DMARC record tags explained: p, rua, ruf, pct, adkim, aspf, and more

A DMARC record is a semicolon-separated list of tags published as TXT at _dmarc.yourdomain.com. Only v and p are required, but reporting, subdomain, percentage, and alignment tags control how useful and how strict the policy becomes. Most domains need fewer custom tags than online generators suggest.

Updated July 14, 2026

A minimal, useful DMARC record

v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com
A monitoring record with aggregate reporting.

Publish this at _dmarc.example.com. v=DMARC1 must appear first, p=none requests monitoring-only treatment, and rua= provides the destination for aggregate reports. When the reports show all legitimate senders aligned, change the policy deliberately.

Core policy and reporting tags

TagPurposePractical guidance
vProtocol versionRequired; use DMARC1 and place it first
pPolicy for the organizational domainRequired; none, quarantine, or reject
ruaAggregate-report destination(s)Strongly recommended; use a mailbox or DMARC processor built for XML volume
rufForensic/failure-report destination(s)Optional and inconsistently supported; consider privacy implications
spPolicy for subdomainsOptional; defaults to p when omitted
pctPercentage of failing messages subject to policyDefaults to 100; use staged values only with a clear rollout plan

Alignment and report-behavior tags

TagValuesDefault and effect
adkimr or sRelaxed by default; controls DKIM domain alignment
aspfr or sRelaxed by default; controls SPF domain alignment
fo0, 1, d, s combinationsControls when failure reports are requested; useful only where ruf is supported
riSecondsRequested aggregate-report interval; receivers may ignore it, default 86400

Relaxed alignment is the correct default for most organizations: mail.example.com can align with example.com. Strict alignment is not automatically more secure in a meaningful way, but it is easier to break when subdomains are intentionally used for sending.

Safe records for each rollout stage

# Observe
v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com

# Enforce cautiously
v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com

# Full enforcement
v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com
Keep the record readable. Add optional tags only when they solve a real requirement.

A pct= rollout can reduce policy application during transition, but it also leaves part of the spoofed stream untreated and is not a substitute for analyzing reports. Many teams prefer a clean policy progression from none to quarantine to reject after fixing known sources.

Mistakes that invalidate or weaken a record

  • Publishing DMARC at the root instead of _dmarc.
  • Publishing more than one DMARC record at the same name.
  • Misspelling DMARC1, placing another tag before v, or using an unsupported policy value.
  • Sending reports to an external domain without the authorization record that receivers may require.
  • Using p=none indefinitely and assuming it blocks spoofing.
  • Adding strict alignment without checking legitimate subdomain senders.
  • Sending reports to an ordinary personal inbox that cannot process XML volume safely.

Use the DMARC generator to avoid syntax mistakes, then verify the public record with the DMARC checker. For the rollout itself, follow how to set up DMARC.

Sources and further reading

Common questions

Which DMARC tags are required?+

`v=DMARC1` and a valid `p=` policy are required. Reporting tags are optional in the syntax, though `rua=` is strongly recommended because reports make safe enforcement possible.

What does rua mean?+

It specifies one or more addresses for aggregate DMARC reports, usually daily XML summaries of sending sources and authentication results.

Should I add ruf?+

Only with a clear need and a destination able to handle sensitive failure reports. Support is inconsistent, and privacy policies may limit what receivers send.

Do I need adkim=s and aspf=s?+

Usually no. Relaxed alignment is the standard default and works well for legitimate subdomains. Strict mode can create avoidable failures without materially improving most deployments.