DMARC Tags: Explanation and Examples
DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an email authentication protocol that tells receiving mail servers how messages failing email authentication must be treated and lets domain owners receive reports containing valuable information about their email sources and sent messages.
DMARC Record Explained
DMARC is implemented by publishing a TXT DNS record for a domain. A DMARC record consists of a series of tags and their values separated by semicolons. Through these tags, domain owners control options such as the policy applied to non-compliant messages, where reports are delivered, the alignment mode, and others.
DMARC record examples:
v=DMARC1; p=reject; rua=mailto:agg@glockapps.com; ruf=mailto:for@glockapps.com; fo=1;
v=DMARC1; p=none; sp=quarantine; rua=mailto:agg@glockapps.com; fo=1; adkim=r; aspf=r
v=DMARC1; p=none;
DMARC Tags Meaning
Incorrectly utilized DMARC tags may make your DMARC record invalid or lead to DMARC failures for your legitimate messages. Therefore, it is important to understand the function of each DMARC tag in order to implement a DMARC protocol properly and make the most out of it.
There are required and optional DMARC tags. When creating a DMARC record, you cannot omit the required tags, which are:
v – a DMARC record always starts with the v= tag that represents the protocol version. Currently it is always v=DMARC1;
p – a DMARC p= tag specifies the policy to be applied to DMARC non-compliant messages. Three policy values are available:
- None – monitoring mode; no special instruction is given to email receivers, and failing emails are handled according to the receiver's normal filtering rules. Example: p=none;
- Quarantine – enforced policy, which tells email receivers to quarantine (send to Junk) an email failing DMARC authentication. Example: p=quarantine;
- Reject – enforced policy, which tells email receivers to reject an email failing DMARC authentication before it reaches the recipient’s mailbox. Example: p=reject;
Thus, the simplest DMARC record could be
v=DMARC1; p=none;
You can specify additional instructions for email receivers by utilizing optional tags in a DMARC record. These tags include:
sp – a DMARC sp tag specifies the policy to be applied to non-compliant messages sent from subdomains. Without this tag, the value in the p= tag is to be applied to subdomains.
Example: v=DMARC1; p=none; sp=reject;
pct – a DMARC pct tag specifies the percent of non-compliant messages, to which the policy is to be applied. In the example below, the Reject policy will be applied to 25% of emails failing DMARC. If not specified, the default value of 100 is used.
Example: v=DMARC1; p=reject; pct=25;
rua – a DMARC rua tag designates the email addresses to which DMARC aggregate reports are to be sent. Each address must carry the mailto: prefix, and multiple addresses are separated by commas.
Example: v=DMARC1; p=reject; pct=25; rua=mailto:agg@glockapps.com, mailto:user@testdomain.com;
ruf – a DMARC ruf tag designates the email addresses to which DMARC failure/forensic reports are to be sent. Each address must carry the mailto: prefix, and multiple addresses are separated by commas.
Example: v=DMARC1; p=reject; pct=25; rua=mailto:agg@glockapps.com, mailto:user@testdomain.com; ruf=mailto:for@glockapps.com, mailto:user@testdomain.com;
Although the DMARC standard doesn't limit the number of email addresses that can be used in the rua and ruf tags, email receivers typically send the reports to the first two addresses defined in each tag and skip the others.
fo – a DMARC fo tag designates the type of failure/forensic reports to be generated and sent. By utilizing the fo= tag, senders can choose to receive only specific reports focused on DKIM or SPF issues.
The fo tag can have these values:
- 0 (fo=0): generate a DMARC forensic report only if both SPF alignment and DKIM alignment fail to return the "pass" result. This is the default value if the fo tag is not specified in the record;
- 1 (fo=1): generate a DMARC forensic report if either SPF alignment or DKIM alignment returns a result other than “pass”. This is a recommended option as it provides an optimal scheme to be alerted of any authentication issues;
- d (fo=d): generate a DKIM failure report if an email fails evaluation by DKIM, regardless of the alignment. This option is useful for senders concerned about DKIM authentication issues;
- s (fo=s): generate an SPF failure report if an email fails evaluation by SPF, regardless of the alignment. This option is useful for senders concerned about SPF authentication issues.
To combine different values in one tag, separate them with colons.
Example:
v=DMARC1; p=reject; rua=mailto:agg@glockapps.com; ruf=mailto:for@glockapps.com; fo=0:d:s;
Note that the fo tag is ignored if the ruf tag is not present in the record.
adkim – a DMARC adkim tag designates the DKIM Identifier Alignment mode. It has two values:
- r: relaxed mode, which means the organizational domains utilized in the email’s “From” header and in the DKIM signature must match. This is the recommended mode as it allows a safe utilization of subdomains.
- s: strict mode, which means the exact match of the domains utilized in the email’s “From” header and in the DKIM signature.
If adkim is not specified in the record, email receivers will use the relaxed mode by default.
aspf – a DMARC aspf tag designates the SPF Identifier Alignment mode. It has two values:
- r: relaxed mode, which means the organizational domains utilized in the email’s “From” header and in the “Return-Path” header must match. This is the recommended mode as it allows a safe utilization of subdomains.
- s: strict mode, which requires an exact match between the domains utilized in the email's "From" header and in the "Return-Path" header.
If aspf is not specified in the record, email receivers will use the relaxed mode by default.
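To make the fo options and the relaxed/strict alignment modes concrete, here is an added example (not code from the GlockApps article) that evaluates one message the way a receiver would: it checks identifier alignment for SPF and DKIM, decides the overall DMARC result, and reports which fo= options would trigger a failure report. Organizational-domain detection is simplified to "the last two DNS labels" (an assumption; real receivers consult the Public Suffix List), and all domains and authentication results are constructed inputs.

```python
# Added example: DMARC identifier alignment and fo= report triggering.
# Not from the GlockApps article; the organizational-domain rule is simplified
# (last two labels) instead of using the Public Suffix List.


def organizational_domain(domain: str) -> str:
    """Simplified organizational domain: keep the last two DNS labels.
    Assumption: good enough for example.com-style names, not for co.uk-style."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """adkim/aspf alignment: 's' needs an exact match, 'r' an org-domain match."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    if mode == "r":
        return organizational_domain(from_domain) == organizational_domain(auth_domain)
    raise ValueError(f"unknown alignment mode: {mode!r}")


def _aligned_passes(from_domain, spf_result, spf_domain, dkim_result, dkim_domain,
                    aspf, adkim):
    """Return (spf_aligned_pass, dkim_aligned_pass) for one message."""
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, aspf)
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, adkim)
    return spf_ok, dkim_ok


def dmarc_passes(from_domain, spf_result, spf_domain, dkim_result, dkim_domain,
                 aspf="r", adkim="r") -> bool:
    """DMARC passes when at least one of SPF or DKIM passes AND is aligned.
    spf_domain is the Return-Path (MAIL FROM) domain, dkim_domain the d= tag."""
    spf_ok, dkim_ok = _aligned_passes(from_domain, spf_result, spf_domain,
                                      dkim_result, dkim_domain, aspf, adkim)
    return spf_ok or dkim_ok


def failure_report_triggered(fo, from_domain, spf_result, spf_domain,
                             dkim_result, dkim_domain, aspf="r", adkim="r") -> set:
    """Return the subset of the colon-separated fo= options that fire."""
    options = set(fo.split(":"))
    spf_ok, dkim_ok = _aligned_passes(from_domain, spf_result, spf_domain,
                                      dkim_result, dkim_domain, aspf, adkim)
    fired = set()
    if "0" in options and not spf_ok and not dkim_ok:   # both aligned checks failed
        fired.add("0")
    if "1" in options and (not spf_ok or not dkim_ok):  # either aligned check failed
        fired.add("1")
    if "d" in options and dkim_result != "pass":        # raw DKIM failure, alignment ignored
        fired.add("d")
    if "s" in options and spf_result != "pass":         # raw SPF failure, alignment ignored
        fired.add("s")
    return fired


if __name__ == "__main__":
    # Constructed message: From example.com, SPF passes on a bounce subdomain,
    # DKIM signature broken. Relaxed alignment lets SPF carry the DMARC pass.
    args = ("example.com", "pass", "bounce.example.com", "fail", "example.com")
    print("DMARC pass:", dmarc_passes(*args))
    for fo in ("0", "1", "0:d:s"):
        print(f"fo={fo} fires:", sorted(failure_report_triggered(fo, *args)))
```

The sample run shows why the article recommends fo=1: with a broken DKIM signature but an aligned SPF pass, fo=0 stays silent (the message still passes DMARC), while fo=1 and fo=d surface the DKIM problem before it becomes a delivery failure.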
Example:
v=DMARC1; p=reject; rua=mailto:agg@glockapps.com; ruf=mailto:for@glockapps.com; fo=0:d:s; adkim=s; aspf=r;
rf – designates the format for failure/forensic reports. The default value is “afrf” (Authentication Failure Reporting Format), which is the only value currently supported. If the rf tag has a different value, an email receiver should ignore the rf tag or the entire DMARC record.
ri – a DMARC ri tag designates the interval between aggregate reports in seconds. The default value is 86400 (24 hours).
Example:
v=DMARC1; p=reject; rua=mailto:agg@glockapps.com; ruf=mailto:for@glockapps.com; fo=0:d:s; adkim=s; aspf=r; rf=afrf; ri=86400;
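The tag descriptions above amount to a small grammar plus a table of defaults, which is easiest to verify in code. The following is an added example, not part of the article and not GlockApps' checker: it parses a DMARC TXT record into tags, fills in the defaults listed above (pct=100, fo=0, adkim=r, aspf=r, rf=afrf, ri=86400, sp falling back to p), rejects invalid values, and warns about the pitfalls the article mentions (fo= without ruf=, more than two report addresses, an unsupported rf=). The disposition function additionally applies the pct= sampling rule from RFC 7489 section 6.6.4, which is not stated in the article: messages outside the sampled percentage get the next less strict policy. The record fed to it at the bottom is constructed from the article's second example.

```python
# Added example: parse, validate and apply a DMARC record.
# Not from the GlockApps article; the pct= downgrade rule is taken from
# RFC 7489 section 6.6.4 (assumption noted here, not in the article).

REQUIRED = ("v", "p")
POLICIES = ("none", "quarantine", "reject")
DEFAULTS = {"pct": "100", "fo": "0", "adkim": "r", "aspf": "r",
            "rf": "afrf", "ri": "86400"}


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value; ...' into a dict (first occurrence wins)."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue                      # tolerate a trailing semicolon
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags.setdefault(key.strip().lower(), value.strip())
    return tags


def report_addresses(value: str) -> list:
    """rua=/ruf= value: comma-separated mailto: URIs; return the bare addresses."""
    addresses = []
    for uri in value.split(","):
        uri = uri.strip()
        if not uri.lower().startswith("mailto:"):
            raise ValueError(f"report URI must use the mailto: prefix: {uri!r}")
        addresses.append(uri[len("mailto:"):])
    return addresses


def validate_dmarc(record: str):
    """Return (effective_tags, warnings); raise ValueError for an invalid record."""
    tags = parse_dmarc(record)
    warnings = []
    if not record.lstrip().lower().startswith("v="):
        raise ValueError("record must start with the v= tag")
    for tag in REQUIRED:
        if tag not in tags:
            raise ValueError(f"required tag missing: {tag}=")
    if tags["v"] != "DMARC1":
        raise ValueError(f"unsupported version: {tags['v']!r}")
    for tag in ("p", "sp"):
        if tag in tags and tags[tag] not in POLICIES:
            raise ValueError(f"{tag}= must be one of {POLICIES}, got {tags[tag]!r}")
    for tag in ("adkim", "aspf"):
        if tag in tags and tags[tag] not in ("r", "s"):
            raise ValueError(f"{tag}= must be r or s, got {tags[tag]!r}")

    # sp= falls back to p=; everything else falls back to the protocol defaults.
    effective = {**DEFAULTS, "sp": tags["p"], **tags}
    effective["pct"] = int(effective["pct"])
    effective["ri"] = int(effective["ri"])
    if not 0 <= effective["pct"] <= 100:
        raise ValueError("pct= must be between 0 and 100")
    unknown_fo = set(effective["fo"].split(":")) - {"0", "1", "d", "s"}
    if unknown_fo:
        raise ValueError(f"unknown fo= options: {sorted(unknown_fo)}")

    for tag in ("rua", "ruf"):
        if tag in tags:
            effective[tag] = report_addresses(tags[tag])
            if len(effective[tag]) > 2:
                warnings.append(f"{tag}= lists more than two addresses; "
                                "receivers typically use only the first two")
    if "fo" in tags and "ruf" not in tags:
        warnings.append("fo= has no effect because no ruf= address is set")
    if effective["rf"] != "afrf":
        warnings.append("rf= is not 'afrf'; receivers may ignore the tag or the whole record")
    return effective, warnings


def disposition(effective: dict, is_subdomain: bool, sample: int) -> str:
    """Policy a receiver applies to a message that failed DMARC.

    `sample` is a constructed 0-99 draw standing in for the receiver's random
    pct= sampling; draws at or above pct= get the next less strict policy
    (RFC 7489 section 6.6.4, not stated in the article).
    """
    policy = effective["sp"] if is_subdomain else effective["p"]
    if sample >= effective["pct"]:
        policy = {"reject": "quarantine", "quarantine": "none", "none": "none"}[policy]
    return policy


if __name__ == "__main__":
    # Constructed record based on the article's second example: fo=1 is set
    # but no ruf= address is present, so the validator should warn about it.
    record = ("v=DMARC1; p=none; sp=quarantine; rua=mailto:agg@glockapps.com; "
              "fo=1; adkim=r; aspf=r")
    effective, warnings = validate_dmarc(record)
    print(effective)
    for warning in warnings:
        print("warning:", warning)
```

Running it against the article's own second example is instructive: the record is valid, but the validator reports that fo=1 does nothing there because no ruf= address is configured, which is exactly the "ignored tag" situation the fo section describes.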
How to Test a DMARC Record
To verify if a domain has a published DMARC record, domain owners can use DMARC checker tools. The free DMARC Checker at GlockApps instantly shows the DMARC record found for the domain, provides the explanation of the tags used in the record, and returns a detailed analysis of the test.
How to Generate a DMARC Record
Creating a DMARC record for a domain is made easy with GlockApps DMARC Analyzer. It takes 3 steps:
- Enter your domain name.
- Choose DMARC options: policy, policy for subdomains, and alignment mode.
- Receive the DMARC record value.
Publish the DMARC record in DNS to comply with the latest sender standards.
A DMARC record will contain the email addresses pointing to GlockApps, which means we will process DMARC aggregate and forensic reports for your domain and show you the data in a comprehensive dashboard.
You will get visibility into your email sources (known, unknown, and forwarded), email authentication outcomes, and email traffic. This data helps in identifying domain spoofing, authentication failures, and account compromise, and allows you to enforce a DMARC policy safely.
Conclusion
DMARC is now a required authentication protocol for the domains sending messages using Google, Yahoo, and Microsoft servers. It is important to understand different DMARC tags and their functions in order to create a good DMARC record for your domain.
DMARC gives email senders a good opportunity to receive reports with valuable data about their sending sources and their DMARC-compliant and non-compliant messages. Domain owners are encouraged to examine the data in the reports to keep control of their domains' outbound traffic and promptly spot domain spoofing attacks.