
What is a DMARC Record?

A DMARC record is a single DNS TXT entry that publishes your email authentication policy. It lives at a fixed location, _dmarc.yourdomain.com (note the leading underscore), and any receiving mail server can look it up to learn how you want failing mail handled and where to send reports.

Where does a DMARC record live?

Always at the _dmarc subdomain of the domain you're protecting. For example.com, the record sits at _dmarc.example.com. For a subdomain you send from, say mail.example.com, it would be _dmarc.mail.example.com, though most teams publish one record at the organizational domain and let it cover the subdomains. It's a TXT record, the same record type SPF uses, which is why anyone who has published an SPF record will find the process familiar.

What does a DMARC record look like?

Here's a straightforward one:

v=DMARC1; p=none; rua=mailto:dmarc@example.com

Read left to right, that says: this is a DMARC version 1 record, apply no enforcement yet (monitor only), and send aggregate reports to dmarc@example.com. A more complete record might read:

v=DMARC1; p=quarantine; sp=reject; rua=mailto:agg@example.com; ruf=mailto:forensic@example.com; adkim=s; aspf=r; pct=100

Every record is just a list of tag=value pairs separated by semicolons. Two are required (v and p); the rest are optional and have sensible defaults.

What does each DMARC tag mean?

| Tag | Required | What it does | Example |
|---|---|---|---|
| v | Yes | Protocol version. Always DMARC1, and must come first. | v=DMARC1 |
| p | Yes | Policy for the main domain: none, quarantine, or reject. | p=quarantine |
| sp | No | Policy for subdomains, when you want it to differ from p. | sp=reject |
| rua | No | Where aggregate (summary) reports are sent. | rua=mailto:agg@example.com |
| ruf | No | Where forensic (per-message failure) reports are sent. | ruf=mailto:forensic@example.com |
| adkim | No | DKIM alignment mode: r relaxed (default) or s strict. | adkim=s |
| aspf | No | SPF alignment mode: r relaxed (default) or s strict. | aspf=r |
| pct | No | Percent of failing mail the policy applies to (default 100). | pct=25 |
| fo | No | Forensic reporting options: when a failure report is generated. | fo=1 |
| ri | No | Aggregate reporting interval in seconds (default 86400). | ri=86400 |

The two you'll touch most are p and rua. p is your enforcement level, and choosing it well is the heart of a good rollout (the full breakdown is in what is a DMARC policy). rua is the address that receives the daily summaries you'll actually learn from.

What's the difference between rua and ruf?

rua collects aggregate reports: XML summaries, usually one per day from each provider, covering all the mail they saw under your domain. This is the stream worth watching. ruf collects forensic reports, which are copies (often redacted) of individual messages that failed. Many providers don't send forensic reports at all for privacy reasons, so don't be surprised by a quiet ruf mailbox. When the reports start arriving, how to read a DMARC report walks through the fields.

What do the alignment tags do?

adkim and aspf control how exact the domain match has to be. Relaxed (r) lets a subdomain match the organizational domain, so mail.example.com aligns with example.com. Strict (s) demands an exact match. Relaxed is the default and the right choice for almost everyone; reach for strict only when you have a specific reason. Alignment is the mechanism that makes DMARC stronger than SPF or DKIM used alone, and how DMARC works explains why.
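
The tag rules and alignment modes described above, as an added Python example that is not part of the original page: parse_dmarc applies the required-tag checks and the defaults from the tag table, and aligned compares two domains in relaxed or strict mode. The function names are hypothetical, and org_domain is passed in by the caller as an assumption (receivers normally derive it from the Public Suffix List).

```python
# Added example (not from the original page): parse and validate a DMARC record.
DEFAULTS = {"adkim": "r", "aspf": "r", "pct": "100", "ri": "86400"}  # from the tag table
POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc(txt):
    """Return the record's tags as a dict with defaults applied; ValueError if invalid."""
    pairs = []
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate a trailing semicolon
        if "=" not in part:
            raise ValueError(f"not a tag=value pair: {part!r}")
        tag, value = part.split("=", 1)
        pairs.append((tag.strip().lower(), value.strip()))
    if not pairs or pairs[0] != ("v", "DMARC1"):
        raise ValueError("v=DMARC1 must be the first tag")
    record = {**DEFAULTS, **dict(pairs)}
    for tag in ("p", "sp", "adkim", "aspf"):
        if tag in record:
            record[tag] = record[tag].lower()
    if record.get("p") not in POLICIES:
        raise ValueError("p is required: none, quarantine or reject")
    record.setdefault("sp", record["p"])  # subdomains inherit p unless sp is set
    if record["sp"] not in POLICIES:
        raise ValueError("sp must be none, quarantine or reject")
    if record["adkim"] not in ("r", "s") or record["aspf"] not in ("r", "s"):
        raise ValueError("adkim and aspf must be r or s")
    record["pct"] = int(record["pct"])
    if not 0 <= record["pct"] <= 100:
        raise ValueError("pct must be between 0 and 100")
    return record


def aligned(auth_domain, from_domain, mode, org_domain):
    """Compare the SPF/DKIM domain with the From domain under mode 'r' or 's'."""
    # Assumption: org_domain is supplied by the caller, not looked up here.
    auth, frm, org = (d.lower().rstrip(".") for d in (auth_domain, from_domain, org_domain))
    if mode == "s":
        return auth == frm  # strict: exact match only

    def under(domain):
        return domain == org or domain.endswith("." + org)

    return under(auth) and under(frm)  # relaxed: same organizational domain
```
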

How do you publish and check it?

You add the TXT record through your DNS host, then confirm it resolves. The step-by-step, including a cPanel walkthrough, is in how to set up DMARC. If you send through Bird, DKIM and SPF alignment are set up through your sending-domain records, so publishing this DMARC record and pointing rua at a mailbox you watch is most of the job. The authentication guide in the docs has the Bird-specific details.

A DMARC record is small, but it's doing a lot of work in one line. Get the p and rua right and you can refine everything else later.
