Key Takeaways
- A DMARC record is a DNS TXT record published at _dmarc.yourdomain.com. It tells mail servers what to do with emails that fail SPF or DKIM checks.
- You need SPF or DKIM set up before enforcing DMARC. Monitoring with p=none is fine without them, but quarantine or reject won’t work until at least one passes.
- To publish a DMARC record, add a TXT record named _dmarc at your DNS provider. Propagation can take up to 48 hours – verify the record is live using a DMARC checker or dig/nslookup.
- Most DMARC errors come down to a few simple mistakes: missing semicolons, wrong record type, publishing at the root domain instead of _dmarc.yourdomain.com, or having two records when you should only have one.
- Gmail, Yahoo, and Microsoft require DMARC enforcement for bulk senders. If you handle card payments, PCI DSS v4.0 makes anti-phishing controls mandatory too.
A DMARC record is a DNS TXT record that tells receiving mail servers how to handle emails that fail authentication checks. This guide walks you through creating your DMARC record, publishing it to your domain’s DNS, verifying it works, and understanding the 2026 standard (RFC 9989) that now governs the protocol.
Whether you’re setting up email authentication for the first time or updating your record to meet 2025/2026 compliance requirements, you can generate and publish a working DMARC record in under 10 minutes. This guide is for IT professionals, domain administrators, MSPs, and compliance managers.
Note: DMARC was updated in May 2026 (RFC 9989). All record examples in this guide reflect the updated standard.
What Is a DMARC Record?
A DMARC record is a DNS TXT record published at _dmarc.yourdomain.com that instructs receiving mail servers how to handle emails claiming to be from your domain that fail authentication checks.
DMARC builds on two existing email authentication protocols:
- SPF (Sender Policy Framework): Authorizes specific IPs to send email from your domain
- DKIM (DomainKeys Identified Mail): Cryptographically signs email to prove it came from your domain
Without DMARC, there’s no policy telling receivers what to do when SPF or DKIM fails. They make their own decisions, often letting spoofed emails through.
How DMARC Fits Into Email Authentication
- SPF checks the sending IP by verifying whether the server that sent the email is authorized by the domain’s SPF record.
- DKIM validates the signature by verifying whether the email’s digital signature matches the domain’s published DKIM key.
- DMARC decides the action if SPF and/or DKIM fails. Your DMARC policy (and alignment rules) tell the receiver to reject, quarantine, or allow the email.
Before You Publish a DMARC Record
DMARC enforcement requires at least SPF or DKIM to be published and aligned with your sending domain. You can publish a DMARC record with p=none (monitoring) without them, but enforcement (p=quarantine or p=reject) requires at least one protocol to pass.
Quick checks:
Anatomy of a DMARC Record
A DMARC record is a string of tag-value pairs separated by semicolons. Only two tags are required, and everything else is optional but recommended.
Active Tags
| Tag | Purpose | Allowed values | Example | Requirement |
|---|---|---|---|---|
| v | DMARC version | DMARC1 | v=DMARC1 | Required |
| p | DMARC policy | none, quarantine, reject | p=none | Required |
| sp | Subdomain policy | none, quarantine, reject | sp=reject | Optional |
| np | Policy for non-existent subdomains | none, quarantine, reject | np=reject | Optional |
| rua | Aggregate report mail | Valid email address | rua=mailto:[email protected] | Recommended |
| ruf | Failure report mail | Valid email address | ruf=mailto:[email protected] | Optional |
| psd | Public suffix domain flag | y(yes)/n(no)/u(unknown) | psd=y | Optional |
| t | Testing mode | y(yes) | t=y | Optional |
| adkim | DKIM alignment mode | r(relaxed)/s(strict) | adkim=r | Optional |
| aspf | SPF alignment mode | r(relaxed)/s(strict) | aspf=s | Optional |
| fo | Failure report options | 0, 1, d, s | fo=1 | Optional |
Note on psd=: This tag is primarily for Public Suffix Operators (PSOs) such as country-code registries or gTLD operators. Most ordinary domain owners should leave this out entirely. It’s only relevant if your domain is a public suffix like .gov.uk or .bank.
Note on ruf=: Major receivers (Google, Microsoft, Yahoo) no longer send failure reports.
Deprecated Tags
RFC 9989 deprecated or removed three tags that caused implementation inconsistencies:
| Tag | What it was | Why deprecated | Action |
|---|---|---|---|
| pct | Percentage of emails to apply policy | Implemented inconsistently across receivers, leading to unpredictable results | Remove from new records. Use t=y instead to signal test mode. |
| rf | Report format | Only one value (afrf) was ever used; redundant | Remove from existing records when editing. |
| ri | Report interval (in seconds) | Receivers ignored it in practice | Remove from existing records when editing. |
Note: If your existing records include these tags, they still work, because receivers simply ignore them. Delete them the next time you edit your record to align with RFC 9989, and do not include them when publishing new records.
DMARC Policy Comparison
| Policy | Receiver action | Protection level | ESP bulk sender requirement | When to use |
|---|---|---|---|---|
| none | Monitor only; no rejection | None | Acceptable | Initial deployment; monitoring traffic |
| quarantine | Send to spam/junk folder | Moderate | Meets requirements | For gradual enforcement |
| reject | Block and reject completely | High | Meets requirements | When confident to activate full enforcement. |
DMARC Record Examples
All examples below follow RFC 9989: they omit deprecated tags and include the new tags where applicable.
Example 1: Monitoring Mode (Start Here)
v=DMARC1; p=none; rua=mailto:[email protected]
Use case: First-time DMARC setup. No enforcement. Aggregate reports sent daily to track authentication results.
What each tag does:
- v=DMARC1: Identifies this as a DMARC record
- p=none: Take no action; just monitor
- rua=mailto:[email protected]: Send daily reports to this email address
Example 2: Partial Enforcement (Transitional)
v=DMARC1; p=quarantine; sp=quarantine; np=reject; rua=mailto:[email protected]
Use case: Moving toward enforcement. Quarantine failing emails. Stricter policy for non-existent subdomains.
What’s new:
- sp=quarantine: Subdomains inherit the quarantine policy
- np=reject: Non-existent subdomains are rejected (RFC 9989 protection)
Example 3: Full Enforcement
v=DMARC1; p=reject; sp=reject; np=reject; rua=mailto:[email protected]
Use case: Full production enforcement. Reject all failing emails. Domain doesn’t host mailing lists.
Example 4: Non-Sending / Parked Domain
v=DMARC1; p=reject; sp=reject; np=reject; adkim=s; aspf=s
Use case: Domain that doesn’t send email but needs protection from spoofing.
What’s different:
- adkim=s; aspf=s: Strict alignment (no relaxed mode needed)
- No rua=: Not monitoring reports (domain doesn’t send)
- np=reject: Even non-existent subdomains reject spoofed email
Even inactive domains should be protected, as attackers can spoof unused domains in phishing campaigns.
Example 5: Subdomain with Stricter Policy
Parent domain: v=DMARC1; p=quarantine; rua=mailto:[email protected]
Subdomain (marketing.yourdomain.com): v=DMARC1; p=reject; sp=reject; np=reject; rua=mailto:[email protected]
Use case: Parent domain allows quarantine (has forwarded mail). Marketing subdomain is a dedicated sender; enforce p=reject.
Example 6: Microsoft 365 / Google Workspace
v=DMARC1; p=reject; rua=mailto:[email protected]
Note: Neither Microsoft 365 nor Google Workspace requires a special DMARC syntax. The record is published in DNS like any other DMARC deployment. Before enforcement, verify the SPF and DKIM configuration for all sending sources.
For a detailed tutorial you can refer to our Microsoft 365 DMARC and Google Workspace DMARC setup guides.
How to Create a DMARC Record
Method 1: Using the PowerDMARC Free Generator
1. Go to DMARC Record Generator
2. Select your desired enforcement level (None / Monitoring, Quarantine, Reject)
3. Enter your domain and reporting email address
4. Enable subdomain policy and protect non-existent subdomains if you wish (Optional)
5. Click Generate
6. Your DMARC record is generated and ready to copy
Method 2: Create Manually
Open a text editor and write the record by hand:
v=DMARC1; p=none; rua=mailto:[email protected]
Start with p=none (monitoring). You’ll adjust the policy later once you understand your email traffic.
Required:
- v=DMARC1 (always)
- p= (your policy: none, quarantine, or reject)
- rua= (your reporting email)
How to Publish a DMARC Record – Step-by-Step by DNS Provider
Your domain’s DNS is managed by your domain registrar (GoDaddy, Namecheap, etc.), web hosting provider (cPanel), or CDN (Cloudflare). Log in there and follow the steps for your provider below.
Generic Steps (if your provider is not listed):
1. Find the DNS management console
2. Click on the domain for which you want to configure DMARC
3. Create a new TXT record
4. Record name: _dmarc (or _dmarc.yourdomain.com if the form requires full hostname)
5. Record value: paste your DMARC record string
6. Save and wait for propagation (24-48 hours)
7. Use DMARC checker to verify
Publish DMARC Record on GoDaddy
1. Log in to your GoDaddy Domain Portfolio
2. Click DNS next to your domain
3. Scroll to DNS Records
4. Click Add New Record
5. Type: TXT
6. Name: _dmarc
7. Value: paste your DMARC record
8. Click Save
Publish DMARC Record on Cloudflare
1. Log in to your Cloudflare Dashboard
2. Select your domain
3. Go to DNS > Records
4. Click Add Record
5. Type: TXT
6. Name: _dmarc
7. Content: paste your DMARC record
8. TTL: Auto (or 3600)
9. Proxy status: DNS only (not proxied)
10. Click Save
Note: Set proxy status to “DNS only” (grey cloud), not orange. DMARC must be queried directly at DNS, not proxied through Cloudflare.
Publish DMARC Record on cPanel / WHM
1. Log in to your cPanel account
2. Go to Zone Editor (under Domains)
3. Click Manage next to your domain
4. Click + Add New Record
5. Type: TXT
6. Name: _dmarc.yourdomain.com
7. Value (TXT Data): paste your DMARC record
8. Click Add a Record
Publish DMARC Record on Namecheap
1. Log in to your Namecheap account
2. Go to Dashboard > Domain List
3. Click Manage next to your domain
4. Go to Advanced DNS
5. Click Add New Record
6. Type: TXT Record
7. Host: _dmarc
8. Value: paste your DMARC record
9. TTL: Automatic (3600)
10. Click the checkmark to save
Publish DMARC Record on Amazon Route 53
1. Log in to AWS Management Console > Route 53
2. Go to Hosted zones and select your domain
3. Click Create record
4. Record name: _dmarc
5. Record type: TXT
6. Value: paste your DMARC record wrapped in double quotes
- Example: "v=DMARC1; p=none; rua=mailto:[email protected]"
- Route 53 requires quotes; without them, the record won’t save
7. TTL: 300 (or 3600)
8. Click Create records
Note: Route 53 requires TXT record values to be wrapped in straight double quotes. Copy-paste your record as-is, then wrap it in "…".
Publish DMARC Record on Microsoft 365 / Azure DNS
If your DNS is managed in Azure DNS:
1. Log in to Azure Portal > DNS Zones
2. Select your domain
3. Click + Record set
4. Name: _dmarc
5. Type: TXT
6. TTL: 3600
7. Value: paste your DMARC record
8. Click OK
If your DNS is at a registrar (GoDaddy, Namecheap, etc.):
- Follow the registrar’s steps above
How Long Does a DMARC Record Take to Propagate?
DNS changes are controlled by a setting called TTL (Time To Live), which tells servers how long to cache a DNS record before checking for updates. Most DNS providers set TTL to 3600 seconds (1 hour) by default.
Typical timing:
- For most locations, DNS propagates within 1–2 hours
- Full global propagation can take up to 48 hours in rare cases
- Don’t panic if your DMARC checker shows “no record” in the first hour; wait at least 30-60 minutes and try again
Check propagation globally: Use our DNS Propagation Checker to verify your record is live across multiple global DNS servers.
How to Verify Your DMARC Record Is Working
Method 1: PowerDMARC DMARC Checker Tool
1. Go to DMARC Record Checker
2. Enter your domain name
3. Click Check
4. Results show:
- Valid: Record is correctly formatted and published
- Invalid: Syntax error; review your record
- No Record Found: Check DNS propagation or verify the record was saved in DNS
Method 2: Command Line (nslookup or dig)
On Windows (Command Prompt):
nslookup -type=TXT _dmarc.yourdomain.com
On Mac/Linux (Terminal):
dig TXT _dmarc.yourdomain.com
Successful output:
_dmarc.yourdomain.com. 3600 IN TXT "v=DMARC1; p=reject; sp=reject; np=reject; rua=mailto:[email protected]"
If you see no results, DNS hasn’t propagated yet or the record wasn’t saved correctly.
Method 3: Check the Email Header (Authentication-Results)
Send a test email and check the headers.
Steps:
1. Send yourself a test email from your domain (or ask someone at another company to send you email)
2. In Gmail:
- Open the email
- Click the three-dot menu (⋮) > Show original
- Search for Authentication-Results
3. In Outlook:
- Open the email
- Click File > Properties > Internet Headers
- Search for Authentication-Results
What to look for:
✅ DMARC pass:
Authentication-Results: mx.google.com;
dmarc=pass (p=REJECT sp=REJECT np=REJECT dis=NONE) header.from=yourdomain.com
❌ DMARC fail:
Authentication-Results: mx.google.com;
dmarc=fail (p=REJECT sp=REJECT) header.from=yourdomain.com reason="SPF not aligned"
What “pass” means: Your SPF or DKIM signature aligned with the domain in the From header, and your DMARC policy was applied.
What “fail” means: SPF or DKIM failed or didn’t align. Check your SPF record and DKIM configuration.
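To read these headers in bulk rather than one at a time, the following added example (not code from PowerDMARC or this guide) parses the dmarc= clause of Authentication-Results headers in the Gmail format shown above and tallies verdicts per From domain; the sample headers and the example.com domain are constructed.

```python
import re
from collections import Counter
from typing import Optional

# The dmarc= clause as Gmail writes it, e.g.
#   dmarc=pass (p=REJECT sp=REJECT np=REJECT dis=NONE) header.from=example.com
DMARC_CLAUSE = re.compile(
    r"dmarc=(?P<result>\w+)"                   # pass / fail / none ...
    r"(?:\s*\((?P<props>[^)]*)\))?"            # optional (p=... sp=... dis=...)
    r"(?:\s+header\.from=(?P<from>[^\s;]+))?"  # the domain DMARC aligned against
    r"(?:\s+reason=\"(?P<reason>[^\"]*)\")?"   # only present on failures
)


def parse_dmarc_result(header: str) -> Optional[dict]:
    """Extract the DMARC verdict from one Authentication-Results header.
    Returns None when the header carries no dmarc= clause at all."""
    text = " ".join(header.split())  # unfold the header onto a single line
    m = DMARC_CLAUSE.search(text)
    if not m:
        return None
    # The parenthesised properties become tag=value pairs (p=, sp=, np=, dis=).
    props = dict(kv.split("=", 1) for kv in (m.group("props") or "").split() if "=" in kv)
    return {
        "result": m.group("result").lower(),
        "policy": props.get("p", "").lower() or None,  # policy the receiver applied
        "header_from": m.group("from"),
        "reason": m.group("reason"),
    }


def summarize(headers):
    """Count verdicts per From domain across many headers (e.g. a test mailbox)."""
    counts = Counter()
    for h in headers:
        r = parse_dmarc_result(h)
        if r:
            counts[(r["header_from"], r["result"])] += 1
    return counts


# Constructed sample headers in the shape shown above (not real mail).
SAMPLE_HEADERS = [
    """Authentication-Results: mx.google.com;
       dkim=pass header.i=@example.com header.s=sel1;
       spf=pass smtp.mailfrom=example.com;
       dmarc=pass (p=REJECT sp=REJECT np=REJECT dis=NONE) header.from=example.com""",
    'Authentication-Results: mx.google.com; spf=fail smtp.mailfrom=bulk.example.net; '
    'dmarc=fail (p=REJECT sp=REJECT) header.from=example.com reason="SPF not aligned"',
    "Authentication-Results: mx.google.com; spf=pass smtp.mailfrom=other.test",
]
```

A run of failures for one header.from domain with reason "SPF not aligned" points at a sender that still needs SPF or DKIM configured before moving to p=reject.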
When to Expect Your First DMARC Report
Aggregate reports are sent within 24-72 hours of publishing your record.
What the report contains:
- Daily summary of all email sent from your domain
- Authentication results (SPF pass/fail, DKIM pass/fail, DMARC pass/fail)
- Sending IP addresses and their volume
- Source countries
- Policy enforcement actions taken by receivers
What Changed in RFC 9989 for DMARC Records
In May 2026, RFC 9989 replaced RFC 7489 as the official DMARC standard. Your existing record still works. Here are the key changes for new records:
Three New Tags Added:
- np= (non-existent subdomain policy): Add np=reject or np=quarantine to protect non-existent subdomains. Before RFC 9989, attackers could spoof random subdomains without DMARC records. Now you can set a policy for them at the parent domain level. Most domain owners should add this.
- t= (test mode flag): Use t=y to signal that your policy is in testing mode. Receivers treat p=reject; t=y as p=quarantine (one step less strict), allowing safe staged rollouts. Replaces the old pct= tag.
- psd= (public suffix domain flag): Declares whether a domain is a public suffix (like .gov.uk or .bank). Only relevant for Public Suffix Operators and complex domain hierarchies. Most domain owners can ignore this.
Deprecated/Removed Tags:
- pct= is deprecated. Receivers implemented it inconsistently. Use t=y instead for staged rollouts.
- rf= and ri= have been removed. Delete them if they appear in your existing records. Receivers ignore them anyway.
For a deeper dive on RFC 9989 changes, refer to our DMARC RFC 9989 guide.
Compliance Requirements Active Now
| Requirement | Status | Deadline | Action |
|---|---|---|---|
| Gmail Permanent Rejection | Active | Feb 2024 | DMARC published required; p=none acceptable as starting point with expectation of progression toward p=quarantine or p=reject for bulk senders (5,000+ msgs/day) |
| Yahoo Permanent Rejection | Active | Feb 2024 | DMARC published required; p=none acceptable as starting point with expectation of progression toward p=quarantine or p=reject for bulk senders (5,000+ msgs/day) |
| Microsoft Outlook Enforcement | Active | May 2025 | DMARC enforcement with SPF and DKIM required for bulk senders to Outlook.com, Hotmail.com, Live.com |
| PCI-DSS v4.0 | Active | March 2025 | Anti-phishing controls required by all entities handling cardholder data. |
Learn about local and global requirements in our complete DMARC requirements guide.
Common DMARC Record Errors
1. No DMARC Record Found
Cause: You have not published a DMARC record on your domain, the record is misconfigured, or DNS propagation is not yet complete.
Fix: Once you have confirmed that no record exists in your DNS, log in to your DNS management console and publish a new record. If a record exists, edit it to remove errors or misconfigurations. If you are still within the 48-hour propagation window, wait a while before checking again.
2. Syntax Errors
Common mistakes:
- Missing semicolons: Each tag must be followed by a semicolon.
- Extra spaces: Avoid spaces after semicolons or around
- Incorrect version: Must be v=DMARC1, not v=DMARC2 or version=1
- Invalid tag names: Typos like po=reject instead of p=reject
3. Duplicate DMARC Records
Cause: More than one DMARC TXT record is published for the domain; only one is allowed. If you have multiple records, receivers will only read the first one they find, which can cause unexpected policy behavior.
Fix: Make sure to remove duplicate records under the same domain, or merge records if needed.
Use the command: nslookup -type=TXT _dmarc.yourdomain.com or use a DMARC checker tool. If you see two or more DMARC records, delete the duplicates immediately.
4. Wrong DNS Record Name or Type
Cause: Your DNS record name or type is invalid, for example, an MX record configured instead of a TXT for DMARC.
Fix:
- Record type: TXT (not A, CNAME, MX, etc.)
- Record name: _dmarc (some DNS providers auto-append your domain; some require _dmarc.yourdomain.com)
Common mistakes:
- Adding a DMARC record as an A or CNAME record
- Publishing at the root domain (yourdomain.com) instead of _dmarc.yourdomain.com
- Typos like _dmrc or dmarc (missing underscore)
Check your DNS manager to verify the exact name and type.
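The checks from the tag table above and from this error list can be automated before you paste a record into DNS. The following linter is an added example, not PowerDMARC's checker: it takes the list of TXT strings a lookup of _dmarc.<domain> returns (so a duplicate record shows up as a list of two), flags the deprecated pct=, rf= and ri= tags, unknown or misspelled tags, bad values, dropped semicolons, and a missing or misplaced v=DMARC1 or p= tag. The example.com addresses in the usage are constructed.

```python
import re

# Tags this guide lists as active under RFC 9989 and the values each accepts.
# None means the value is free-form and is checked separately (rua/ruf).
ACTIVE_TAGS = {
    "v": {"DMARC1"}, "p": {"none", "quarantine", "reject"},
    "sp": {"none", "quarantine", "reject"}, "np": {"none", "quarantine", "reject"},
    "rua": None, "ruf": None, "psd": {"y", "n", "u"}, "t": {"y"},
    "adkim": {"r", "s"}, "aspf": {"r", "s"}, "fo": {"0", "1", "d", "s"},
}
DEPRECATED_TAGS = {"pct", "rf", "ri"}  # the guide says to drop these when editing
MAILTO_RE = re.compile(r"^mailto:[^@\s,]+@[^@\s,]+$")


def parse_tags(record):
    """Split a record into tag/value pairs; return (tags, syntax_errors)."""
    tags, errors = {}, []
    for chunk in record.split(";"):
        part = chunk.strip()
        if not part:
            continue
        if "=" not in part:
            errors.append(f"missing '=' near '{part}'")
            continue
        name, value = (s.strip() for s in part.split("=", 1))
        # Whitespace inside a single value usually means a ';' was dropped.
        if name not in ("rua", "ruf") and re.search(r"\s", value):
            errors.append(f"missing ';' inside '{part}'")
        if name in tags:
            errors.append(f"tag '{name}' appears more than once")
        tags[name] = value
    return tags, errors


def lint_dmarc(txt_records):
    """Lint the TXT strings found at _dmarc.<domain>; an empty list means clean."""
    if not txt_records:
        return ["no DMARC record found"]
    findings = []
    if len(txt_records) > 1:
        findings.append(f"{len(txt_records)} DMARC records published; only one is allowed")
    tags, errors = parse_tags(txt_records[0])
    findings.extend(errors)
    if next(iter(tags), None) != "v":
        findings.append("v=DMARC1 must be the first tag")
    if "p" not in tags:
        findings.append("required tag p= is missing")
    for name, value in tags.items():
        if name in DEPRECATED_TAGS:
            findings.append(f"tag '{name}' is deprecated; remove it (pct= is replaced by t=y)")
        elif name not in ACTIVE_TAGS:
            findings.append(f"unknown tag '{name}' (typo?)")
        elif name in ("rua", "ruf"):
            for addr in value.split(","):
                if not MAILTO_RE.match(addr.strip()):
                    findings.append(f"{name}= has a non-mailto value '{addr.strip()}'")
        else:
            # fo= may carry several options joined by ':'; every other tag holds one value.
            for v in (value.split(":") if name == "fo" else [value]):
                if v not in ACTIVE_TAGS[name]:
                    findings.append(f"tag '{name}' has invalid value '{v}'")
    return findings
```

Feed it the TXT strings from your own dig or nslookup output, for example lint_dmarc(["v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@example.com"]), which reports the deprecated pct= tag and nothing else.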
Need More Help? Full Troubleshooting Guide
For issues with SPF/DKIM alignment failures, third-party sender failures, or legitimate mail going to spam, see the full DMARC troubleshooting guide.
DMARC Records for Non-Sending and Parked Domains
Even if your domain doesn’t send email, attackers can spoof it to send phishing messages to your customers. Protect inactive and parked domains with a restrictive DMARC record.
Recommended Record for a Non-Sending Domain
v=DMARC1; p=reject; sp=reject; np=reject; adkim=s; aspf=s
What this does:
- p=reject; sp=reject; np=reject: Reject all unauthorized email
- adkim=s; aspf=s: Require strict alignment (no relaxed matching)
- No rua=: Not monitoring reports (domain doesn’t send)
Why Non-Sending Domains Are Targeted
Attackers can register lookalike domains or compromise inactive ones in your portfolio. A parked domain with no DMARC record looks like an open target for spoofing. Setting p=reject across the board prevents:
- Phishing emails sent from your “company.old” or “company.test” domains
- Reputational damage
- Undetected abuse (with no reporting, you’d never know it happened)
Next Steps After Publishing DMARC
Publishing p=none (monitoring mode) provides no protection; it only collects data. To protect your domain from spoofing and phishing, you need to move gradually toward enforcement.
Three-phase approach:
- Monitor (p=none): Review DMARC reports for 1-2 weeks. Identify all legitimate senders and third parties sending on your behalf (SaaS tools, marketing platforms, ticketing systems).
- Transition (p=quarantine): Move suspicious traffic to spam. Keep this phase for 1-4 weeks while monitoring report volume. If legitimate mail is being quarantined, you’ve found a sender that needs SPF or DKIM configuration.
- Enforce (p=reject): Fully reject unauthorized email. Only transition to this after confirming all legitimate senders are aligned.
Managing DMARC at Scale for Multiple Domains
If you manage multiple domains, editing DNS records one by one is slow and error-prone. PowerDMARC’s Hosted DMARC solution automates record management across your entire portfolio.
Benefits:
- Manage unlimited domains from a single dashboard
- Bulk policy updates (roll out p=reject across 50 domains at once)
- AI-driven threat intelligence identifies spoofing attempts
- White-glove onboarding and expert support
Learn about Hosted DMARC.
Frequently Asked Questions
1. Do I need DMARC if I already have SPF and DKIM?
Yes. SPF and DKIM each authenticate a single mechanism, but without DMARC there is no policy telling receivers what to do when those checks fail. DMARC also enables aggregate reporting, without which you have no visibility into who is sending email from your domain.
2. What happens if I don’t have a DMARC record?
Without DMARC, receiving servers make their own decisions about unauthenticated email, and your domain is more vulnerable to spoofing and phishing. Several ESPs require DMARC for bulk senders, and missing it can significantly harm deliverability.
3. Does DMARC apply to subdomains automatically?
Subdomains inherit the parent domain’s DMARC policy unless overridden. Use the sp= tag to set a different policy for existing subdomains, and the np= tag (new in RFC 9989) to set policy for non-existent subdomains. Setting sp=reject while keeping p=quarantine is a common pattern for stricter subdomain protection.
4. Is DMARC required for PCI DSS v4.0 compliance?
PCI DSS v4.0, which became fully active in 2025, requires anti-phishing controls for organizations that process payment card data. Although DMARC is not explicitly required for compliance, implementing it can help you meet the requirements.
