Blog article
- 8 minutes read
- Kiara Saloojee
- DMARC Enthusiast
How to Create a DMARC TXT Record: Syntax, Tags, and Publishing
DMARC TXT record overview:
- A DMARC TXT record is published at
_dmarc.yourdomain.comand requires two tags:v=DMARC1andp= - Configure SPF and DKIM before publishing – if neither is working, enforcement will disrupt legitimate email
- Start with p=none to collect report data – moving to enforcement without reviewing reports can cause email disruption
A DMARC TXT record tells receiving servers what to do with emails that fail authentication – whether to deliver them, quarantine them, or reject them outright. Without one, anyone can send emails that appear to come from your domain.
DMARC builds on SPF and DKIM. Both should be configured and working before you create a DMARC record. If both SPF and DKIM are missing or broken, moving to enforcement will disrupt legitimate email delivery.
This guide covers DMARC record syntax, tag definitions, a working example, and how to publish and verify the record. If you’re setting up DMARC for the first time, this is the reference to start from.
One important note before you start: Publishing a DMARC TXT record with p=none doesn’t stop spoofing. It starts monitoring. Protection comes later, after you review report data and advance to p=reject.
What a DMARC TXT Record Looks Like
A DMARC TXT record is published at _dmarc.yourdomain.com – not the root domain.
Here is a minimal working example:
| Host | Type | Value |
|---|---|---|
_dmarc.yourdomain.com | TXT | v=DMARC1; p=reject; |
Every valid DMARC TXT record includes two elements:
v=DMARC1: The version identifierp=:The policy applied to the domain (none, quarantine, or reject)
Everything else is optional. Start with these two.
DMARC Record Syntax: Tags Explained
Understanding DMARC record syntax is the difference between a record that works and one that disrupts legitimate email. Each tag controls a specific function – here’s what they do.
Required Tags
| Tag | Purpose |
|---|---|
v=DMARC1 | Version identifier. Always the first tag. No alternatives. |
p= | Policy for the domain. |
Optional Tags (Commonly Used)
| Tag | Purpose |
|---|---|
ruf= | Destination for failure (RUF) reports. Generated for each message that fails DMARC. |
sp= | Subdomain policy. Overrides p= for subdomains. Useful when subdomain sending sources haven’t been fully mapped. |
adkim= | DKIM alignment mode. r (relaxed, default) or s (strict). Strict requires an exact domain match. |
aspf= | SPF alignment mode. r (relaxed, default) or s (strict). Same implications as adkim=. |
fo= | Forensic reporting options. Controls which failures generate RUF reports. fo=1 generates a report if either SPF or DKIM fails – recommended over the default fo=0. |
On alignment modes: Do not use strict alignment (adkim=s or aspf=s) as a default. Strict alignment fails relaxed matches and will reject or quarantine legitimate emails from subdomains and third-party senders. It is an advanced configuration suited to specific environments.
How to Create a DMARC TXT Record: Step-by-Step
1. Confirm SPF and DKIM Are Configured
DMARC passes if either SPF or DKIM passes alignment – but you should have both configured before moving to enforcement. A sender that relies on only one mechanism has no fallback if that mechanism fails. Verify that SPF covers your sending sources and that DKIM is signing outbound emails before you create the DMARC TXT record.
2. Choose Your Starting Policy
Start with p=none. This generates aggregate reports without affecting email delivery. Do not start with p=quarantine or p=reject before reviewing report data. You need visibility before you take action.
3. Set Your Reporting Destination
Configure rua= to a mailbox you control or a DMARC reporting service. Aggregate reports arrive daily and are the primary tool for mapping your sending infrastructure – every source sending email on behalf of your domain will appear in these reports.
4. Create the DMARC TXT Record
Combine the required tags into a single TXT record value.
For a new deployment:
| Host | Type | Value |
|---|---|---|
_dmarc.yourdomain.com | TXT | v=DMARC1; p=reject; rua=mailto:[email protected]; |
5. Publish the Record in the DNS
Create the DMARC TXT record at _dmarc.yourdomain.com in your DNS management console. A TTL of 3,600 seconds (one hour) is standard.
6. Verify the Record
Use a DNS lookup tool to confirm the record is live and correctly formatted.
Common DMARC TXT Record Mistakes to Avoid
Moving to Enforcement Too Early
DMARC passes if either SPF or DKIM is valid and aligned with the “From” domain. But if neither is correctly configured, every message fails – and under p=quarantine or p=reject, that means legitimate email goes to Spam or is blocked outright.
Ignoring Aggregate Reports
Without aggregate reports, there’s no visibility into what’s passing or failing. The monitoring phase is only useful if you act on the data.
Using Strict Alignment Without Testing
Strict alignment can cause legitimate emails from subdomains and third-party senders to fail DMARC. Start with relaxed – it’s the default for a reason.
Neglecting Subdomains
Subdomains that don’t have a dedicated sp= tag inherit the organizational domain policy. Subdomains used for sending need their own authentication review.
Continuously Monitoring Your DMARC TXT Record
Creating a DMARC TXT record starts the process. It doesn’t end it. The record generates data – that data requires review, interpretation, and action.
Aggregate reports are machine-readable XML files. For a single domain at low volume, manual review is manageable. As domain portfolios and sending infrastructure grow, the volume of report data and the number of sources to track exceed what teams can handle without tooling.
For companies managing multiple domains, distributed sending environments, or compliance requirements, manual DMARC management creates gaps: Sources are missed, subdomains are overlooked, and enforcement stalls because no one can confirm what’s still failing and why.
Teams that are already stretched can’t absorb that workload – and the audit trail needed to satisfy risk committees and regulators doesn’t build itself.
Visibility has to be continuous. Authentication configurations change when new tools are onboarded, DNS records are updated, or third-party senders modify their infrastructure. A DMARC TXT record that was accurate at launch may not reflect reality six months later.
From Record Setup to Full Enforcement
A DMARC TXT record is the starting point. Moving from p=none to p=reject – and maintaining it – requires continuous visibility across every sending source, domain, and subdomain.
Sendmarc’s DMARC Management gives security and IT teams what they need to reach and maintain full enforcement:
- Unified visibility into SPF, DKIM, and DMARC configurations across all domains
- Automated parsing and interpretation of aggregate report data
- Guided enforcement path with continuous monitoring across all sending sources
- Audit trails to support compliance and governance reporting
- Centralized control across departments, regions, and subsidiaries
See how Sendmarc simplifies DMARC management at scale.