC version | DMARC1 | v=DMARC1 | Required |
| p | DMARC policy | none, quarantine, reject | p=none | Required |
| sp | Subdomain policy | none, quarantine, reject | sp=reject | Optional |
| np | Policy for non-existent subdomains | none, quarantine, reject | np=reject | Optional |
| rua | Aggregate report mail | Valid email address | rua=mailto:[email protected] | Recommended |
| ruf | Failure report mail | Valid email address | ruf=mailto:[email protected] | Optional |
| psd | Public suffix domain flag | y (yes) / n (no) / u (unknown) | psd=y | Optional |
| t | Testing mode | y (yes) | t=y | Optional |
| adkim | DKIM alignment mode | r (relaxed) / s (strict) | adkim=r | Optional |
| aspf | SPF alignment mode | r (relaxed) / s (strict) | aspf=s | Optional |
| fo | Failure report options | 0, 1, d, s | fo=1 | Optional |

Note on psd=: This tag is primarily for Public Suffix Operators (PSOs) such as country-code registries or gTLD operators. Most ordinary domain owners should leave it out entirely. It is only relevant if your domain is itself a public suffix, like .gov.uk or .bank.

Note on ruf=: Major receivers (Google, Microsoft, Yahoo) no longer send failure reports.

Deprecated Tags

RFC 9989 deprecated or removed three tags that caused implementation inconsistencies:

| Tag | What it was | Why deprecated | Action |
|-----|-------------|----------------|--------|
| pct | Percentage of emails to apply policy | Implemented inconsistently across receivers, leading to unpredictable results | Remove from new records. Use t=y instead to signal test mode. |
| ri | Report format | Only one value (afrf) was ever used; redundant | Remove from existing records when editing. |
| rf | Report interval (in seconds) | Receivers ignored it in practice | Remove from existing records when editing. |

Note: If your existing records include these tags, they do no harm: receivers simply ignore them. Delete them the next time you edit your record to align with RFC 9989, and do not include them when publishing new records.

DMARC Policy Comparison

| Policy | Receiver action | Protection level | ESP bulk sender requirement | When to use |
|--------|-----------------|------------------|-----------------------------|-------------|
| none | Monitor only; no rejection | None | Acceptable | Initial deployment; monitoring traffic |
| quarantine | Send to spam/junk folder | Moderate | Meets requirements | Gradual enforcement |
| reject | Block and reject completely | High | Meets requirements | When confident enough to activate full enforcement |

DMARC Record Examples

All examples below follow RFC 9989: they omit the deprecated tags and include the new tags where applicable.

Example 1: Monitoring Mode (Start Here)

v=DMARC1; p=none; rua=mailto:[email protected]

Use case: First-time DMARC setup. No enforcement. Aggregate reports sent daily to track authentication results.

What each tag does:

  • v=DMARC1 Identifies this as a DMARC record
  • p=none Take no action; just monitor
  • rua=mailto:[email protected] Send daily aggregate reports to this email address

Example 2: Partial Enforcement (Transitional)

v=DMARC1; p=quarantine; sp=quarantine; np=reject; rua=mailto:[email protected]

Use case: Moving toward enforcement. Quarantine failing emails. Stricter policy for non-existent subdomains.

What’s new:

  • sp=quarantine Subdomains inherit quarantine policy
  • np=reject Non-existent subdomains are rejected (RFC 9989 protection)

Example 3: Full Enforcement

v=DMARC1; p=reject; sp=reject; np=reject; rua=mailto:[email protected]

Use case: Full production enforcement. Reject all failing emails. Domain doesn’t host mailing lists.

Example 4: Non-Sending / Parked Domain

v=DMARC1; p=reject; sp=reject; np=reject; adkim=s; aspf=s

Use case: Domain that doesn’t send email but needs protection from spoofing.

What’s different:

  • adkim=s; aspf=s Strict alignment (no relaxed mode needed)
  • No rua= Not monitoring reports (domain doesn’t send)
  • np=reject Even non-existent subdomains reject spoofed email

Even inactive domains should be protected, as attackers can spoof unused domains in phishing campaigns.

Example 5: Subdomain with Stricter Policy

Parent domain: v=DMARC1; p=quarantine; rua=mailto:[email protected]
Subdomain (marketing.yourdomain.com): v=DMARC1; p=reject; sp=reject; np=reject; rua=mailto:[email protected]

Use case: Parent domain allows quarantine (has forwarded mail). Marketing subdomain is a dedicated sender; enforce p=reject.

Example 6: Microsoft 365 / Google Workspace

v=DMARC1; p=reject; rua=mailto:[email protected]

Note: Neither Microsoft 365 nor Google Workspace requires a special DMARC syntax. The record is published in DNS like any other DMARC deployment. Before enforcement, verify the SPF and DKIM configuration for all sending sources.

For a detailed tutorial you can refer to our Microsoft 365 DMARC and Google Workspace DMARC setup guides.

How to Create a DMARC Record

Method 1: Using the PowerDMARC Free Generator

1. Go to DMARC Record Generator

2. Select your desired enforcement level (None / Monitoring, Quarantine, Reject)

3. Enter your domain and reporting email address

4. Enable subdomain policy and protect non-existent subdomains if you wish (Optional)

5. Click Generate

6. DMARC record created

Method 2: Create Manually

Open a text editor and write the record by hand:

v=DMARC1; p=none; rua=mailto:[email protected]

Start with p=none (monitoring). You’ll adjust the policy later once you understand your email traffic.

Required:

  • v=DMARC1 (always)
  • p= (your policy: none, quarantine, or reject)
  • rua= (your reporting email)

How to Publish a DMARC Record – Step-by-Step by DNS Provider

Your domain’s DNS is managed by your domain registrar (GoDaddy, Namecheap, etc.), web hosting provider (cPanel), or CDN (Cloudflare). Log in there and follow the steps for your provider below.

Generic Steps (if your provider is not listed):

1. Find the DNS management console

2. Click on the domain for which you want to configure DMARC

3. Create a new TXT record

4. Record name: _dmarc (or _dmarc.yourdomain.com if the form requires full hostname)

5. Record value: paste your DMARC record string

6. Save and wait for propagation (24-48 hours)

7. Use DMARC checker to verify

Publish DMARC Record on GoDaddy

1. Log in to your GoDaddy Domain Portfolio

2. Click DNS next to your domain

3. Scroll to DNS Records

4. Click Add New Record

5. Type: TXT

6. Name: _dmarc

7. Value: paste your DMARC record

8. Click Save

Publish DMARC Record on Cloudflare

1. Log in to your Cloudflare Dashboard

2. Select your domain

3. Go to DNS > Records

4. Click Add Record

5. Type: TXT

6. Name: _dmarc

7. Content: paste your DMARC record

8. TTL: Auto (or 3600)

9. Proxy status: DNS only (not proxied)

10. Click Save

Note: Set proxy status to “DNS only” (grey cloud), not orange. DMARC must be queried directly at DNS, not proxied through Cloudflare.

Publish DMARC Record on cPanel / WHM

1. Log in to your cPanel account

2. Go to Zone Editor (under Domains)

3. Click Manage next to your domain

4. Click + Add New Record

5. Type: TXT

6. Name: _dmarc.yourdomain.com

7. Value (TXT Data): paste your DMARC record

8. Click Add a Record

Publish DMARC Record on Namecheap

1. Log in to your Namecheap account

2. Go to Dashboard > Domain List

3. Click Manage next to your domain

4. Go to Advanced DNS

5. Click Add New Record

6. Type: TXT Record

7. Host: _dmarc

8. Value: paste your DMARC record

9. TTL: Automatic (3600)

10. Click the checkmark to save

Publish DMARC Record on Amazon Route 53

1. Log in to AWS Management Console > Route 53

2. Go to Hosted zones and select your domain

3. Click Create record

4. Record name: _dmarc

5. Record type: TXT

6. Value: paste your DMARC record wrapped in double quotes

  • Example: "v=DMARC1; p=none; rua=mailto:[email protected]"
  • Route 53 requires quotes; without them, the record won’t save

7. TTL: 300 (or 3600)

8. Click Create records

Note: Route 53 requires TXT record values to be wrapped in double quotes. Copy-paste your record as-is, then wrap it in “…”.

Publish DMARC Record on Microsoft 365 / Azure DNS

If your DNS is managed in Azure DNS:

1. Log in to Azure Portal > DNS Zones

2. Select your domain

3. Click + Record set

4. Name: _dmarc

5. Type: TXT

6. TTL: 3600

7. Value: paste your DMARC record

8. Click OK

If your DNS is at a registrar (GoDaddy, Namecheap, etc.):

  • Follow the registrar’s steps above

How Long Does a DMARC Record Take to Propagate?

DNS changes are controlled by a setting called TTL (Time To Live), which tells servers how long to cache a DNS record before checking for updates. Most DNS providers set TTL to 3600 seconds (1 hour) by default.

Typical timing:

  • For most locations, DNS propagates within 1–2 hours
  • Full global propagation can take up to 48 hours in rare cases
  • Don’t panic if your DMARC checker shows “no record” in the first hour; wait at least 30–60 minutes and try again

Check propagation globally: Use our DNS Propagation Checker to verify your record is live across multiple global DNS servers.

How to Verify Your DMARC Record Is Working

Method 1: PowerDMARC DMARC Checker Tool

1. Go to DMARC Record Checker

2. Enter your domain name

3. Click Check

4. Results show:

  • Valid: Record is correctly formatted and published
  • Invalid: Syntax error; review your record
  • No Record Found: Check DNS propagation or verify the record was saved in DNS

Method 2: Command Line (nslookup or dig)

On Windows (Command Prompt):

nslookup -type=TXT _dmarc.yourdomain.com

On Mac/Linux (Terminal):

dig TXT _dmarc.yourdomain.com

Successful output:

_dmarc.yourdomain.com. 3600 IN TXT "v=DMARC1; p=reject; sp=reject; np=reject; rua=mailto:[email protected]"

If you see no results, DNS hasn’t propagated yet or the record wasn’t saved correctly.

Method 3: Check the Email Header (Authentication-Results)

Send a test email and check the headers.

Steps:

1. Send yourself a test email from your domain (or ask someone at another company to send you email)

2. In Gmail:

  • Open the email
  • Click the three-dot menu (⋮) > Show original
  • Search for Authentication-Results

3. In Outlook:

  • Open the email
  • Click File > Properties > Internet Headers
  • Search for Authentication-Results

What to look for:

DMARC pass:

Authentication-Results: mx.google.com;
dmarc=pass (p=REJECT sp=REJECT np=REJECT dis=NONE) header.from=yourdomain.com

DMARC fail:

Authentication-Results: mx.google.com;
dmarc=fail (p=REJECT sp=REJECT) header.from=yourdomain.com reason="SPF not aligned"

What “pass” means: SPF or DKIM passed and aligned with the domain in the From header, so your DMARC policy did not need to be applied.

What “fail” means: SPF or DKIM failed or didn’t align. Check your SPF record and DKIM configuration.
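Reading these headers by eye does not scale once you are checking test messages from several sending sources. The following Python is an added example, not code from this guide or from PowerDMARC: it pulls the dmarc= clause out of an Authentication-Results header and returns the result, the published p/sp/np values, the disposition (dis=) and any reason as structured data. The two sample headers are constructed to match the pass and fail examples above; `needs_attention` is a helper name chosen for this example.

```python
import re
from typing import Optional

# Constructed sample headers in the shape of the two examples above.
SAMPLE_PASS = (
    "Authentication-Results: mx.google.com;\n"
    "       dmarc=pass (p=REJECT sp=REJECT np=REJECT dis=NONE) header.from=yourdomain.com"
)
SAMPLE_FAIL = (
    "Authentication-Results: mx.google.com;\n"
    "       dmarc=fail (p=REJECT sp=REJECT) header.from=yourdomain.com"
    ' reason="SPF not aligned"'
)

# dmarc=<result> followed by an optional parenthesised comment
_METHOD_RE = re.compile(r"\bdmarc=(?P<result>[a-z]+)\s*(?:\((?P<comment>[^)]*)\))?")
# key=value pairs; the value may be quoted (reason="SPF not aligned")
_KV_RE = re.compile(r'([A-Za-z][\w.]*)=(?:"([^"]*)"|(\S+))')


def _pairs(text: str) -> dict:
    """'p=REJECT dis=NONE' -> {'p': 'REJECT', 'dis': 'NONE'}."""
    return {key: (quoted or bare) for key, quoted, bare in _KV_RE.findall(text)}


def parse_dmarc_result(header: str) -> Optional[dict]:
    """Pull the dmarc= clause out of an Authentication-Results header.

    Returns None when the header reports no DMARC method at all.
    """
    # Unfold continuation lines and drop the field name if it is present.
    unfolded = " ".join(line.strip() for line in header.splitlines())
    if unfolded.lower().startswith("authentication-results:"):
        unfolded = unfolded.split(":", 1)[1]
    authserv_id, _, methods = unfolded.partition(";")
    match = _METHOD_RE.search(methods)
    if not match:
        return None
    # Properties of this method run up to the next ';' (the next method).
    props = _pairs(methods[match.end():].split(";", 1)[0])
    comment = {k.lower(): v.lower() for k, v in _pairs(match.group("comment") or "").items()}
    return {
        "authserv_id": authserv_id.strip(),       # which receiver evaluated it
        "result": match.group("result"),          # pass / fail / none / ...
        "disposition": comment.pop("dis", None),  # what the receiver actually did
        "policy": comment,                        # p / sp / np as published
        "header_from": (props.get("header.from") or "").lower() or None,
        "reason": props.get("reason"),
    }


def needs_attention(header: str) -> bool:
    """True when DMARC failed or the header carries no DMARC result at all."""
    parsed = parse_dmarc_result(header)
    return parsed is None or parsed["result"] != "pass"
```

A missing dmarc= clause is treated the same as a failure here, since a receiver that evaluated no DMARC result for a message from your domain is itself worth investigating.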

When to Expect Your First DMARC Report

Aggregate reports are sent within 24-72 hours of publishing your record.

What the report contains:

  • Daily summary of all email sent from your domain
  • Authentication results (SPF pass/fail, DKIM pass/fail, DMARC pass/fail)
  • Sending IP addresses and their volume
  • Source countries
  • Policy enforcement actions taken by receivers
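Aggregate reports arrive as XML in the format defined by RFC 7489 (the source-country information above is an enrichment added by reporting dashboards, not part of the report itself). As an added example, not code from this guide or from PowerDMARC, the Python below parses a constructed sample report (domain, IP addresses and report id are placeholders) and triages each source IP the way you would during the monitoring phase: aligned senders, third parties that authenticate under their own domain and still need SPF or DKIM for yours, and sources with no authentication at all.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample aggregate (rua) report in the RFC 7489 XML format.
# The domain, IP addresses and report id are placeholders.
SAMPLE_RUA = """<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>CONSTRUCTED-REPORT-1</report_id>
    <date_range><begin>1700000000</begin><end>1700086400</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>yourdomain.com</domain><adkim>r</adkim><aspf>r</aspf><p>none</p><sp>none</sp>
  </policy_published>
  <record>  <!-- your own mail server: authenticated and aligned -->
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results><dkim><domain>yourdomain.com</domain><result>pass</result></dkim>
      <spf><domain>yourdomain.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record>  <!-- a SaaS tool: authenticates, but with its own domain (not aligned) -->
    <row><source_ip>198.51.100.7</source_ip><count>35</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results><dkim><domain>saas-vendor.example</domain><result>pass</result></dkim>
      <spf><domain>bounce.saas-vendor.example</domain><result>pass</result></spf></auth_results>
  </record>
  <record>  <!-- unknown host with no authentication at all: likely spoofing -->
    <row><source_ip>203.0.113.99</source_ip><count>500</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results><spf><domain>203-0-113-99.bad.example</domain><result>none</result></spf></auth_results>
  </record>
</feedback>"""


def parse_aggregate_report(xml_text: str) -> dict:
    """Flatten a rua XML report into one dict per source-IP row."""
    root = ET.fromstring(xml_text)
    rows = []
    for rec in root.iter("record"):
        pe = rec.find("row/policy_evaluated")
        rows.append({
            "source_ip": rec.findtext("row/source_ip"),
            "count": int(rec.findtext("row/count")),
            "disposition": pe.findtext("disposition"),
            # policy_evaluated holds the aligned (DMARC-level) results ...
            "dkim_aligned": pe.findtext("dkim") == "pass",
            "spf_aligned": pe.findtext("spf") == "pass",
            # ... while auth_results holds the raw results and the domains they were for.
            "raw": [(e.tag, e.findtext("domain"), e.findtext("result"))
                    for e in rec.find("auth_results")],
        })
    return {
        "reporter": root.findtext("report_metadata/org_name"),
        "report_id": root.findtext("report_metadata/report_id"),
        "domain": root.findtext("policy_published/domain"),
        "policy": root.findtext("policy_published/p"),
        "rows": rows,
    }


def classify(row: dict) -> str:
    """Triage one source for the monitoring phase."""
    if row["dkim_aligned"] or row["spf_aligned"]:
        return "pass"            # legitimate and correctly configured
    if any(result == "pass" for _, _, result in row["raw"]):
        return "unaligned"       # authenticates for another domain: a third-party
                                 # sender that still needs SPF/DKIM for your domain
    return "unauthenticated"     # nothing passed: spoofing, or a forgotten server


def summarize(report: dict) -> dict:
    """Message counts per triage class, e.g. {'pass': 120, 'unaligned': 35, ...}."""
    totals = Counter()
    for row in report["rows"]:
        totals[classify(row)] += row["count"]
    return dict(totals)
```

The "unaligned" class is the one that blocks a move to p=quarantine: those sources deliver mail that authenticates, yet would be quarantined under enforcement until SPF or DKIM is configured for your domain.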

What Changed in RFC 9989 for DMARC Records

In May 2026, RFC 9989 replaced RFC 7489 as the official DMARC standard. Your existing record still works. Here are the key changes for new records:

Three New Tags Added:

  1. np= (non-existent subdomain policy): Add np=reject or np=quarantine to protect non-existent subdomains. Before RFC 9989, attackers could spoof random subdomains without DMARC records. Now you can set a policy for them at the parent domain level. Most domain owners should add this.
  2. t= (test mode flag): Use t=y to signal that your policy is in testing mode. Receivers treat p=reject; t=y as p=quarantine (one step less strict), allowing safe staged rollouts. Replaces the old pct= tag.
  3. psd= (public suffix domain flag): Declares whether a domain is a public suffix (like .gov.uk or .bank). Only relevant for Public Suffix Operators and complex domain hierarchies. Most domain owners can ignore this.
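To make the policy selection concrete, here is an added example in Python (not from this guide or PowerDMARC) that applies a published record to one message the way a receiver would: it checks SPF and DKIM alignment under adkim/aspf, picks p, sp or np depending on whether the From domain is the parent domain, an existing subdomain or a non-existent one, and applies the t=y downgrade exactly as described above. The `org_domain` helper is simplified to the last two labels, which is an assumption made here (real receivers consult the Public Suffix List); the reporting address in the sample records is a placeholder, and `AuthResult` and `evaluate` are names chosen for this example.

```python
from dataclasses import dataclass

# Sample records from the examples earlier in the guide; the rua address is a placeholder.
EXAMPLE_2 = "v=DMARC1; p=quarantine; sp=quarantine; np=reject; rua=mailto:dmarc@yourdomain.com"
EXAMPLE_4 = "v=DMARC1; p=reject; sp=reject; np=reject; adkim=s; aspf=s"
TEST_MODE = "v=DMARC1; p=reject; t=y"


def parse_tags(record: str) -> dict:
    """'v=DMARC1; p=reject; sp=reject' -> {'v': 'DMARC1', 'p': 'reject', 'sp': 'reject'}"""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}


@dataclass
class AuthResult:
    """Raw SPF/DKIM outcome as the receiver computed it, before alignment."""
    spf_result: str = "none"   # "pass", "fail", "none", ...
    spf_domain: str = ""       # MAIL FROM domain SPF was evaluated for
    dkim_result: str = "none"
    dkim_domain: str = ""      # d= of the verified signature ("" if unsigned)


def org_domain(domain: str) -> str:
    # ASSUMPTION: organizational domain = last two labels. Real receivers consult
    # the Public Suffix List so that e.g. example.gov.uk is handled correctly.
    return ".".join(domain.lower().split(".")[-2:])


def aligned(identifier: str, header_from: str, mode: str) -> bool:
    """adkim/aspf: 'r' = same organizational domain, 's' = exact match."""
    if not identifier:
        return False
    if mode == "s":
        return identifier.lower() == header_from.lower()
    return org_domain(identifier) == org_domain(header_from)


def evaluate(record: str, record_domain: str, header_from: str,
             auth: AuthResult, subdomain_exists: bool = True) -> dict:
    """Decide the DMARC result and disposition for one message.

    record_domain is the parent domain the record was published for;
    header_from is the domain in the message's From: header.
    """
    tags = parse_tags(record)
    spf_ok = auth.spf_result == "pass" and aligned(auth.spf_domain, header_from, tags.get("aspf", "r"))
    dkim_ok = auth.dkim_result == "pass" and aligned(auth.dkim_domain, header_from, tags.get("adkim", "r"))
    passed = spf_ok or dkim_ok

    # p applies to the domain itself, sp to existing subdomains (defaults to p),
    # np to non-existent subdomains (defaults to sp).
    p = tags.get("p", "none")
    sp = tags.get("sp", p)
    np_ = tags.get("np", sp)
    if header_from.lower() == record_domain.lower():
        policy = p
    else:
        policy = sp if subdomain_exists else np_

    # t=y: treat the policy one step less strictly, as described in the text.
    if tags.get("t") == "y":
        policy = {"reject": "quarantine", "quarantine": "none"}.get(policy, policy)

    disposition = "none" if passed else policy
    return {
        "dmarc": "pass" if passed else "fail",
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        "policy": policy,
        "disposition": disposition,
        # Same shape as the Authentication-Results comment shown earlier in the guide.
        "auth_results": f"dmarc={'pass' if passed else 'fail'} "
                        f"(p={p.upper()} sp={sp.upper()} np={np_.upper()} "
                        f"dis={disposition.upper()}) header.from={header_from}",
    }
```

Running the parked-domain record (EXAMPLE_4) against a message whose SPF passed for bounce.yourdomain.com shows why strict alignment is only safe for domains that send nothing: under aspf=s the bounce subdomain no longer counts as aligned, so the message is rejected.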

Deprecated/Removed Tags:

  • pct= is deprecated. Receivers implemented it inconsistently. Use t=y instead for staged rollouts.
  • rf= and ri= have been removed. Delete them if they appear in your existing records. Receivers ignore them anyway.

For a deeper dive on RFC 9989 changes, refer to our DMARC RFC 9989 guide.

Compliance Requirements Active Now

| Requirement | Status | Deadline | Action |
|-------------|--------|----------|--------|
| Gmail Permanent Rejection | Active | Feb 2024 | DMARC published required; p=none acceptable as a starting point, with the expectation of progression toward p=quarantine or p=reject for bulk senders (5,000+ msgs/day) |
| Yahoo Permanent Rejection | Active | Feb 2024 | DMARC published required; p=none acceptable as a starting point, with the expectation of progression toward p=quarantine or p=reject for bulk senders (5,000+ msgs/day) |
| Microsoft Outlook Enforcement | Active | May 2025 | DMARC enforcement with SPF and DKIM required for bulk senders to Outlook.com, Hotmail.com, Live.com |
| PCI-DSS v4.0 | Active | March 2025 | Anti-phishing controls required for all entities handling cardholder data |

Learn about local and global requirements in our complete DMARC requirements guide.

Common DMARC Record Errors

1. No DMARC Record Found

Cause: You have not published a DMARC record on your domain, the record is misconfigured, or DNS propagation is not yet complete.

Fix: Once you have confirmed that no record exists in your DNS, log in to your DNS management console and publish a new record. If a record exists, edit it to remove the errors or misconfigurations. If you are still within the 48-hour propagation window, wait a while before checking again.

2. Syntax Errors

Common mistakes:

  • Missing semicolons: Each tag must be followed by a semicolon.
  • Extra spaces: Avoid spaces after semicolons or around
  • Incorrect version: Must be v=DMARC1, not v=DMARC2 or version=1
  • Invalid tag names: Typos like po=reject instead of p=reject

3. Duplicate DMARC Records

Cause: You must have only one DMARC TXT record per domain. If you have multiple records, receivers will only read the first one they find. This can cause unexpected policy behavior.

Fix: Make sure to remove duplicate records under the same domain, or merge records if needed.

Use the command: nslookup -type=TXT _dmarc.yourdomain.com or use a DMARC checker tool. If you see two or more DMARC records, delete the duplicates immediately.

4. Wrong DNS Record Name or Type

Cause: Your DNS record name or type is invalid, for example, an MX record configured instead of a TXT for DMARC.

Fix:

  • Record type: TXT (not A, CNAME, MX, etc.)
  • Record name: _dmarc (some DNS providers auto-append your domain; some require _dmarc.yourdomain.com)

Common mistakes:

  • Adding a DMARC record as an A or CNAME record
  • Publishing at the root domain (yourdomain.com) instead of _dmarc.yourdomain.com
  • Typos like _dmrc or dmarc (missing underscore)

Check your DNS manager to verify the exact name and type.
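The checks in this section and the tag table in Anatomy of a DMARC Record can be run mechanically against whatever your DNS actually returns. The Python below is an added example, not code from this guide or from PowerDMARC: given the name you looked up and the list of TXT strings found there (as returned by dig or nslookup), it reports the wrong-name case, missing or duplicate records, missing semicolons, a wrong version tag, unknown tag names, out-of-range values, and the deprecated pct/rf/ri tags as warnings. `validate_dmarc` and the tag tables in it are names and structures chosen for this example; the sample addresses are placeholders.

```python
import re

POLICIES = {"none", "quarantine", "reject"}
# Allowed values per tag, following the tag table earlier in the guide.
ALLOWED = {
    "p": POLICIES, "sp": POLICIES, "np": POLICIES,
    "adkim": {"r", "s"}, "aspf": {"r", "s"},
    "t": {"y"}, "psd": {"y", "n", "u"},
}
DEPRECATED = {"pct": "use t=y for staged rollouts instead",
              "rf": "removed in RFC 9989", "ri": "removed in RFC 9989"}
KNOWN = set(ALLOWED) | set(DEPRECATED) | {"v", "rua", "ruf", "fo"}
# mailto: URI check (the optional "!size" suffix of the spec is not handled here)
_MAILTO = re.compile(r"^mailto:[^@\s,!]+@[^@\s,!]+$")


def validate_dmarc(name: str, txt_records: list[str]) -> dict:
    """Validate the TXT strings found at `name` the way a DMARC checker would.

    Returns {"valid": bool, "errors": [...], "warnings": [...], "tags": {...}}.
    """
    errors, warnings, tags = [], [], {}
    if not name.lower().startswith("_dmarc."):
        errors.append(f"record must be published at _dmarc.<domain>, not at '{name}'")

    # Receivers only consider TXT strings that begin with the version tag.
    candidates = [r.strip() for r in txt_records if r.strip().lower().startswith("v=dmarc")]
    if not candidates:
        errors.append("no DMARC record found (no TXT string beginning with v=DMARC1)")
        return {"valid": False, "errors": errors, "warnings": warnings, "tags": tags}
    if len(candidates) > 1:
        errors.append(f"{len(candidates)} DMARC records found; exactly one is allowed")

    for part in candidates[0].split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            errors.append(f"malformed tag '{part}' (expected tag=value)")
            continue
        key, value = (s.strip() for s in part.split("=", 1))
        key = key.lower()
        if " " in value and key not in ("rua", "ruf"):
            errors.append(f"'{part}': space inside a value; missing semicolon between tags?")
            continue
        if key not in KNOWN:
            errors.append(f"unknown tag '{key}' (typo?)")
            continue
        if key in tags:
            errors.append(f"tag '{key}' appears more than once")
        tags[key] = value

    if tags.get("v") != "DMARC1":
        errors.append("first tag must be exactly v=DMARC1")
    if "p" not in tags:
        errors.append("required tag p= is missing")
    for key, allowed in ALLOWED.items():
        if key in tags and tags[key].lower() not in allowed:
            errors.append(f"{key}={tags[key]} is not one of {sorted(allowed)}")
    for key in ("rua", "ruf"):
        for uri in (u.strip() for u in tags.get(key, "").split(",") if u.strip()):
            if not _MAILTO.match(uri):
                errors.append(f"{key} entry '{uri}' is not a mailto: URI")
    if "fo" in tags and not set(tags["fo"].split(":")) <= {"0", "1", "d", "s"}:
        errors.append(f"fo={tags['fo']} uses values outside 0, 1, d, s")
    for key, why in DEPRECATED.items():
        if key in tags:
            warnings.append(f"{key}= is deprecated ({why}); remove it when you next edit the record")
    if "rua" not in tags:
        warnings.append("no rua= address: you will receive no aggregate reports")
    if "ruf" in tags:
        warnings.append("ruf= is set, but major receivers no longer send failure reports")
    return {"valid": not errors, "errors": errors, "warnings": warnings, "tags": tags}
```

Feed it the name you actually queried, not the name you intended: a record published at the root domain or at a misspelled label will show up as "no DMARC record found" for the right name, which is exactly what receivers see.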

Need More Help? Full Troubleshooting Guide

For issues with SPF/DKIM alignment failures, third-party sender failures, or legitimate mail going to spam, see the full DMARC troubleshooting guide.

DMARC Records for Non-Sending and Parked Domains

Even if your domain doesn’t send email, attackers can spoof it to send phishing messages to your customers. Protect inactive and parked domains with a restrictive DMARC record.

v=DMARC1; p=reject; sp=reject; np=reject; adkim=s; aspf=s

What this does:

  • p=reject; sp=reject; np=reject: Reject all unauthorized email
  • adkim=s; aspf=s: Require strict alignment (no relaxed matching)
  • No rua=: Not monitoring reports (domain doesn’t send)

Why Non-Sending Domains Are Targeted

Attackers can register lookalike domains or compromise inactive ones in your portfolio. A parked domain with no DMARC record looks like an open target for spoofing. Setting p=reject across the board prevents:

  • Phishing emails sent from your “company.old” or “company.test” domains
  • Reputational damage
  • Undetected abuse (with no reporting, you’d never know it happened)

Next Steps After Publishing DMARC

Publishing p=none (monitoring mode) provides no protection; it only collects data. To protect your domain from spoofing and phishing, you need to move gradually toward enforcement.

Three-phase approach:

  1. Monitor (p=none): Review DMARC reports for 1-2 weeks. Identify all legitimate senders and third parties sending on your behalf (SaaS tools, marketing platforms, ticketing systems).
  2. Transition (p=quarantine): Move suspicious traffic to spam. Keep this phase for 1-4 weeks while monitoring report volume. If legitimate mail is being quarantined, you’ve found a sender that needs SPF or DKIM configuration.
  3. Enforce (p=reject): Fully reject unauthorized email. Only transition to this after confirming all legitimate senders are aligned.

Managing DMARC at Scale for Multiple Domains

If you manage multiple domains, editing DNS records one by one is slow and error-prone. PowerDMARC’s Hosted DMARC solution automates record management across your entire portfolio.

Benefits:

  • Manage unlimited domains from a single dashboard
  • Bulk policy updates (roll out p=reject across 50 domains at once)
  • AI-driven threat intelligence identifies spoofing attempts
  • White-glove onboarding and expert support

Learn about Hosted DMARC.

Frequently Asked Questions

1. Do I need DMARC if I already have SPF and DKIM?

Yes. SPF and DKIM each authenticate a single mechanism, but without DMARC there is no policy telling receivers what to do when those checks fail. DMARC also enables aggregate reporting, without which you have no visibility into who is sending email from your domain.

2. What happens if I don’t have a DMARC record?

Without DMARC, receiving servers make their own decisions about unauthenticated email, and your domain is more vulnerable to spoofing and phishing. Several ESPs require DMARC for bulk senders, and missing it can significantly harm deliverability.

3. Does DMARC apply to subdomains automatically?

Subdomains inherit the parent domain’s DMARC policy unless overridden. Use the sp= tag to set a different policy for existing subdomains, and the np= tag (new in RFC 9989) to set policy for non-existent subdomains. Setting sp=reject while keeping p=quarantine is a common pattern for stricter subdomain protection.

4. Is DMARC required for PCI DSS v4.0 compliance?

PCI DSS v4.0, which became fully active in 2025, requires anti-phishing controls for organizations that process payment card data. Although DMARC is not explicitly required for compliance, implementing it can help you meet the requirements.