DMARC Record Examples: Copy-Paste Records for Every Scenario

Every DMARC record is a single line of text published as a DNS TXT record on _dmarc.yourdomain.com. The syntax is straightforward, but getting the tags right for your situation matters. Below are ready-to-use DMARC record examples for the most common scenarios. Replace yourdomain.com with your actual domain, copy the record, and add it to your DNS.

If you need a refresher on what each tag does, see our full DMARC record syntax and tags reference.

1. Basic Monitoring Record

v=DMARC1; p=none; rua=mailto:[email protected];

This is the starter DMARC record example that every domain should begin with. The p=none policy tells receiving servers to deliver all email normally, even if it fails authentication. The rua tag sends aggregate reports to your inbox so you can see who is sending email as your domain. Start here and review reports for two to four weeks before enforcing anything.

2. Monitoring with Forensic Reports

v=DMARC1; p=none; rua=mailto:[email protected]; ruf=mailto:[email protected]; fo=1;

This adds forensic (failure) reports on top of aggregate monitoring. The ruf tag specifies where to send detailed reports for individual failing messages, and fo=1 tells providers to generate a report when either SPF or DKIM fails — not just when both fail. Use this when you need granular visibility into authentication failures during your initial monitoring phase.

3. Quarantine Policy

v=DMARC1; p=quarantine; rua=mailto:[email protected];

This sample DMARC record tells receiving servers to send failing messages to the spam or junk folder. Use this after you have reviewed your monitoring reports and confirmed that all legitimate senders are passing SPF or DKIM. It is the natural second step on the path to full enforcement. For a detailed comparison of enforcement options, see our quarantine vs reject breakdown.

4. Gradual Quarantine Rollout

v=DMARC1; p=quarantine; pct=25; rua=mailto:[email protected];

The pct tag controls what percentage of failing messages the policy applies to. Here, only 25% of failing emails get quarantined — the remaining 75% are delivered normally. This limits the blast radius if you missed a legitimate sender during monitoring. Increase pct gradually: 25, then 50, then 100, giving each level a week of observation before moving up.

5. Full Reject Policy

v=DMARC1; p=reject; rua=mailto:[email protected];

This is the goal state for every active domain. The p=reject policy tells receiving servers to block any email that fails DMARC alignment entirely — no inbox, no spam folder, no delivery at all. Only move here after running at p=quarantine; pct=100; with clean reports for several weeks. You can verify your current record at dmarcrecordchecker.com before making changes.

6. Subdomain Policy

v=DMARC1; p=reject; sp=quarantine; rua=mailto:[email protected];

The sp tag sets a separate policy for subdomains. This example DMARC record enforces full reject on the main domain while keeping subdomains at quarantine. This is useful when your root domain is fully authenticated but subdomains like app.yourdomain.com or mail.yourdomain.com still need time to verify their senders. Without sp, subdomains inherit the main p= policy. For more detail on subdomain handling, see our DMARC for subdomains guide.

7. Multiple Reporting Addresses

v=DMARC1; p=reject; rua=mailto:[email protected],mailto:[email protected];

You can send aggregate reports to multiple addresses by separating them with a comma inside the rua tag. This is common when you use a third-party DMARC monitoring service alongside your own mailbox. Both addresses receive identical reports. Note that if the second address is on a different domain, that domain must publish a DNS authorization record at yourdomain.com._report._dmarc.thirdparty.com to accept reports.

8. Strict Alignment

v=DMARC1; p=reject; aspf=s; adkim=s; rua=mailto:[email protected];

By default, DMARC uses relaxed alignment — meaning mail.yourdomain.com aligns with yourdomain.com. Setting aspf=s and adkim=s switches to strict alignment, requiring an exact domain match between the header From domain and the SPF/DKIM domains. Use strict alignment when you need tighter control and are certain all your senders authenticate with the exact root domain, not subdomains.

9. Parked or Inactive Domain

v=DMARC1; p=reject;

For domains that never send email — parked domains, redirects, brand-protection registrations — use p=reject with no reporting addresses. There is no legitimate email to monitor, so any message claiming to come from this domain is fraudulent and should be blocked. This is the simplest possible DMARC record and every unused domain should have one. You can also pair this with a null SPF record (v=spf1 -all) for complete protection.

Choosing the Right Example

If you are setting up DMARC for the first time, start with Example 1 (basic monitoring). Collect reports, identify all legitimate senders, authenticate them with SPF and DKIM, then work through quarantine to reject over the course of several weeks. Our how to create a DMARC record guide walks through the full process step by step.

If you manage multiple domains, apply Example 9 to every domain that does not send email. This takes thirty seconds per domain and closes a common spoofing gap that attackers actively exploit.

For a complete breakdown of every tag used in these examples, see our DMARC record syntax and tags reference. And to understand the broader context of how DMARC fits into email authentication alongside SPF and DKIM, start with our complete guide to DMARC.

Monitor Your New DMARC Record

You've created your DMARC record — now make sure it keeps working. The Email Deliverability Suite watches your SPF, DKIM, DMARC, and MX records daily and alerts you when something breaks.