The vocabulary of the DMARC Validator API

The 8 fields and concepts you'll meet in the response — defined in plain English, each with a real example value.

8 terms
Protocols1

DMARC

Domain-based Message Authentication, Reporting & Conformance—an email authentication policy protocol.

DMARC builds on SPF and DKIM by defining policy (what to do when authentication fails) and reporting (where to send results). It requires alignment—the From domain must match authenticated domains. Published as a TXT record at _dmarc.domain.com.

Examplev=DMARC1; p=reject; rua=mailto:[email protected]

DMARC Components4

Policy

DMARC instruction for handling authentication failures: none, quarantine, or reject.

p=none monitors without action. p=quarantine sends failures to spam. p=reject blocks failures entirely. Start with none, progress through quarantine, end at reject. Subdomain policy (sp=) can differ from main domain policy.

Examplep=reject (block failures), p=quarantine (spam folder), p=none (monitor only)

Alignment

DMARC requirement that the From header domain matches the authenticated domain.

Strict alignment requires exact domain match. Relaxed alignment allows subdomains (mail.example.com passes for example.com). adkim= sets DKIM alignment mode, aspf= sets SPF alignment mode. Default is relaxed (r).

Exampleadkim=s (strict), aspf=r (relaxed)

Subdomain Policy (sp)

DMARC policy specifically for subdomains, separate from the main domain policy.

The sp= tag defines policy for subdomains. If not specified, subdomains inherit the main policy (p=). Setting sp=reject while main is p=quarantine enforces stricter rules on subdomains. Useful when subdomains shouldn't send email.

Examplesp=reject (block subdomain failures), sp=none (monitor subdomains)

Percentage (pct)

DMARC tag specifying what percentage of failing mail the policy applies to.

pct=100 (default) applies policy to all failures. pct=10 applies to only 10% of failures, useful during rollout. Gradually increase from pct=10 to pct=100 when moving to stricter policies. This reduces risk during enforcement.

Examplepct=25 (apply policy to 25% of failures)

Reporting2

Aggregate Report (rua)

Daily XML summaries of DMARC authentication results sent to specified addresses.

Aggregate reports show pass/fail counts grouped by source IP and authentication result. They help identify legitimate senders needing authentication and spoofing attempts. Configure with rua=mailto:address. Multiple addresses allowed, separated by commas.

Examplerua=mailto:[email protected],mailto:[email protected]

Forensic Report (ruf)

Detailed reports about individual DMARC authentication failures.

Forensic reports (failure reports) provide message-level details including headers. They're useful for investigating specific incidents. Many receivers don't send forensic reports due to privacy concerns. Configure with ruf=mailto:address.

Exampleruf=mailto:[email protected]

Implementation1

Enforcement

DMARC policy levels (quarantine/reject) that actively affect email delivery.

Enforcement means the DMARC policy takes action on failures. p=none is not enforcement (monitoring only). p=quarantine and p=reject are enforcement levels. Full enforcement (p=reject at pct=100) provides maximum protection against spoofing.

ExampleDomain at enforcement: p=reject, pct=100

See these fields live. Run the DMARC Validator API free — no card, no signup wall.

Scaling up?

Volume pricing, custom SLAs, and dedicated support for high-traffic teams.

Contact sales