How to Create and Publish a DMARC Record
by
Last Updated: 11 min read
Key Takeaways
- A DMARC record is a DNS TXT entry that helps authenticate outgoing emails and prevent spoofing and phishing attacks.
- Choosing the right DMARC policy is essential for controlling the handling of unauthorized emails.
- To implement DMARC, the record must be published in the Domain Name System (DNS) using tools such as cPanel, GoDaddy, or Cloudflare.
- Even domains that do not actively send emails should have a restrictive DMARC record, specifically “p=reject”, to prevent potential abuse.
- For optimal results, it is recommended to maintain a single DMARC record per domain and to implement enforcement gradually to avoid email delivery issues.
- Expert solutions like PowerDMARC automate DMARC record management and simplify monitoring through AI-driven threat intelligence.
DMARC, or Domain-based Message Authentication, Reporting and Conformance, is a technical protocol for authenticating outbound messages. DMARC serves as the first line of defense against a variety of email-based threats, including phishing and spoofing.
To configure DMARC, you need to create a DMARC record. The created DMARC record is a TXT record that is then published on your DNS. This kicks start your email authentication process.
By setting up a DMARC record, you empower domain owners to instruct receivers how they should respond to emails sent from unauthorized or illegitimate sources.
Expert Tip from Maitham Al Lawati: “For organizations in healthcare or finance, DMARC is not just about security. It’s about meeting strict compliance requirements. Start with monitoring, then enforce.”
This guide walks you through creating and publishing a DMARC DNS TXT record correctly, plus how to verify it and troubleshoot common errors.
What are DMARC records?
A DMARC record is a DNS TXT record that specifies how email servers should handle messages that fail authentication checks (SPF & DKIM).
It helps domain owners prevent email spoofing and phishing by instructing recipient servers on whether to reject, quarantine, or allow unauthorized emails.
How Does DMARC Work?
DMARC works by building on two existing email authentication protocols: SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail). Here’s the step-by-step authentication flow:
- Email Sent: An email is sent claiming to be from your domain
- SPF Check: The receiving server checks if the sending IP is authorized in your SPF record
- DKIM Check: The server verifies the DKIM signature against your published DKIM key
- DMARC Evaluation: The server checks your DMARC policy and determines alignment
- Policy Enforcement: Based on your DMARC policy (none, quarantine, reject), the appropriate action is taken
- Reporting: Results are compiled and sent to your specified reporting addresses
Key Point: DMARC requires at least one of SPF or DKIM to pass AND be properly aligned with the domain in the “From” header for the email to pass DMARC authentication.
Anatomy of a DMARC Record
Understanding each DMARC tag is essential for proper configuration. Here’s a comprehensive breakdown of all DMARC record components:
| Tag | Description | Possible Values | Example |
|---|---|---|---|
| v | Version (Required) | DMARC1 | v=DMARC1 |
| p | Policy for domain (Required) | none, quarantine, reject | p=quarantine |
| rua | Aggregate report email | Email address | rua=mailto:[email protected] |
| ruf | Forensic report email | Email address | ruf=mailto:[email protected] |
| sp | Subdomain policy | none, quarantine, reject | sp=reject |
| adkim | DKIM alignment mode | r (relaxed), s (strict) | adkim=r |
| aspf | SPF alignment mode | r (relaxed), s (strict) | aspf=r |
| pct | Percentage of emails to apply policy | 0-100 | pct=25 |
| fo | Forensic options | 0, 1, d, s | fo=1 |
| rf | Report format | afrf | rf=afrf |
| ri | Report interval (seconds) | Number | ri=86400 |
DMARC Record Examples
Here are real-world DMARC record examples for different use cases. Copy and customize these for your domain:
Basic Monitoring Mode (Recommended for Beginners)
- v=DMARC1; p=none; rua=mailto:[email protected]
- Use case: Initial DMARC implementation for monitoring email traffic without enforcement.
Quarantine Policy with Reporting
- v=DMARC1; p=quarantine; rua=mailto:[email protected]; ruf=mailto:[email protected]; pct=25
- Use case: Gradual enforcement affecting 25% of emails, with both aggregate and forensic reporting.
Strict Enforcement Policy
- v=DMARC1; p=reject; sp=reject; rua=mailto:[email protected]; adkim=s; aspf=s
- Use case: Full protection with strict alignment for both domain and subdomains.
Non-Sending Domain Protection
- v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s
- Use case: Domains that don’t send emails but need protection from spoofing.
DMARC Record Tags Explained
DMARC Policy Comparison Table
| Policy | Action | Pros | Cons | Best For |
|---|---|---|---|---|
| p=none | Monitor only | No delivery impact, learning phase | No protection against spoofing | Initial implementation |
| p=quarantine | Send to spam/junk | Moderate protection, emails still delivered | Spoofed emails may reach recipients | Gradual enforcement |
| p=reject | Block completely | Maximum protection | Risk of blocking legitimate emails | Full enforcement |
1. DMARC Policy Modes
The DMARC policy defines how receivers should handle emails that fail DMARC authentication. It’s denoted by “p”. It can have either of the following three values:
- p=none: To take no action against unauthorized emails.
- p=quarantine: To flag suspicious emails.
- p=reject: To reject unauthorized emails before they reach your recipients.
2. DMARC Reporting Options
- Aggregate Reports (rua=): These are summary reports sent to the specified email address, showing authentication results for all emails from the domain.
- Forensic Reports (ruf=): These are detailed failure reports sent when an email fails DMARC authentication.
3. DMARC Alignment Modes
- SPF Alignment (aspf=): Determines if the sender’s domain in the From: header aligns with the SPF record. There is an option to either strict (s) alignment for an exact match or relaxed (r) alignment for an organizational match.
- DKIM Alignment (adkim=): Determines if the DKIM signature domain aligns with the domain in the From: header. There is an option to either strict (s) alignment for an exact match or relaxed (r) alignment for an organizational match.
How DMARC Works with Subdomains
The ‘sp’ (subdomain policy) tag controls how DMARC policies apply to subdomains. If not specified, subdomains inherit the main domain’s policy.
- Inheritance: Subdomains automatically inherit the parent domain’s DMARC policy
- Override: Use ‘sp=’ tag to set different policies for subdomains
- Best Practice: Set stricter policies for subdomains that don’t send emails
How to Create a DMARC Record?
To create a DMARC DNS record for your domain, make sure you have:
- a) a reliable tool to generate the record
- b) access to your DNS management console to publish the record
Follow the steps given below to create your record:
1. Generate Your DMARC Record
Start Your Free 15-Day DMARC Security Trial to access our portal using an email address or sign up using Gmail/Office 365. Go to Analysis Tools > PowerToolbox > Free DMARC Record Generator Tool to start creating your DMARC record.
2. Define a DMARC policy for your DMARC record
Decide on a DMARC policy depending on your desired enforcement level (none, quarantine, or reject). Here’s how you choose your DMARC record policy:
- If you want no action to be taken against unsolicited emails sent from your domain, choose “none”.
- If you want to quarantine emails that fail DMARC, choose “quarantine”.
- If you want to reject or discard emails that fail authentication, which can minimize spoofing and phishing attacks, choose “reject”.
3. Configure recommended DMARC record optional fields
While not all fields are mandatory, we recommend you configure a few useful optional fields in your DMARC record. Let’s find out what they are:
- Aggregate (rua) reporting field: If you configure the rua field, you will receive DMARC authentication data directly to your email address.
- Forensic (ruf) reporting field: Gain insights into forensic incidents like cyber attacks by configuring the ruf field in your DMARC record.
- DKIM/SPF alignment modes” Choose whether you wish to opt for a relaxed or a strict alignment for SPF and/or DKIM.
How to Publish a DMARC Record?
To publish a DMARC record, there are a few prerequisites:
- You need to have access to your DNS management console
- You need to have permission to edit and add new DNS records for your domain
Publishing Your DMARC Record With cPanel
- Access your cPanel DNS Management Console
- Under the Domains section, click on DNS Zone Editor or Advanced Zone Editor
3. Add a DMARC record of type TXT (tex), filling in the details as shown below. In the “TXT data” or “value” field, you need to paste your previously created DMARC record.
Publishing a DMARC Record with Godaddy
- Log in to your GoDaddy Domain Portfolio to access the DNS zone
- Under Domain Name, find and select your email-sending domain
- Under your domain name, click on DNS
- Now select Add New Record and start publishing your record with the following details:
- Type: TXT
- Name: _dmarc
- Value: paste the value of your DMARC record
Publishing a DMARC Record with Cloudflare
- Log in to your Cloudflare account.
- Select the desired account and domain.
- Navigate to DNS and click on Add Record
- Paste your generated DMARC record into the Add Record section, like the example below:
How to Check Your DMARC Record
After publishing your DMARC record, it’s crucial to verify it’s working correctly. Here’s a step-by-step verification process:
Step-by-Step DMARC Record Verification Checklist
- Use DNS Lookup Tools: Check if your DMARC record is published correctly using tools like nslookup or dig
- Validate Syntax: Use online DMARC validators to check for syntax errors
- Test Email Authentication: Send test emails and check headers for DMARC results
- Monitor Reports: Wait for DMARC reports to confirm proper functioning
- Check Multiple DNS Servers: Verify propagation across different DNS servers globally
Recommended DMARC Validation Tools
- PowerDMARC DMARC Checker: Free comprehensive validation tool
- MXToolbox DMARC Lookup: Quick DNS record verification
- Google Admin Toolbox: Dig tool for DNS record inspection
Here’s why 10,000+ customers trust PowerDMARC: AI-driven threat intelligence, white-glove onboarding, SOC2/ISO27001 compliance, and automated multi-domain management
- Huge reduction in spoofing attempts and unauthorized emails
- Faster onboarding + automated authentication management
- Real-time threat intelligence & reporting across domains
- Better email delivery rates due to strict DMARC enforcement
Your first 15 days are on us
Start Your Free 15-Day DMARC Security Trial
Verifying Your DMARC Record
To verify your DMARC record & avoid the common “No DMARC record found” error, you can use our free verification tool.
1. Sign up for free and navigate to Analysis Tools > PowerToolbox > DMARC Record Checker Tool
2. Review your DMARC record status, syntax, and tags to uncover any errors you may have
Ready to verify your DMARC record? Use PowerDMARC’s Free DMARC Checker
Common DMARC Record Mistakes to Avoid
Avoid these frequent DMARC misconfigurations that can compromise your email security and deliverability:
1. Syntax and Configuration Errors
- Missing semicolons: Each tag must be separated by semicolons
- Extra spaces: Avoid unnecessary spaces around tags and values
- Incorrect version: Always use “v=DMARC1” (not v=DMARC2 or similar)
- Invalid email addresses: Ensure reporting addresses are valid and accessible
2. Policy Implementation Mistakes
- Jumping to p=reject too quickly: Start with p=none for monitoring
- Not configuring SPF and DKIM first: DMARC requires these protocols to be set up
- Ignoring subdomain policies: Consider setting appropriate sp= values
3. Record Management Errors
- Multiple DMARC records: Only one DMARC record per domain is allowed
- Wrong DNS record name: Must be exactly “_dmarc.yourdomain.com”
- Incorrect record type: Must be TXT record type
4. Monitoring and Reporting Oversights
- Not setting up reporting: Missing rua= tag means no visibility into email authentication
- Ignoring DMARC reports: Reports contain crucial security insights
- Using inaccessible reporting addresses: Ensure you can receive and process reports
Troubleshooting Common DMARC Record Errors
Use this step-by-step checklist to resolve common DMARC record issues:
| Issue | Symptoms | Solution |
|---|---|---|
| Record Not Found | DNS lookup returns no results | Verify record is published as TXT type with name "_dmarc" |
| Syntax Errors | Record validation fails | Check for missing semicolons, extra spaces, or typos |
| Multiple Records | Inconsistent policy enforcement | Remove duplicate records, keep only one per domain |
| Propagation Delays | Changes not visible globally | Wait 24-48 hours for full DNS propagation |
| Invalid Email Addresses | Reports not received | Verify rua/ruf email addresses are valid and accessible |
Quick Troubleshooting Checklist
|
Common DMARC Record Errors
| Status | What it means | What can you do |
|---|---|---|
| Valid | Your DMARC record is correct and free of errors | Do nothing |
| Invalid | Your DMARC record has errors. This can be due to an incomplete or erroneous syntax. | Review your syntax, refer to our complete guide on DMARC tags, or contact us for expert assistance. |
| No Record Found | No DMARC record was present in your DNS. | Create a DMARC record for your domain and publish it on your DNS. |
Once you detect errors in your record, you must implement the necessary changes to your DNS and save the changes. You may recheck your record once the changes are processed.
Understanding DMARC Reports
DMARC reports provide crucial insights into your email authentication performance and potential security threats. Here’s what you need to know:
Types of DMARC Reports
1. Aggregate Reports (RUA)
- Frequency: Daily summaries of all email authentication results
- Content: Volume statistics, authentication results, source IPs
- Use Case: Monitor overall email authentication health and identify trends
2. Forensic Reports (RUF)
- Frequency: Real-time reports for authentication failures
- Content: Detailed email headers and authentication failure reasons
- Use Case: Investigate specific authentication failures and potential attacks
How to Interpret DMARC Reports
Key Metrics to Monitor:
- DMARC Pass Rate: Percentage of emails passing DMARC authentication
- SPF/DKIM Alignment: How well your authentication protocols align
- Source Analysis: Identify legitimate vs. suspicious sending sources
- Policy Impact: Effects of quarantine/reject policies on email delivery
Using Reports to Improve Email Security
- Identify Legitimate Senders: Ensure all authorized email sources are properly configured
- Detect Spoofing Attempts: Monitor for unauthorized use of your domain
- Optimize Authentication: Fix SPF and DKIM alignment issues
- Gradual Policy Enforcement: Use data to safely move from monitoring to enforcement
DMARC Record for Non-Sending Domains
Most people stop at securing their active domains, but attackers can spoof even your non-sending domains to send fake emails on your behalf! To prevent this, here are the steps to implement DMARC for your non-sending domains:
- Publish a non-permissive DMARC record: start by publishing a DMARC record for the inactive domain with an enforced policy like p=reject.
- Enable reporting (Recommended): Even if your domain doesn’t send emails, attackers can still spoof it to send phishing messages. DMARC reports alert you when this happens.
- Publish a restrictive SPF record: Set v=spf1 -all to prevent email sending.
- Disable integrated email services: If the domain is still linked to external email servers, it may be a good call to restrict them if the domain is no longer in use.
Consequences of Not Securing Your Inactive Domains
Failing to implement DMARC for your non-sending domains can lead to various consequences, such as:
- Increased risk of spoofing and phishing attacks
- Damage to brand and domain reputation
- Domain abuse going unnoticed for lengthy periods of time
Single DMARC Record Per Domain
When configuring your DMARC record, it’s important to publish a single record entry per domain. Multiple DMARC records for a single domain can cause conflicts and unwarranted authentication failures!
Why Multiple DMARC Records Are a Problem
- Email authentication failures: Email receivers may not know which DMARC record to follow.
- Misconfigurations and inconsistencies: Conflicting policies (e.g., one record using p=none and another using p=reject) lead to unpredictable enforcement.
- Inaccurate reporting: DMARC reports may be incomplete or unreliable.
Best Practices for Correct DMARC Implementation
To ensure correct DMARC record configuration, here are the best practices for implementation:
- Publish a single record for DMARC per domain.
- Avoid configuring the DMARC sp tag unless you want your subdomains to have a different policy.
- Use a DMARC checker tool to validate your record after publishing it.
- Monitor your DMARC reports regularly to ensure suspicious activities aren’t going unnoticed.
Next Steps After Publishing a DMARC Record
After you are done publishing your DMARC record, your next step should be to focus on protecting your domain from scammers and impersonators. That is your main agenda when you are implementing security protocols and email authentication services.
Simply publishing a DMARC record with a p=none policy doesn’t offer any protection against domain spoofing attacks and email fraud. For that, you need to shift to DMARC enforcement.
To shift to DMARC enforcement, a gradual approach is your best bet to get ideal results without any negative impact on your deliverability. Here’s a step-by-step process you can follow:
- Start with a p=none policy, which is your monitoring mode.
- Enable DMARC reporting for your domain to analyze your email traffic and deliverability.
- Shift to quarantine, keeping pct (percentage) at 10, and gradually increase it to 100% over a span of a couple of weeks.
- Once you are confident in your setup, move to p=reject, keeping pct on the lowest percentage setting and then gradually increasing to full enforcement for 100% of your mail volume.
How to Simplify DMARC Record Management
For organizations operating multiple domains, or simply those who do not wish to indulge in the hassle of manually configuring and maintaining DMARC records, expert solutions can automate DMARC record management under a single roof. Powered by AI-driven Threat intelligence technology and detailed reporting, PowerDMARC has been helping 2000+ customers around the world simplify their DMARC journey.
Professional DMARC management solutions offer:
- Multi-domain, multi-client management from a single dashboard
- White-glove onboarding and expert support
- Certified for SOC2, ISO27001, and GDPR compliance
To get started, take a free Start Your Free 15-Day DMARC Protection Trial of the platform today!
Frequently Asked Questions About DMARC Records
1. How do I create a DMARC record for my domain?
To create a DMARC record: 1) Generate your DMARC record using a tool like PowerDMARC’s generator, 2) Access your DNS management console, 3) Create a new TXT record with the name “_dmarc” and paste your DMARC record as the value, 4) Save the changes and wait for DNS propagation (up to 48 hours).
2. What happens if I don’t have a DMARC record?
Without a DMARC record, your domain is vulnerable to spoofing and phishing attacks. Email providers like Gmail and Yahoo may reject emails from bulk senders without DMARC. Your domain reputation can be damaged by unauthorized use, and you’ll have no visibility into email authentication failures.
3. How do I pass DMARC verification?
To pass DMARC verification: 1) Ensure SPF and DKIM are properly configured, 2) Verify domain alignment between your From: header and SPF/DKIM domains, 3) Use a DMARC policy that allows legitimate emails (start with p=none), 4) Monitor DMARC reports to identify and fix authentication issues.
4. What does a typical DMARC record look like?
A basic DMARC record is published as a DNS TXT record at _dmarc.yourdomain.com and usually starts in monitoring mode. A common example looks like this:
v=DMARC1; p=none; rua=mailto:[email protected]
What this does:
- v=DMARC1 identifies the record as a DMARC policy.
- p=none enables monitoring without blocking emails.
- rua specifies where aggregate DMARC reports are sent.
This setup lets you observe authentication results and detect spoofing attempts without affecting email delivery. Once you’ve reviewed reports and confirmed all legitimate senders are aligned, you can gradually move to p=quarantine or p=reject for enforcement.
Cybersecurity Expert, CEO at PowerDMARC
Maitham is a tech entrepreneur, cybersecurity expert, CEO and Founder of PowerDMARC with 15+ years of industry experience. Maitham holds a Global MBA from the University of Manchester and various professional certifications including CISSP, CISM, CRISC, and ISC2 CCSP.
Latest posts by Maitham Al Lawati (see all)
- Email Phishing and DMARC Statistics: 2026 Email Security Trends - January 6, 2026
- How to Fix “No SPF record found” in 2026 - January 3, 2026
- SPF Permerror: How to Fix Too Many DNS Lookups - December 24, 2025
