DMARC Records
DMARC (Domain-based Message Authentication, Reporting & Conformance) ties SPF and DKIM together with a policy, telling receiving servers what to do when a message fails authentication — and giving you reports on what's being sent in your name.
Quick Start
For a straightforward, non-disruptive starting point, publish this basic record. It monitors authentication without affecting delivery:
| Type | Host | Value |
|---|---|---|
| TXT | _dmarc | v=DMARC1; p=none; sp=none; adkim=r; aspf=r; |
Key Components
DMARC records use several tags to control behavior:
| Tag | Meaning |
|---|---|
| v | Version — always DMARC1. |
| p | Policy — action on failed authentication: none, quarantine or reject. |
| rua / ruf | Optional reporting endpoints for aggregate and forensic reports. |
| adkim / aspf | Alignment settings for DKIM and SPF (r = relaxed, s = strict). |
Implementation Strategy
Take a gradual approach so you never accidentally block your own legitimate mail:
- Monitor
  Start with p=none and review the reports you receive.
- Confirm sources
  Verify that SPF and DKIM pass for every legitimate sender.
- Tighten policy
  Progressively move to p=quarantine and eventually p=reject as you gain confidence.
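As an added example (not part of the original documentation), this Python linter parses a DMARC TXT value using the tags above and reports which rollout step the record corresponds to, plus issues worth fixing before tightening the policy. The stage labels, function names and sample records are this example's own assumptions.

```python
# Added example: lint a DMARC TXT value using the tags described on this page.
POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}
# Stage labels are this example's own names for the rollout steps above.
STAGE = {"none": "monitor", "quarantine": "tighten", "reject": "enforce"}

def parse_dmarc(txt):
    """Split a TXT value into ordered (tag, value) pairs; a trailing ';' is fine."""
    pairs = []
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        tag, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        pairs.append((tag.strip().lower(), value.strip()))
    return pairs

def lint_dmarc(txt):
    """Return (stage, findings) for one DMARC record value."""
    pairs = parse_dmarc(txt)
    tags = dict(pairs)
    findings = []
    if not pairs or pairs[0] != ("v", "DMARC1"):
        findings.append("v=DMARC1 must be the first tag")
    policy = tags.get("p", "").lower()
    if policy not in POLICY_RANK:
        findings.append("p must be none, quarantine or reject")
    sub = tags.get("sp", "").lower()
    if "sp" in tags and sub not in POLICY_RANK:
        findings.append("sp must be none, quarantine or reject")
    elif sub in POLICY_RANK and policy in POLICY_RANK and POLICY_RANK[sub] < POLICY_RANK[policy]:
        findings.append(f"sp={sub} leaves subdomains weaker than p={policy}")
    for tag in ("adkim", "aspf"):  # both default to relaxed when absent
        if tags.get(tag, "r").lower() not in ("r", "s"):
            findings.append(f"{tag} must be r or s")
    if "rua" not in tags:
        findings.append("no rua tag: no aggregate reports will arrive")
    return STAGE.get(policy, "invalid"), findings

if __name__ == "__main__":
    samples = [  # constructed sample records
        "v=DMARC1; p=none; sp=none; adkim=r; aspf=r;",
        "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@example.com",
    ]
    for record in samples:
        print(record, "->", lint_dmarc(record))
```

Run against the quick-start record, it reports the `monitor` stage and flags the missing `rua` tag: without a reporting address there are no aggregate reports to review.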
Don't forward DMARC reports to Gmail
Avoid forwarding DMARC reports to Gmail addresses. Google doesn't accept forwarded DMARC reports from itself, which can harm deliverability for your domain.
Related Records
DMARC is the final piece of the authentication stack. Make sure your SPF Records and DKIM Records are configured first, and see Technical Configuration for the full picture.