What is the difference between p=none, quarantine, and reject?

p=none takes no action and only sends reports — it is the monitoring stage. p=quarantine tells receivers to treat failing mail as suspicious, usually routing it to spam. p=reject blocks failing mail outright at the SMTP layer, the strongest protection. The standard path is none then quarantine then reject.

Where is the DMARC record published?

As a TXT record at the special hostname _dmarc.yourdomain (for example _dmarc.example.com), not at the domain apex. There is exactly one DMARC record per domain, and subdomains inherit it unless you set a separate sp policy.

What does DMARC alignment mean?

Alignment requires that the domain authenticated by SPF or DKIM matches the visible From domain. Relaxed alignment (the default) allows subdomains to match the organisational domain; strict alignment requires an exact match. DMARC only passes when at least one of SPF or DKIM both passes and aligns.

Should I set the ruf (forensic) tag?

It is optional and increasingly unsupported. Forensic reports contain per-message failure details that can include recipient data, so many providers stopped sending them for privacy reasons. Aggregate reports (rua) are the ones you actually rely on for visibility.

pct applies your policy to only a percentage of failing mail, letting you ramp enforcement gradually — for example pct=25 with p=quarantine quarantines a quarter of failures while the rest are merely monitored. It is a safety valve while you confirm legitimate mail is aligned.

DMARC Record Builder & Policy Explainer

DMARC (Domain-based Message Authentication, Reporting and Conformance) ties SPF and DKIM together and tells receivers what to do when a message claiming to be from your domain fails authentication. This builder produces a valid record and explains every tag as you go.

How it works

DMARC is published as a single TXT record at _dmarc.<your-domain>. The record is a list of tags; the builder assembles them in the correct order and validates each:

v=DMARC1 — the version, always first.
p= — the policy: none (monitor), quarantine (spam), or reject (block). This is the only required tag besides the version.
sp= — an optional separate policy for subdomains.
pct= — apply the policy to only a percentage of failing mail, for staged rollout.
rua= — the address for daily aggregate reports (the data you act on).
ruf= — the address for per-message forensic reports (often unsupported).
adkim= / aspf= — DKIM and SPF alignment mode, relaxed (default) or strict.

Crucially, DMARC only passes when SPF or DKIM both passes and aligns with the From domain. Authentication alone is not enough — alignment is what stops a spoofer who authenticates their own unrelated domain.

The recommended rollout

Moving straight to p=reject risks blocking your own legitimate mail. The safe sequence is:

1. p=none      with rua  → collect reports, find all your senders
2. p=quarantine          → start protecting; watch reports for false positives
3. p=reject              → full enforcement once everything is aligned

A typical monitoring record looks like:

v=DMARC1; p=none; rua=mailto:[email protected]; adkim=r; aspf=r

and a hardened one:

v=DMARC1; p=reject; rua=mailto:[email protected]; adkim=s; aspf=s

Tips

Always publish an rua address before enforcing — without reports you are flying blind and may silently block real mail.
Keep pct as a ramp: try p=quarantine; pct=25, then raise it as reports stay clean.
Relaxed alignment is fine for most senders; switch to strict only once you are certain all your mail signs/sends from the exact From domain.
Validation here is offline. After publishing, confirm the record resolves with a DNS TXT query and watch the first aggregate reports arrive within a day or two.