How to Create a DMARC Record (with Examples)

TL;DR: A DMARC record is a single TXT record published at _dmarc.yourdomain.com. The two tags you must have are v=DMARC1 and a policy p=; everything else is optional. A safe starter is v=DMARC1; p=none; rua=mailto:[email protected]. Below is every tag explained, plus copy-paste examples. Scan your domain free after you publish to confirm it's valid.

Where the record goes

Create a TXT record with the host/name _dmarc (so it resolves at _dmarc.yourdomain.com) and paste the DMARC value. Just one DMARC record per domain.

Every DMARC tag, explained

Copy-paste examples

Safe starter (monitor only):

v=DMARC1; p=none; rua=mailto:[email protected]

Enforcement (after you've confirmed your senders pass):

v=DMARC1; p=reject; rua=mailto:[email protected]; sp=reject; adkim=s; aspf=s

Parked / non-sending domain:

v=DMARC1; p=reject; rua=mailto:[email protected]

Replace the email with a mailbox you actually check. Don't jump straight to reject on a sending domain — move there in stages so you don't block real mail.

After you publish

1. Wait for DNS to propagate (minutes to a couple of hours).
2. Scan your domain to confirm the record is valid and detected.
3. Watch your aggregate reports and tighten the policy over time.

FAQ

What's the minimum valid DMARC record?

v=DMARC1; p=none is technically valid, but always add rua= so you actually receive reports.

Do I need ruf and fo?

No — forensic reporting is rarely supported and optional. Start with rua.

Can I generate it automatically?

You can, but the tags above are all there is — picking your policy and a reporting mailbox is the only real decision.

Want it set up and tuned for you? Scan your domain, then reply to your report — we're developers and we'll publish the right DMARC record and take it to enforcement safely.