NsLookup logo
Learning center

DMARC Tags Explained: 2026 Guide

If you send emails from your domain, you also need to protect it. That's where DMARC comes in.
DMARC Tags Explained: 2026 Guide

DMARC is an email authentication method that helps you control who can send emails using your domain. It works through a DMARC record, which is added to your domain settings and tells inbox providers how to verify your emails and what to do if something feels off.

In 2026, email threats like spoofing and phishing are getting smarter and more frequent. Without proper protection, anyone can try to impersonate your domain and trick your customers. DMARC helps prevent this. It checks if emails are legitimate, blocks harmful ones, and gives you visibility into what's happening behind the scenes.

In this blog, you will learn what DMARC is, how it works, and what each DMARC tag means.

How Does DMARC Work

DMARC does not check emails on its own. It depends on two methods called SPF and DKIM. SPF checks whether the server sending the email is authorized to send email for your domain. DKIM adds a digital signature to the email to ensure the message has not been altered. DMARC combines SPF and DKIM results to determine whether an email is safe.

Here are some more concepts involved in the DMARC process:

DMARC Alignment

DMARC alignment means the domain used in SPF or DKIM should match the domain in the "From" address that the user sees. If they match, the email is aligned. If they do not match, DMARC may treat the email as suspicious, even if SPF or DKIM passes.

DMARC Authentication

First, the server checks SPF and DKIM to verify the sender. Then DMARC reviews these results and checks if the domains are properly aligned with the "From" address. If both authentication and alignment are correct, the email passes DMARC and is delivered to the inbox. If either check fails, the email fails DMARC and is handled according to the domain owner's policy.

DMARC Policy Actions: None, Quarantine, Reject

If an email fails DMARC, the next step depends on which of the following policies you have chosen:

  • None: The email is still delivered, but you get reports about the failure
  • Quarantine: The email is sent to the spam or junk folder
  • Reject: The email is blocked completely and not delivered

DMARC Tags Explained

Here is an easy explanation of all the DMARC tags you can use:

v (Version)

This shows the DMARC version you are using. It is always set to v=DMARC1 and is required in every DMARC record.

pct (Percentage)

This tells what percentage of your emails the DMARC policy should apply to. It is optional; if not set, it applies to 100% of emails by default.

p (Policy)

This defines what should happen if an email fails DMARC. It is a required tag. You can choose: none, quarantine, or reject.

sp (Subdomain Policy)

This sets the DMARC policy for your subdomains. It is optional and only needed if you want a different rule for subdomains.

rua (Aggregate Reports)

This tells where you want to receive DMARC reports. It is optional but strongly recommended. Example: rua=mailto:[email protected]

ruf (Forensic Reports)

This is used to receive detailed failure reports. It is optional, and not all providers send these reports.

fo (Failure Options)

This controls when failure reports should be sent. It is optional and only useful if you are using forensic reports. Common options are:

  • 0: Report only if both SPF and DKIM fail
  • 1: Report if either SPF or DKIM fails
  • d: Report DKIM failures
  • s: Report SPF failures

aspf (SPF Alignment Mode)

This defines how strictly SPF should match your domain. It is optional. Its values are either r (relaxed) or s (strict).

adkim (DKIM Alignment Mode)

This defines how strictly DKIM should match your domain. Its values are either r (relaxed) or s (strict).

rf (Report Format)

This defines the format of forensic reports. It is optional and usually set to afrf by default.

ri (Reporting Interval)

This tells how often you want to receive DMARC reports. It is optional. The default is 86400 seconds (once every 24 hours).

Conclusion

DMARC is a simple but powerful way to protect your domain from email misuse. It works with SPF and DKIM to verify emails, ensures proper alignment, and lets you decide what happens when something goes wrong. Understanding DMARC tags helps you take full control of your setup and avoid common mistakes.

By starting with the right policy and gradually enforcing stricter rules, you can improve your email security and deliverability. If your SPF records are getting too complex, using an automated SPF solution can help you stay within limits and keep your authentication setup clean and effective.

Start your DMARC journey now with our free 14-day trial. We are quick with DMARC enforcement; our team and tools are adept enough to help even the trickiest enterprises reach full enforcement in about 40-50 days. If you are a small or mid-sized business owner, it's only going to be a job of a few days. So, reach out to us now.