A DMARC record is a single DNS TXT entry that publishes your email authentication policy. It lives at a fixed location, `_dmarc.yourdomain.com` (note the leading underscore), and any receiving mail server can look it up to learn how you want failing mail handled and where to send reports.

## Where does a DMARC record live?

Always at the `_dmarc` subdomain of the domain you're protecting. For `example.com`, the record sits at `_dmarc.example.com`. For a subdomain you send from, say `mail.example.com`, it would be `_dmarc.mail.example.com`, though most teams publish one record at the organizational domain and let it cover the subdomains. It's a TXT record, the same record type SPF uses, which is why anyone who has published [an SPF record](/blog/what-is-an-spf-record) will find the process familiar.

## What does a DMARC record look like?

Here's a straightforward one:

```text
v=DMARC1; p=none; rua=mailto:dmarc@example.com
```

Read left to right, that says: this is a DMARC version 1 record, apply no enforcement yet (monitor only), and send aggregate reports to dmarc@example.com. A more complete record might read:

```text
v=DMARC1; p=quarantine; sp=reject; rua=mailto:agg@example.com; ruf=mailto:forensic@example.com; adkim=s; aspf=r; pct=100
```

Every record is just a list of `tag=value` pairs separated by semicolons. Two are required (`v` and `p`); the rest are optional and have sensible defaults.

## What does each DMARC tag mean?

| Tag     | Required | What it does                                                    | Example                           |
| ------- | -------- | --------------------------------------------------------------- | --------------------------------- |
| `v`     | Yes      | Protocol version. Always `DMARC1`, and must come first.         | `v=DMARC1`                        |
| `p`     | Yes      | Policy for the main domain: `none`, `quarantine`, or `reject`.  | `p=quarantine`                    |
| `sp`    | No       | Policy for subdomains, when you want it to differ from `p`.     | `sp=reject`                       |
| `rua`   | No       | Where aggregate (summary) reports are sent.                     | `rua=mailto:agg@example.com`      |
| `ruf`   | No       | Where forensic (per-message failure) reports are sent.          | `ruf=mailto:forensic@example.com` |
| `adkim` | No       | DKIM alignment mode: `r` relaxed (default) or `s` strict.       | `adkim=s`                         |
| `aspf`  | No       | SPF alignment mode: `r` relaxed (default) or `s` strict.        | `aspf=r`                          |
| `pct`   | No       | Percent of failing mail the policy applies to (default 100).    | `pct=25`                          |
| `fo`    | No       | Forensic reporting options: when a failure report is generated. | `fo=1`                            |
| `ri`    | No       | Aggregate reporting interval in seconds (default 86400).        | `ri=86400`                        |

The two you'll touch most are `p` and `rua`. `p` is your enforcement level, and choosing it well is the heart of a good rollout (the full breakdown is in [what is a DMARC policy](/blog/what-is-a-dmarc-policy)). `rua` is the address that receives the daily summaries you'll actually learn from.

## What's the difference between rua and ruf?

`rua` collects aggregate reports: XML summaries, usually one per day from each provider, covering all the mail they saw under your domain. This is the stream worth watching. `ruf` collects forensic reports, which are copies (often redacted) of individual messages that failed. Many providers don't send forensic reports at all for privacy reasons, so don't be surprised by a quiet `ruf` mailbox. When the reports start arriving, [how to read a DMARC report](/blog/how-to-read-a-dmarc-report) walks through the fields.

## What do the alignment tags do?

`adkim` and `aspf` control how exact the domain match has to be. Relaxed (`r`) lets a subdomain match the organizational domain, so `mail.example.com` aligns with `example.com`. Strict (`s`) demands an exact match. Relaxed is the default and the right choice for almost everyone; reach for strict only when you have a specific reason. Alignment is the mechanism that makes DMARC stronger than SPF or DKIM used alone, and [how DMARC works](/blog/how-does-dmarc-work) explains why.

## How do you publish and check it?

You add the TXT record through your DNS host, then confirm it resolves. The step-by-step, including a cPanel walkthrough, is in [how to set up DMARC](/blog/how-to-set-up-dmarc). If you send through Bird, DKIM and SPF alignment are set up through your sending-domain records, so publishing this DMARC record and pointing `rua` at a mailbox you watch is most of the job. The [authentication guide](/docs/guides/email/dkim-spf-dmarc) in the docs has the Bird-specific details.

A DMARC record is small, but it's doing a lot of work in one line. Get the `p` and `rua` right and you can refine everything else later.