A missing or misconfigured DMARC record leaves your domain open to email spoofing — attackers can send phishing emails that appear to come from your address with nothing blocking them. Yet publishing a p=reject policy without validating your SPF and DKIM setup first can block your own legitimate email. This guide covers how to validate your DMARC record correctly, what every tag means, the tools that catch errors before they cause problems, and how to safely progress from monitoring to full enforcement.
What is a DMARC record?
DMARC stands for Domain-based Message Authentication, Reporting, and Conformance. It is a DNS TXT record published at `_dmarc.yourdomain.com` that tells receiving mail servers what to do when an email claiming to be from your domain fails authentication checks. Without DMARC, anyone can send email that appears to come from your domain — a technique called domain spoofing that is used in phishing and business email compromise attacks.
A DMARC record does two things: it sets a policy (what action to take on failing messages) and it configures reporting (where to send summaries of authentication results). The policy can be `none` (monitor but take no action), `quarantine` (deliver to spam), or `reject` (block the message entirely). The reporting tags specify email addresses that receive daily XML aggregate reports from major mail providers.
The DMARC record structure
# Monitoring-only record (safe starting point)
v=DMARC1; p=none; rua=mailto:[email protected]
# Quarantine with partial enforcement and forensic reports
v=DMARC1; p=quarantine; pct=25; rua=mailto:[email protected]; ruf=mailto:[email protected]; adkim=r; aspf=r
# Full rejection — use only after confirming all senders pass
v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:[email protected]; adkim=s; aspf=s- v=DMARC1: Version tag — mandatory, must be first, exactly as written.
- p=: Policy applied to the domain — `none`, `quarantine`, or `reject`.
- sp=: Subdomain policy — overrides p= for subdomains if set.
- rua=: Aggregate report destination — a mailto: URI (or reporting service URI).
- ruf=: Forensic report destination — individual failure reports (less common, privacy implications).
- pct=: Percentage of messages to apply the policy to — useful for gradual rollout (1–100).
- adkim=: DKIM alignment mode — `r` (relaxed) or `s` (strict).
- aspf=: SPF alignment mode — `r` (relaxed) or `s` (strict).
Note
How DMARC works with SPF and DKIM
DMARC does not authenticate email on its own — it is an orchestration layer that sits on top of SPF and DKIM. When a receiving mail server gets an email claiming to be from your domain, it checks two things: did the message pass SPF or DKIM, and does the authenticated domain align with the From header domain? If at least one of the two passes and aligns, DMARC passes. If neither passes with alignment, the receiving server applies the policy in your DMARC record.
SPF authentication and alignment
SPF (Sender Policy Framework) authorises which mail servers are allowed to send email on behalf of your domain. The check happens against the SMTP envelope sender (the `MAIL FROM` address), not the visible From header. For DMARC alignment, the domain in the `MAIL FROM` must match (or be a subdomain of, in relaxed mode) the From header domain. When you send through a third-party service like Mailchimp or SendGrid, their return-path domain is often `mailchimp.com` — this breaks SPF alignment unless you configure a custom return-path subdomain. Use the SPF Record Validator to check your SPF record for syntax errors and lookup limit violations before relying on it for DMARC alignment.
DKIM authentication and alignment
DKIM (DomainKeys Identified Mail) adds a cryptographic signature to outgoing emails. The signature includes a `d=` tag specifying the signing domain. For DMARC alignment, the `d=` domain must match (or be a subdomain of, in relaxed mode) the From header domain. DKIM alignment is more robust for third-party senders because you can configure them to sign with your own domain rather than theirs. The DKIM Record Validator checks that the public key DNS record for a given selector is correctly formatted and accessible.
| Authentication | What it checks | Alignment target | Quasar Tools checker |
|---|---|---|---|
| SPF | Which servers can send for domain | MAIL FROM domain vs From header | SPF Record Validator |
| DKIM | Cryptographic message signature | d= tag domain vs From header | DKIM Record Validator |
| DMARC | Policy + alignment orchestration | Requires SPF or DKIM to align | DMARC Record Validator |
To pass DMARC authentication, messages must be authenticated by SPF or DKIM, and the authenticating domain must align with the domain in the From header.
Warning
How to validate your DMARC record
Validating a DMARC record requires checking three things: that the DNS record exists and is accessible, that the syntax is correct, and that SPF and DKIM are configured to support the alignment DMARC depends on. Each step can be done quickly with the right tools.
Look up your current DMARC record
In a terminal, run `dig TXT _dmarc.yourdomain.com` (Linux/macOS) or `nslookup -type=TXT _dmarc.yourdomain.com` (Windows). The output should include a TXT record starting with `v=DMARC1`. If there is no result, no DMARC record has been published. If you see a redirect or an error, check that you queried `_dmarc.yourdomain.com` with the underscore prefix.
Validate syntax with the DMARC Record Validator
Copy the raw DMARC record value (everything after the TXT record type in the DNS response) and paste it into the DMARC Record Validator. The tool checks that `v=DMARC1` comes first, that `p=` is present with a valid value, that any `rua=` or `ruf=` URIs are correctly formatted, and that percentage and alignment values are within allowed ranges. Errors are reported with the specific tag that failed.
Validate SPF and DKIM independently
Use the SPF Record Validator to check your SPF record for the lookup limit (maximum 10 DNS lookups — exceeding it causes SPF permerror), syntax errors, and missing mechanisms. Use the DKIM Record Validator with your selector and domain to confirm the public key record is correctly published. DMARC is only as strong as the SPF and DKIM records supporting it.
Plan your enforcement progression
Use the DMARC Policy Rollout Planner to map out a safe timeline for moving from `p=none` to `p=quarantine` to `p=reject`. The planner accounts for your current authentication pass rates and suggests a pct= percentage progression that minimises the risk of blocking legitimate mail during the transition.
DMARC Record Validator
Validate DMARC DNS records for syntax errors, invalid policy values, and missing required tags — browser-local with tag-level diagnostics.
Common DMARC errors and fixes
Most DMARC validation problems fall into predictable categories. Many are simple syntax issues that a validator catches immediately; others are more subtle configuration problems that require understanding alignment to diagnose correctly.
Syntax and tag errors
- Missing v=DMARC1 as first tag: The version tag must be the first field. If any other tag precedes it, the record is invalid.
- Missing p= tag: The policy tag is required. A record without p= is malformed and ignored by most mail servers.
- Invalid p= value: Only `none`, `quarantine`, and `reject` are valid. Any other value (e.g. `monitor`) causes the record to be rejected.
- Missing semicolons between tags: Tags must be separated by semicolons. A missing separator causes the parser to merge two tags into one invalid tag.
- Spaces around = signs: `p = none` (with spaces) is invalid in some parsers. Use `p=none` with no spaces.
- Invalid rua= URI format: The rua= value must be a valid `mailto:` URI. A plain email address without `mailto:` is a syntax error.
Alignment and authentication errors
Alignment errors are harder to diagnose than syntax errors because they require understanding the email headers. The most common scenario: you configured SPF correctly for direct sends from your own mail server, but when email is sent via a third-party marketing platform, the `MAIL FROM` uses the platform's domain — breaking SPF alignment. The fix is either to configure DKIM signing with your own domain on the third-party platform, or to set up a custom return-path subdomain that maps to your domain.
| Error | Symptom | Cause | Fix |
|---|---|---|---|
| No DMARC record | dig returns no TXT record | Record not published | Create TXT at _dmarc.yourdomain.com |
| Wrong DNS location | Record ignored by mail servers | _dmarc. prefix missing | Publish at _dmarc.yourdomain.com |
| Missing p= tag | Record treated as invalid | Required tag omitted | Add p=none, p=quarantine, or p=reject |
| SPF alignment failure | DMARC fails for 3rd-party senders | MAIL FROM domain mismatch | Configure custom return-path subdomain |
| DKIM alignment failure | DMARC fails despite valid DKIM | d= domain mismatch | Configure DKIM signing with your domain |
| SPF lookup limit exceeded | SPF permerror, DMARC fails | More than 10 DNS lookups | Use SPF Flatten Checker to consolidate |
| pct= out of range | Validator reports error | Value not between 1 and 100 | Set pct= to a valid integer 1–100 |
Tip
Moving from none to enforcement
The most common mistake in DMARC deployment is setting `p=reject` before confirming that all legitimate email streams are correctly authenticating. Emails from forgotten sending services — transactional email platforms, CRM tools, ticketing systems, partner integrations — will be silently blocked, and the sender may not notice until they receive complaint reports or users report missing emails.
The three-phase rollout
A safe DMARC rollout follows three phases. In Phase 1 (weeks 1–4), publish `p=none` with a `rua=` reporting address and review aggregate reports to identify all sending sources and their pass rates. In Phase 2 (weeks 5–10), move to `p=quarantine; pct=10` and gradually increase `pct=` as reports confirm pass rates improve — starting with 10% means only 10% of failing messages are quarantined, limiting blast radius. In Phase 3 (week 11+), move to `p=reject` once all legitimate senders consistently pass and your aggregate reports show minimal or no authentication failures from legitimate sources.
What to look for in aggregate reports
Aggregate reports show every source that sent email claiming to be from your domain. Look for your own mail servers, your email service providers, and any authorised third-party senders — all should show high pass rates for both SPF and DKIM. Any source with significant volume and low pass rates needs investigation: either it is a legitimate sender that needs its authentication fixed, or it is an unauthorised sender that enforcement should block. The DMARC Policy Rollout Planner guides you through interpreting these signals and choosing appropriate timing for each phase transition.
Warning
DMARC reporting and monitoring
DMARC reporting is the feedback loop that makes enforcement safe. Without aggregate reports, you are flying blind — you cannot know which sources are passing or failing authentication, or whether a recent sending infrastructure change broke something. Setting up reporting correctly is as important as setting up the policy itself.
Aggregate reports (rua=)
The `rua=` tag specifies a `mailto:` URI that receives daily XML aggregate reports from every major mail provider (Google, Microsoft, Yahoo, etc.) that handles email from your domain. Each report is a compressed XML file showing message counts, source IPs, SPF/DKIM/DMARC results, and policy disposition. The receiving address must be on the same domain as the DMARC record, or a cross-domain URI with a permission record published at the third-party domain. Most organisations use a dedicated DMARC reporting service rather than a direct inbox because raw XML reports require parsing tools to be useful.
Forensic reports (ruf=)
The `ruf=` tag configures forensic (failure) reports — individual copies of messages that fail DMARC. These contain more detail than aggregate reports but have privacy implications: they may include email headers, and some providers have stopped sending them due to GDPR considerations. Most DMARC practitioners use only `rua=` for aggregate data and omit `ruf=` unless forensic analysis of specific failure cases is needed.
Third-party DMARC reporting services
- Google Postmaster Tools: Free dashboard showing your domain's reputation and email authentication pass rates from Gmail's perspective.
- Postmark DMARC: Free aggregate report parser with a visual dashboard — good for getting started without a paid service.
- Dmarcian: Comprehensive paid platform with per-source analysis, authentication issue alerts, and rollout guidance.
- Valimail: Enterprise-grade DMARC platform with automated enforcement recommendations based on report analysis.
- EasyDMARC: Mid-market DMARC monitoring and management platform with actionable insights per sending source.
DMARC best practices
Following these practices ensures your DMARC deployment provides real protection without disrupting legitimate email, and that your configuration stays correct as your sending infrastructure evolves.
Always validate the full email authentication stack
A DMARC record is only as effective as the SPF and DKIM records supporting it. Validate all three together: use the DMARC Record Validator for the policy record, the SPF Record Validator to check mechanism syntax and the 10-lookup limit, and the DKIM Record Validator to confirm your public key is correctly published for each selector in use. Re-validate all three after any email infrastructure change — new sending service, domain migration, or SSL certificate renewal can all affect DKIM key publication.
Use relaxed alignment during transition
The default alignment mode for both SPF and DKIM is relaxed (`adkim=r; aspf=r`), which allows subdomains to satisfy alignment for the parent domain. This is the right setting during a rollout because many legitimate senders use subdomains of your domain for authentication. Only switch to strict alignment (`adkim=s; aspf=s`) if you have a specific security requirement and have confirmed all senders use exact domain matching — strict alignment with a single misconfigured sender breaks DMARC for every message that sender transmits.
- Start with p=none, never p=reject: Build confidence in your authentication pass rates before applying enforcement.
- Set up rua= before anything else: You cannot make informed policy decisions without aggregate report data.
- Check the DKIM selector-planning helper: Use the DKIM Selector Planning Helper when rotating DKIM keys to avoid overlap errors.
- Use pct= for gradual enforcement: Start at pct=10 when moving to quarantine or reject — this limits impact if something is misconfigured.
- Re-validate after every email platform change: Adding a new marketing tool, CRM, or ticketing system typically requires updating SPF and configuring DKIM.
- Monitor DNS propagation: After publishing or changing a DMARC record, use the DNS Propagation ETA Estimator to know when the change will be visible globally.
DMARC Policy Rollout Planner
Plan your DMARC enforcement progression from none to quarantine to reject with a step-by-step timeline based on your authentication data.
Key takeaways
- DMARC sits on top of SPF and DKIM — it sets the policy for failing messages and requires at least one of SPF or DKIM to align with the From header domain.
- Validate the full stack: use the DMARC Record Validator, SPF Record Validator, and DKIM Record Validator together.
- The most common errors are missing `p=` tag, invalid policy values, wrong DNS location (missing `_dmarc.` prefix), and SPF/DKIM alignment failures for third-party senders.
- Never jump straight to `p=reject` — start with `p=none`, analyse aggregate reports for 2–4 weeks, then progress to quarantine and reject gradually using `pct=`.
- Google and Yahoo 2024 bulk sender requirements mandate DMARC at `p=none` or above for senders exceeding 5,000 daily messages — but only `p=reject` actually blocks spoofed email.
- Set up `rua=` aggregate reporting from day one — you cannot make safe enforcement decisions without data on which sources are passing and failing authentication.
- Use the DMARC Policy Rollout Planner to map a safe, step-by-step path from monitoring to full enforcement.