Why validate DMARC syntax before publishing?
A malformed DMARC record is silently ignored by all receiving servers. Gmail, Outlook, Yahoo: none will alert you. Your emails remain unprotected against spoofing and phishing.
The DMARC syntax validator analyzes your record before DNS publication. You detect errors immediately, without waiting 24-48h for propagation to discover an issue.
Common errors detected:
- Missing v= tag → Record not recognized as DMARC
- Missing p= policy → No handling instructions for servers
- Invalid rua/ruf URI → Reports never received
- Duplicate tags → Unpredictable behavior, often ignored
How to validate your DMARC record in 3 steps
Step 1: Copy the DMARC record
Prepare your complete DMARC record. Typical example:
v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@captaindns.com; adkim=r; aspf=r; pct=100
If modifying an existing record, retrieve the current value from your DNS:
dig TXT _dmarc.captaindns.com +short
Step 2: Paste and validate
Paste the record in the field above. The tool analyzes:
- Presence of mandatory tags (v, p)
- Validity of each tag and value
- Report URI format (rua, ruf)
- RFC 7489 specification compliance
Step 3: Fix and publish
The diagnostic lists each tag with its status:
- ✅ Valid → Tag correct, ready for publication
- ❌ Error → Fix required before publication
- ⚠️ Warning → Functional but improvement recommended
Fix errors, validate again, then publish to your DNS.
What is a DMARC record?
DMARC (Domain-based Message Authentication, Reporting and Conformance) is a DNS TXT record published at _dmarc.yourdomain.com. It tells receiving servers:
- What policy to apply to emails failing SPF and DKIM
- Where to send reports on authentication results
- How to align SPF/DKIM domains with the From address
DMARC record structure:
v=DMARC1; p=reject; rua=mailto:reports@captaindns.com; ruf=mailto:forensics@captaindns.com; adkim=s; aspf=s; pct=100
| Tag | Value | Meaning |
|---|---|---|
| v | DMARC1 | Protocol version (required) |
| p | reject | Policy: reject unauthenticated emails |
| rua | mailto:... | Aggregate report destination |
| ruf | mailto:... | Forensic report destination |
| adkim | s | Strict DKIM alignment |
| aspf | s | Strict SPF alignment |
| pct | 100 | Apply to 100% of messages |
DMARC tags validated in detail
Required tags
| Tag | Accepted values | Description |
|---|---|---|
| v | DMARC1 | Identifies the record as DMARC. Only valid value. |
| p | none, quarantine, reject | Policy for non-aligned messages from the main domain. |
Optional tags
| Tag | Accepted values | Description |
|---|---|---|
| sp | none, quarantine, reject | Policy for subdomains (inherits from p if absent). |
| rua | mailto: or https: URI | Aggregate report destinations (daily XML). |
| ruf | mailto: or https: URI | Forensic report destinations (per message). |
| adkim | r (relaxed), s (strict) | DKIM alignment mode. Default: relaxed. |
| aspf | r (relaxed), s (strict) | SPF alignment mode. Default: relaxed. |
| pct | 1-100 | Percentage of messages subject to policy. Default: 100. |
| fo | 0, 1, d, s | Forensic report generation options. |
| ri | Seconds | Desired interval between aggregate reports. Default: 86400. |
| rf | afrf, iodef | Forensic report format. |
Common syntax errors
Error 1: Record without v=DMARC1
Symptom: Validator shows "not_dmarc_record"
Cause: Record doesn't start with v=DMARC1
Fix:
- p=reject; rua=mailto:reports@captaindns.com
+ v=DMARC1; p=reject; rua=mailto:reports@captaindns.com
Error 2: Missing p= policy
Symptom: "missing_policy" or "empty_policy"
Cause: The p= tag is missing or empty
Fix:
- v=DMARC1; rua=mailto:reports@captaindns.com
+ v=DMARC1; p=none; rua=mailto:reports@captaindns.com
Error 3: Invalid rua/ruf URI
Symptom: "invalid_rua_uri" or "invalid_ruf_uri"
Cause: URI doesn't follow mailto: or https: format
Fix examples:
- rua=reports@captaindns.com # Missing mailto:
+ rua=mailto:reports@captaindns.com
- ruf="mailto:forensics@captaindns.com" # Quotes not allowed
+ ruf=mailto:forensics@captaindns.com
- rua=mailto: reports@captaindns.com # Space not allowed
+ rua=mailto:reports@captaindns.com
Error 4: Duplicate tag
Symptom: "duplicate_tag"
Cause: A tag appears multiple times
Fix:
- v=DMARC1; p=none; p=reject; rua=mailto:reports@captaindns.com
+ v=DMARC1; p=reject; rua=mailto:reports@captaindns.com
Error 5: pct out of range
Symptom: "invalid_pct_value"
Cause: pct value is not between 1 and 100
Fix:
- v=DMARC1; p=reject; pct=0 # 0 is invalid
+ v=DMARC1; p=reject; pct=10 # Minimum is 1
- v=DMARC1; p=reject; pct=150 # >100 is invalid
+ v=DMARC1; p=reject; pct=100
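The five errors above can be checked in a few dozen lines. This is an added Python example, not the validator's own code: it returns the error codes named in this section, `invalid_tag_value` is a hypothetical code name for values outside the tables, and the URI pattern is a simplified assumption.

```python
import re

# Accepted values per tag, taken from the tables on this page.
ENUMS = {"p": {"none", "quarantine", "reject"}, "sp": {"none", "quarantine", "reject"},
         "adkim": {"r", "s"}, "aspf": {"r", "s"}}
# Simplified URI shape (assumption): mailto:local@domain or https://..., no quotes or
# whitespace, plus the optional "!<size>" suffix that RFC 7489 allows.
URI_RE = re.compile(r"(mailto:[^\s\"'@,!]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+"
                    r"|https://[^\s\"',!]+)(![0-9]+[kmgt]?)?")

def validate_dmarc(record):
    """Return a list of error codes; an empty list means the syntax checks passed."""
    parts = [p.strip() for p in record.split(";") if p.strip()]
    pairs = [(n.strip().lower(), v.strip()) for n, _, v in (p.partition("=") for p in parts)]
    # The version tag must come first, otherwise the TXT record is not seen as DMARC.
    if not pairs or pairs[0] != ("v", "DMARC1"):
        return ["not_dmarc_record"]
    errors, tags = [], {}
    for name, value in pairs:
        if name in tags:
            errors.append("duplicate_tag")
            continue
        tags[name] = value
        if name in ("rua", "ruf"):
            if not all(URI_RE.fullmatch(u.strip()) for u in value.split(",")):
                errors.append(f"invalid_{name}_uri")
        elif name == "pct":
            # Range as given on this page (1-100); RFC 7489's grammar also admits 0.
            if not (re.fullmatch(r"[0-9]{1,3}", value) and 1 <= int(value) <= 100):
                errors.append("invalid_pct_value")
        elif name in ENUMS and name != "p" and value not in ENUMS[name]:
            errors.append("invalid_tag_value")  # hypothetical code name
    if "p" not in tags:
        errors.append("missing_policy")
    elif tags["p"] == "":
        errors.append("empty_policy")
    elif tags["p"] not in ENUMS["p"]:
        errors.append("invalid_tag_value")  # hypothetical code name
    return errors

# Constructed samples mirroring the error cases listed above.
SAMPLES = [
    "v=DMARC1; p=reject; rua=mailto:reports@captaindns.com; pct=100",
    "v=DMARC1; p=none; p=reject; rua=reports@captaindns.com; pct=150",
]
if __name__ == "__main__":
    for rec in SAMPLES:
        print(validate_dmarc(rec) or ["ok"], rec)
```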
DMARC deployment best practices
1. Start with p=none
Don't jump straight to p=reject. Start by observing:
v=DMARC1; p=none; rua=mailto:dmarc@captaindns.com
This policy doesn't block anything but generates reports. Analyze them for 2-4 weeks.
2. Configure rua from the start
Aggregate reports are essential for:
- Identifying legitimate sources failing authentication
- Detecting spoofing attempts
- Validating progression toward p=quarantine then p=reject
3. Progress toward p=reject
Once SPF and DKIM are aligned on all legitimate sources:
- p=none → Observe (2-4 weeks)
- p=quarantine; pct=10 → Test on 10% of traffic
- p=quarantine; pct=50 → Gradually increase
- p=quarantine; pct=100 → Full quarantine
- p=reject → Maximum protection
4. Manage subdomains with sp=
By default, subdomains inherit the p policy. If you send emails from subdomains (marketing.captaindns.com), remember to:
- Configure SPF/DKIM on each subdomain
- Use sp= if the policy should differ
FAQ - Frequently asked questions
Q: Which DMARC tags are mandatory?
A: Two tags are required: v=DMARC1 (version) and p= (policy). Without these tags, the record is invalid and ignored by receiving servers. All other tags are optional.
Q: What does the "missing policy" error mean?
A: The record doesn't contain the p= tag that defines the policy. Add one of three possible values:
- p=none → No action, reports only
- p=quarantine → Mark as spam
- p=reject → Reject the message
Q: How do I fix a rua/ruf URI error?
A: URIs must follow the exact format mailto:address@domain.com or https://endpoint. Common errors:
- Forgetting mailto: before the address
- Quotes around the URI
- Spaces in the address
- Invalid email address
Q: What's the difference between rua and ruf?
A:
- rua (aggregate reports): daily reports in XML format, statistical summary
- ruf (forensic reports): per-message report on failures
Start with rua only. ruf reports generate significant traffic and may contain sensitive data.
Q: What does "pct out of range" mean?
A: The pct tag defines the percentage of messages subject to the p policy. Accepted values: 1 to 100. If you omit pct, the policy applies to 100% of messages (default behavior).
Q: Why validate before DNS publication?
A: A syntax error makes the record invalid. Receiving servers silently ignore it: you get no alert, but your emails have no DMARC protection. Always validate before any DNS modification.
Q: Does the validator check DNS publication?
A: No, this tool only validates the syntax of the record. To verify that the record is correctly published and propagated in DNS, use the DMARC Inspector after publication.
Complementary tools
| Tool | Purpose |
|---|---|
| DMARC Inspector | Verify publication and resolve DMARC record from DNS |
| DMARC Generator | Create a spec-compliant DMARC record |
| SPF Inspector | Validate your domain's SPF record |
| DKIM Inspector | Verify DKIM public key and signature |
| Email Tester | Test complete authentication by sending a real email |
Useful resources
- RFC 7489 - Domain-based Message Authentication, Reporting and Conformance (DMARC) (official specification)
- Google - Set up DMARC (Gmail/Workspace guide)
- Microsoft - DMARC in Microsoft 365 (Outlook/M365 guide)
- dmarc.org - Overview (DMARC consortium documentation)