DMARC (Domain-based Message Authentication, Reporting and Conformance) is an email authentication and security protocol used in conjunction with SPF and DKIM so that emails that fail the authentication can be reported back to the domain owner, or to many services that can generate reports out of those emails.

DMARC is a TXT record added to the domain's DNS into the name _dmarc. IN TXT "v=DMARC1; p=quarantine; rua=mailto:[email protected],mailto:yyy@zzz; pct=100; ri=86400"


The p parameter is used by email servers to decide what to do with the message.

  • none to do nothing

  • reject to reject the message

  • quarantine to flag the message, which can mean marking it as spam or storing it in a separate folder

The pct parameter should remain at 100(%) for low-traffic domains so the protocol applies to all messages.

The ri parameter is a hint on how often to report the failed messages. The value of 86400, daily, is a good default value.

To check the DMARC record, use host or dig:

$ host -t TXT descriptive text "v=DMARC1;p=quarantine;rua=mailto:…,mailto:…;pct=100;ri=86400"
$ dig +short -t TXT