DNSControl contains a DMARC_BUILDER which can be used to simply create DMARC policies for your domains.


Simple example

policy: "reject",
ruf: [
This yield the following record:
@ IN TXT "v=DMARC1; p=reject; ruf=mailto:[email protected]"

Advanced example

policy: "reject",
subdomainPolicy: "quarantine",
percent: 50,
alignmentSPF: "r",
alignmentDKIM: "strict",
rua: [
ruf: [
failureOptions: "1",
reportInterval: "1h",
label: "insecure",
policy: "none",
ruf: [
failureOptions: {
SPF: false,
DKIM: true,
This yields the following records:
@ IN TXT "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; pct=50; rua=mailto:[email protected],; ruf=mailto:[email protected]; fo=1; ri=3600"
insecure IN TXT "v=DMARC1; p=none; ruf=mailto:[email protected]; fo=d"


  • label: The DNS label for the DMARC record (_dmarc prefix is added, default: "@")
  • version: The DMARC version to be used (default: DMARC1)
  • policy: The DMARC policy (p=), must be one of "none", "quarantine", "reject"
  • subdomainPolicy: The DMARC policy for subdomains (sp=), must be one of "none", "quarantine", "reject" (optional)
  • alignmentSPF: "strict"/"s" or "relaxed"/"r" alignment for SPF (aspf=, default: "r")
  • alignmentDKIM: "strict"/"s" or "relaxed"/"r" alignment for DKIM (adkim=, default: "r")
  • percent: Number between 0 and 100, percentage for which policies are applied (pct=, default: 100)
  • rua: Array of aggregate report targets (optional)
  • ruf: Array of failure report targets (optional)
  • failureOptions: Object or string; Object containing booleans SPF and DKIM, string is passed raw (fo=, default: "0")
  • failureFormat: Format in which failure reports are requested (rf=, default: "afrf")
  • reportInterval: Interval in which reports are requested (ri=)
  • ttl: Input for TTL method (optional)


  • TXT records are automatically split using AUTOSPLIT.
  • URIs in the rua and ruf arrays are passed raw. You must percent-encode all commas and exclamation points in the URI itself.