What are DMARC Tags: DMARC Tags Explained.

DMARC tags

DMARC tags are used in a DMARC record to define various aspects of a DMARC implementation, such as policy, aggregate report email URI, forensic report email URI, and more.

What is a DMARC record?

A DMARC record is a TXT resource record published in the DNS for the target domain. It consists of a list of semicolon-separated DMARC tags which tell the email receiver what to do with email messages that fail DMARC authentication.

Here is an example DMARC record:

v=DMARC1; p=reject; rua=mailto:5b06a2badd9f1@report.com; ruf=mailto:5b06a2badd9f1@report.com; sp=none; fo=0;

For a more detailed description on DMARC records, refer to Everything about a DMARC Record.

What is a DMARC tag

As you can see above, the above DMARC record has multiple components called DMARC tags separated by semicolons: v, p, rua, ruf, sp, and fo. Each tag has a value which defines a certain aspect of DMARC.

The following DMARC tags are available:

  • v is the DMARC version; it's always DMARC1;
  • p is the DMARC policy; it can be one of: none, quarantine, and reject, corresponding to the 3 main modes of DMARC;
  • rua specifies the URI of the mailbox to receive DMARC aggregate reports. It's required to request for DMARC aggregate reports;
  • ruf specifies the URI of the mailbox to receive DMARC failure/forensic reports. It's required to request for DMARC failure/forensic reports;
  • adkim (optional, default is "r".) specifies the DKIM Identidier Alignment mode. It can be either of:
    • r: relaxed mode
    • s: strict mode
  • aspf (optional, default is "r".) specifies the SPF Identidier Alignment mode. It can be either of:
    • r: relaxed mode
    • s: strict mode
  • fo (optional, default is "0") specifies failure/forensic reporting options. This tag is ignored if the ruf tag is not defined. The value of this tag is a colon-separated list of characters from '0', '1', 'd', and 's':

    • 0: geneate a DMARC failure/forensic report if both SPF and DKIM fail to produce an aligned pass result;
    • 1: geneate a DMARC failure/forensic report if either SPF or DKIM produces a result other than aligned pass;
    • d: geneate a DKIM failure report if the email's DKIM signature fails validation, regardless of the alignment;
    • s: geneate a SPF failure report if the email fails SPF evaluation, regardless of the alignment.

    For example, this DMARC record requests to receive all types of failure reports:

    v=DMARC1; p=reject; rua=mailto:5b06a2badd9f1@report.com; ruf=mailto:5b06a2badd9f1@report.com; sp=none; fo=0:1:d:s;
  • pct (optional, default is 100) specifies the percentage of emails to which the DMARC policy is to be applied. For example, this DMARC record requests to apply the reject policy to 10% of the emails:
    v=DMARC1; p=reject; rua=mailto:5b06a2badd9f1@report.com; ruf=mailto:5b06a2badd9f1@report.com; sp=none; pct=10;
  • sp (optional) specifies the policy for all subdomains. It applies only to the subdomains, instead of the domain itself. The syntax is identical to that of the p tag. If not defined, the value of the p tag will be applied to subdomains;
  • rf (optional, default is "afrf") specifies the format to be used for failure reports. Currently, only "afrf" is supported;
  • ri (optional, default is 86400) specifies the interval between aggregate reports in seconds. DMARC aggregate reports are sent daily by default.

Previous Post Next Post

 Protect Business Email & Improve Email Deliverability

Get a 14 day trial. No credit card required.

Create Account