June 30, 2026

How to Create a DMARC Record

Demystify DMARC. Learn how to create a DMARC record from scratch, understand syntax (v, p, rua, pct), and publish it to protect your domain.

How to Create a DMARC Record (Complete Guide)

If you’re learning how to create a DMARC record, you’re taking an important step toward protecting your domain from spoofing, phishing, and unauthorized use. DMARC, which stands for Domain-based Message Authentication, Reporting, and Conformance, works alongside SPF and DKIM to help receiving mail servers determine whether a message is legitimate.

A DMARC record may look technical at first glance, but it is really just a TXT record published in your DNS with a specific set of tags. Once you understand the anatomy of the record, creating one becomes much easier. In this guide, we’ll break down the syntax, walk through the setup process step by step, and show you how to publish a valid record with confidence.

Understanding DMARC Record Syntax

Before you publish anything, it helps to understand the structure of the record itself. A DMARC record is stored as a DNS TXT record at a special subdomain: _dmarc.yourdomain.com. The value is a semicolon-separated list of tags that tell receiving servers what to do with messages that fail authentication checks.

v=DMARC1 — Version

This is the required version tag and must always be included. It identifies the record as a DMARC policy record.

Example:

v=DMARC1

p= — Policy

The p tag defines how receiving servers should handle messages that fail DMARC evaluation. This is also required. The valid values are:

  • p=none — monitor only; no enforcement
  • p=quarantine — treat suspicious messages as spam or quarantine them
  • p=reject — reject unauthenticated messages outright

Example:

p=none

For organizations just starting out, p=none is often the safest first step because it allows you to collect reports before enforcing blocking actions.

rua= — Aggregate Reporting URI

The rua tag tells mail receivers where to send aggregate DMARC reports. These are typically XML files that summarize authentication results over a period of time. They are highly recommended because they help you see who is sending mail on behalf of your domain.

Example:

rua=mailto:dmarc-reports@yourdomain.com

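You can also send reports to a third-party analysis platform if needed. When the reporting address is on a different domain than yours, that domain must publish a DNS record authorizing it to receive reports for your domain; otherwise receivers will not send them.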

pct= — Percentage

The pct tag controls the percentage of failing messages to which the policy applies. This is optional, but useful when you want to roll out enforcement gradually.

Example:

pct=25

That means only 25% of failing messages will be subject to the policy. The default is 100 if omitted.

fo= — Failure Reporting Options

The fo tag specifies when forensic reports should be generated. It is optional and less commonly used today, but it can provide more detail on individual failures. Receivers act on it only when a ruf address is also published; without ruf, the tag is ignored.

Typical values include:

  • fo=0 — generate reports if both SPF and DKIM fail
  • fo=1 — generate reports if either SPF or DKIM fails
  • fo=d — generate reports for DKIM failures
  • fo=s — generate reports for SPF failures

Example:

fo=1

Creating Your First DMARC Record (Step-by-Step)

Now let’s walk through how to create a DMARC record from scratch in a practical way. The goal is to build a valid record, publish it, and then monitor the results before moving to a stricter policy.

Step 1: Define Your Email Sending Sources

Start by identifying every system that sends email using your domain. This includes:

  • Your primary mail server or Google Workspace / Microsoft 365
  • Marketing platforms like Mailchimp, HubSpot, or Salesforce
  • Transactional email services like SendGrid, Amazon SES, or Postmark
  • Internal applications, help desks, and CRMs

Make sure SPF and DKIM are properly configured for each sender. DMARC depends on alignment, which means the domain in the visible From address must match or align with the authenticated SPF or DKIM domain. If SPF or DKIM is misconfigured, DMARC may fail even for legitimate messages.

Step 2: Set Up a Dedicated Reports Mailbox

Before publishing your record, create a mailbox specifically for DMARC reports, such as dmarc-reports@yourdomain.com. Aggregate reports can be large and unreadable in raw XML form, so this mailbox should ideally forward into a DMARC analysis tool or be monitored by your security or email operations team.

If you plan to use a third-party parser, check whether it provides a unique reporting address. Either way, the mailbox should be dedicated so reports don’t get lost among regular email.

Step 3: Write the TXT Record Value

A basic starting DMARC record might look like this:

v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com

This record says:

  • Use DMARC version 1
  • Do not enforce blocking yet
  • Send aggregate reports to the specified mailbox

If you want to gradually introduce enforcement later, you might add pct=:

v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc-reports@yourdomain.com

A more detailed record might also include failure reporting:

v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com; fo=1

Keep the syntax exact. Semicolons separate tags, and each tag should be written without spaces around the equals sign.

Step 4: Publish the Record to Your DNS Zone

In your DNS provider’s control panel, create a new TXT record for the host name:

_dmarc

This typically resolves to _dmarc.yourdomain.com.

Then paste the DMARC value into the TXT record field. Save the record and wait for DNS propagation, which may take anywhere from a few minutes to 48 hours depending on the provider.

After publication, verify that only one DMARC record exists for the domain. Multiple records cause problems and can make the domain appear misconfigured to receivers.

Best Practices for a Strong DMARC Rollout

Once you’ve learned how to create a DMARC record, the next step is using it effectively. A cautious rollout protects deliverability while improving security.

Start in Monitoring Mode

Begin with p=none so you can observe authentication patterns without impacting mail delivery. Review reports to identify legitimate senders that are failing alignment.

Fix SPF and DKIM First

DMARC enforcement only works when your email sources are authenticated correctly. If a vendor sends mail on your behalf, ensure they are included in SPF and signing with DKIM using an aligned domain.

Move Gradually to Enforcement

After monitoring, shift to p=quarantine and then p=reject once you’re confident all legitimate sources pass DMARC. Use pct= if you want to test enforcement on a subset of messages first.

Review Reports Regularly

Aggregate reports reveal unauthorized senders, forwarding issues, and configuration drift. Make review a recurring process, not a one-time setup task.

Keep the Record Simple

You do not need every possible tag on day one. A clean, valid DMARC record is better than an overly complex one with syntax issues.

Using DMARC Generators vs Manual Creation

If you’re unsure about formatting or want to avoid syntax mistakes, a generator can save time and reduce risk. Manual creation is perfectly valid, but it requires careful attention to punctuation, tag order, and DNS record placement.

The yourDMARC Generator at https://www.yourdmarc.com/tools/dmarc-generator can help you build a correct record quickly. This is especially useful if you are new to DMARC or managing multiple domains. Benefits include:

  • Reducing typo risk in tags like v, p, rua, and pct
  • Helping you assemble a valid TXT string in the right format
  • Making it easier to test different policy values before publishing
  • Saving time for teams that manage email security at scale

If your main goal is to learn how to create a DMARC record while avoiding common formatting errors, a generator is a practical option. You can still review the output manually before publishing it to DNS.

Verification and Ongoing Maintenance

After your record is published, verify it with a DNS lookup tool or DMARC checker. Confirm that:

  • The TXT record exists at _dmarc.yourdomain.com
  • Only one DMARC record is present
  • The syntax is valid
  • Your reporting mailbox is receiving aggregate reports

From there, monitor authentication results and adjust your policy as your email environment matures. As senders are identified and fixed, you can confidently move toward stronger enforcement.
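
The syntax rules from the tag reference and Step 3, together with the "only one record" and "valid syntax" checks listed above, as an added Python example that is not code from the original page or from yourDMARC. The function names and message texts are assumptions; the input is the list of TXT strings a DNS lookup returns for _dmarc.yourdomain.com.

```python
import re

POLICIES = {"none", "quarantine", "reject"}
FO_VALUES = {"0", "1", "d", "s"}
MAILTO = re.compile(r"mailto:[^\s@,!]+@[^\s@,!]+(![0-9]+[kmgt]?)?", re.I)

def parse_tags(record):
    """Split 'v=DMARC1; p=none; ...' into ordered (tag, value) pairs."""
    pairs = []
    for part in record.split(";"):
        if part.strip():
            tag, _, value = part.partition("=")
            pairs.append((tag.strip().lower(), value.strip()))
    return pairs

def check_dmarc(txt_records):
    """txt_records: every TXT string found at _dmarc.<domain>.
    Returns a list of problems; an empty list means the set looks valid."""
    # Only strings that begin with the version tag count as DMARC records.
    dmarc = [r for r in txt_records if re.match(r"\s*v\s*=\s*DMARC1\s*(;|$)", r)]
    if len(dmarc) != 1:
        return [f"expected exactly one DMARC record, found {len(dmarc)}"]
    pairs = parse_tags(dmarc[0])
    tags = dict(pairs)
    problems = []
    if len(tags) != len(pairs):
        problems.append("duplicate tag")
    if tags.get("p", "").lower() not in POLICIES:
        problems.append("p must be none, quarantine or reject")
    pct = tags.get("pct", "100")  # default is 100 when omitted
    if not (re.fullmatch(r"[0-9]{1,3}", pct) and int(pct) <= 100):
        problems.append("pct must be an integer from 0 to 100")
    for tag in ("rua", "ruf"):  # comma-separated lists of report URIs
        for uri in filter(None, tags.get(tag, "").split(",")):
            if not MAILTO.fullmatch(uri.strip()):
                problems.append(f"{tag} entry is not a mailto: URI: {uri.strip()}")
    fo = tags.get("fo")
    if fo is not None:
        if not set(fo.lower().split(":")) <= FO_VALUES:
            problems.append("fo values must be 0, 1, d or s")
        if "ruf" not in tags:
            problems.append("warning: fo is ignored unless ruf is also set")
    return problems
```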

Creating DMARC is not a one-time task. It is an ongoing part of email security hygiene, especially for organizations that use multiple sending platforms.

FAQ

Can I have multiple DMARC records on one domain?

No. A domain must have only a single DMARC TXT record. If multiple DMARC records are found in DNS, receiving mail servers will ignore all of them, leaving your domain unprotected.

What is the difference between rua and ruf in DMARC?

rua is used to receive aggregate reports (daily XML summaries of sending IPs), while ruf is used for forensic reports (detailed real-time copies of individual failed emails). Most setups prioritize rua.
