The short answer is no, a DMARC record cannot have multiple 'p' tags. The DMARC standard is very specific about its syntax to ensure that email receivers can interpret it without ambiguity. A domain can only have one DMARC record, and within that record, each tag, including the essential policy ('p') tag, can only be defined once.
Attempting to add more than one 'p' tag or creating multiple DMARC records for a single domain will invalidate your DMARC setup, causing receiving mail servers to ignore it completely. This would leave your domain unprotected against spoofing and phishing attacks.
Understanding the structure of a DMARC record
A DMARC record is published as a TXT record in your domain's DNS. It's a single string of text composed of tag-value pairs separated by semicolons. While there are many optional tags you can use, every DMARC record must contain two specific tags: 'v' and 'p'.
The 'v' tag specifies the version of the DMARC protocol and must always be v=DMARC1. The 'p' tag, which we're focusing on here, defines the policy that tells receiving servers how to handle emails that fail DMARC authentication checks. As Spambrella notes, these two tags are the only must-haves in all records.
What does the 'p' tag do?
The policy tag is arguably the most important component of your DMARC record. It instructs email receivers on the action to take for messages claiming to be from your domain that do not pass authentication. There are three possible values for the 'p' tag:
- p=none: This is the monitoring-only policy. It tells receivers to take no action against failing emails but to send DMARC aggregate reports to the address specified in the 'rua' tag. It's the recommended starting point for any DMARC implementation.
- p=quarantine: This policy asks receivers to treat failing emails with suspicion. This usually means placing them in the recipient's spam or junk folder.
- p=reject: This is the strictest policy. It instructs receivers to completely block any email that fails DMARC checks, preventing it from reaching the recipient's inbox or spam folder.
Why only one policy tag is allowed
The DMARC framework is designed for clarity and consistency. An email server needs a single, unambiguous instruction for how to handle a message. Imagine a record that contained both p=none and p=reject. The receiver wouldn't know whether to deliver the message or block it. This conflict would cause the server to treat the DMARC record as invalid and ignore it. To prevent this, the DMARC specification strictly permits only one 'p' tag.
Can you have multiple DMARC records?
Just as a DMARC record can't have multiple policies, a domain can't have multiple DMARC records. A common mistake is adding a new DMARC record for a new service without consolidating it with the existing one. If a receiving server performs a DNS lookup and finds two or more TXT records starting with v=DMARC1, the DMARC check will fail.
This means your DMARC policy will not be enforced, and you will not receive the valuable reports that help you monitor your email ecosystem. It is critical to ensure you have only one DMARC record for your domain.
Final thoughts on DMARC syntax
To summarize, the rules are simple but strict. Your domain must have exactly one DMARC record. Within that single record, you must have exactly one 'p' tag defining your enforcement policy. All tags within the record should be separated by a semicolon. A correctly formatted record might look something like this:
v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com; pct=50;
By adhering to these syntax rules, you ensure that your DMARC policy is understood and enforced by email receivers across the globe, protecting your domain's reputation and improving your email deliverability.
