There are many tags you can include in your Domain-based Message Authentication, Reporting, and Conformance (DMARC) record.
For help creating a DMARC record, use Kitterman's DMARC Record Assistant.
Required tags
- v: This is the version tag that identifies the record retrieved as a DMARC record. Its value must be DMARC1, and it must be listed first in the DMARC record.
- p: This is the tag that indicates the requested policy you wish mailbox providers to apply when your email fails DMARC authentication and alignment checks. The policy is applied to a primary domain (example.com) and all of its subdomains (m.example.com, b.example.com, etc.), unless the sp tag is used (see below) with a different policy value. Learn more about the different policy values here. The different policy values are:
  - none
  - quarantine
  - reject
Optional but recommended tags
- rua=mailto:address@company.com: This is a tag that lets mailbox providers know where you want aggregate reports to be sent. Aggregate reports provide visibility into the health of your email program by helping to identify potential authentication issues or malicious activity. These reports contain higher level information and are sent by participating mailbox providers daily.
- fo: This is a tag that lets mailbox providers know you want message samples of emails that failed SPF and/or DKIM. There are four value options available:
  - 0: Generate a DMARC failure report if all underlying authentication mechanisms (SPF and DKIM) fail to produce an aligned “pass” result. (default)
  - 1: Generate a DMARC failure report if any underlying authentication mechanism (SPF or DKIM) produced something other than an aligned “pass” result. (recommended)
  - d: Generate a DKIM failure report if the message had a signature that failed evaluation, regardless of its alignment.
  - s: Generate an SPF failure report if the message failed SPF evaluation, regardless of its alignment.
Optional tags
- sp: This tag is used to indicate a requested policy for all subdomains where mail is failing the DMARC authentication and alignment checks. It is most effective when a domain owner wants to specify different policies for the primary domain and all subdomains. The policy options are the same as the "p" tag listed above. If this tag is not used for subdomains, the policy set using the p tag will apply to the primary domain and all of its subdomains.
- adkim: Indicates strict (s) or relaxed (r) DKIM identifier alignment. The default is relaxed (r).
- aspf: Indicates strict (s) or relaxed (r) SPF identifier alignment. The default is relaxed (r).
- pct: The percentage of messages to which the DMARC policy is to be applied. This tag provides a way to gradually implement and test the impact of the policy.
  - Values are integers ranging from 1 to 100. The default value is 100.
- ruf=mailto:address@company.com: This tag lets mailbox providers know where you want your forensic (message-level) reports to be sent. Forensic reports are more detailed and are intended to be delivered by mailbox providers almost immediately after detecting a DMARC authentication failure. However, due to potential privacy and performance concerns, most mailbox providers do not send them.
- rf: Format for message failure reports. The default is Authentication Failure Reporting Format, or “afrf.” Afrf is the only value supported at this time.
- ri: The number of seconds elapsed between sending aggregate reports to the sender. The default value is 86400 seconds, which is equivalent to one day. Participating mailbox providers that are able to accommodate sending more than one aggregate report per day will provide more frequent reports on a best-effort basis.
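
The tag rules above can be checked mechanically before a record is published. The following is an added example, not code from this page or from any DMARC tool: a small linter that applies the defaults and value rules listed above. The function name `parse_dmarc` and the sample records are constructed for illustration, and the colon-separated form of fo comes from RFC 7489 rather than from this page.

```python
# Added example: lint a DMARC TXT record against the tag rules listed above.
DEFAULTS = {"fo": "0", "adkim": "r", "aspf": "r", "pct": "100",
            "rf": "afrf", "ri": "86400"}
POLICIES = {"none", "quarantine", "reject"}

# Constructed sample records (not taken from any real domain).
GOOD = "v=DMARC1; p=quarantine; sp=reject; rua=mailto:address@company.com; fo=1; pct=25"
BAD = "p=monitor; v=DMARC1; pct=0; adkim=x; rua=address@company.com"

def _int_in(value, low, high):
    return value.isascii() and value.isdigit() and low <= int(value) <= high

def parse_dmarc(record):
    """Return (tags with defaults applied, list of problems)."""
    pairs = []
    for part in record.split(";"):
        if part.strip():
            name, _, value = part.partition("=")
            pairs.append((name.strip(), value.strip()))
    problems = []
    if not pairs or pairs[0] != ("v", "DMARC1"):
        problems.append("v=DMARC1 must be the first tag")
    tags = {**DEFAULTS, **dict(pairs)}
    if tags.get("p") not in POLICIES:
        problems.append("p is required: none, quarantine or reject")
    if "sp" in tags and tags["sp"] not in POLICIES:
        problems.append("sp must be none, quarantine or reject")
    tags.setdefault("sp", tags.get("p"))  # subdomains inherit p when sp is absent
    for name in ("adkim", "aspf"):
        if tags[name] not in ("r", "s"):
            problems.append(f"{name} must be r (relaxed) or s (strict)")
    if not _int_in(tags["pct"], 1, 100):  # range as stated on this page
        problems.append("pct must be an integer from 1 to 100")
    # RFC 7489 allows several fo options separated by colons, e.g. fo=d:s
    if not set(tags["fo"].split(":")) <= {"0", "1", "d", "s"}:
        problems.append("fo options must be 0, 1, d or s")
    if tags["rf"] != "afrf":
        problems.append("rf: afrf is the only supported format")
    if not _int_in(tags["ri"], 0, 2**32 - 1):
        problems.append("ri must be a number of seconds")
    for name in ("rua", "ruf"):  # this page only shows mailto: destinations
        uris = tags.get(name, "mailto:").split(",")
        if not all(u.strip().startswith("mailto:") for u in uris):
            problems.append(f"{name}: expected mailto: addresses")
    if "rua" not in tags:
        problems.append("no rua: aggregate reports will not be delivered")
    return tags, problems

if __name__ == "__main__":
    for rec in (GOOD, BAD):
        print(rec, "->", parse_dmarc(rec)[1] or "ok")
```

The returned tags dictionary shows the effective record, including inherited and default values, which is useful when reviewing what a mailbox provider will actually apply.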