What is the DMARC version specified by the 'v' tag?
Matthew Whittaker
Co-founder & CTO, Suped
Published 9 Jun 2025
Updated 31 Oct 2025
6 min read
When you set up DMARC (Domain-based Message Authentication, Reporting, and Conformance) for your domain, you're implementing a powerful email authentication protocol designed to protect against email spoofing and phishing. This protocol relies on a special DNS TXT record containing various DMARC tags that instruct receiving mail servers on how to handle emails claiming to be from your domain. Each tag plays a specific role in enforcing your email policy and providing valuable feedback.
Among these crucial DMARC tags, one stands out as absolutely mandatory and foundational: the 'v' tag. Without it, your DMARC record won't be recognized, and your efforts to secure your email ecosystem will be ineffective. It's the very first piece of information a mail server looks for to understand that a DMARC policy is even present and what version of the protocol to expect.
Let's delve into what the 'v' tag specifies, why its correct configuration is non-negotiable, and how it fits into the broader picture of email security.
Understanding the DMARC 'v' tag
The 'v' tag in a DMARC record stands for version. It is a mandatory tag that indicates the DMARC protocol version being used. For all currently implemented DMARC policies, this value must always be DMARC1. This specific value signals to receiving mail servers that the DNS record they are querying is indeed a DMARC record and should be processed according to the DMARC standard.
Without the v=DMARC1 tag, an email server won't recognize your DMARC record, rendering your entire policy ineffective. It's like having a contract without a clear title, nobody knows what they're looking at. This is why it's the very first tag that must appear in your DMARC DNS TXT record.
Example of the 'v' tag in a DMARC record
DNS TXT RecordDNS
v=DMARC1; p=none; rua=mailto:reports@example.com;
In this example, v=DMARC1 clearly defines the DMARC protocol version. The p=none tag specifies the policy for unauthenticated emails, and rua indicates where aggregate reports should be sent. This minimal setup allows you to begin monitoring your DMARC reports without impacting email delivery.
While there is only one official DMARC version (DMARC1) at present, the 'v' tag exists to allow for future versions of the protocol. If new versions are developed, this tag would enable a smooth transition and backward compatibility, ensuring that email systems can correctly interpret and apply policies based on the specified standard. Think of it as a future-proofing mechanism for email authentication.
The critical nature of 'v=DMARC1'
Ensuring your DMARC record contains v=DMARC1 is the most critical step in establishing a valid DMARC policy. Without it, your record is essentially invisible to receiving mail servers, and your domain remains unprotected. It's the handshake that initiates the DMARC process.
When a mail server receives an email, it performs a DNS lookup to find the sender's DMARC record. The very first thing it checks for is the v tag. If v=DMARC1 is not found (or is incorrect), the server will simply ignore the rest of the record's instructions, treating your domain as if it has no DMARC policy at all. This means emails that fail SPF or DKIM checks will not be subjected to your defined DMARC policy, increasing your vulnerability to malicious actors.
It’s vital to ensure this tag is correctly formatted and the very first entry in your DMARC record to avoid common DMARC verification failures. A misconfigured 'v' tag is often one of the first things to check if your DMARC reports aren't showing data or if your policy isn't being enforced as expected.
Tag
Description
Mandatory?
v
Specifies the DMARC protocol version. Must always be DMARC1.
Yes
p
Defines the policy for emails that fail DMARC authentication. Values: none, quarantine, or reject.
Yes
rua
Address for aggregate DMARC reports, providing an overview of email traffic.
No
ruf
Address for forensic (failure) reports, detailing specific authentication failures.
No
sp
Defines the DMARC policy for subdomains, overriding the root domain's 'p' tag.
No
Consequences of an incorrect 'v' tag
If the 'v' tag is missing or contains an incorrect value (e.g., v=DMARC2), mail servers will simply ignore your DMARC record. This means your domain will essentially operate without DMARC protection, leaving it vulnerable to various email-based attacks. The consequences can range from increased spam and phishing attempts against your recipients to damage to your brand's reputation.
Incorrect or missing 'v' tag
No DMARC Enforcement: Mail servers will not apply your specified DMARC policy (e.g., p=quarantine or p=reject) to unauthorized emails.
Increased Spam and Phishing: Your domain becomes an easy target for spoofing, allowing attackers to send fraudulent emails that appear to originate from your organization.
Damaged Reputation: Recipients receiving spoofed emails may lose trust in your brand, leading to reduced engagement and potential blocklisting (or blacklisting).
Lack of Visibility: You won't receive DMARC reports, leaving you blind to how your domain is being used and abused by others. This prevents you from fixing common DMARC issues.
Correct 'v=DMARC1' tag
Effective Policy Enforcement: Your DMARC policy is recognized and applied, protecting your domain from unauthorized email use.
Reduced Spam and Phishing: Malicious emails attempting to spoof your domain are filtered or rejected, improving recipient trust and email deliverability.
Enhanced Brand Reputation: Maintaining a strong DMARC policy signals to email providers and recipients that you take email security seriously.
Comprehensive Reporting: You receive valuable DMARC reports, offering insights into your email ecosystem and helping you refine your authentication setup.
Therefore, when configuring your DMARC record, always double-check that v=DMARC1 is present and correctly placed as the first tag. This simple step is fundamental to leveraging the full power of DMARC to protect your domain and recipients.
How Suped ensures your 'v' tag is always correct
Implementing and managing DMARC can seem complex, but tools like Suped are designed to simplify the process. We provide comprehensive DMARC monitoring and reporting, turning raw DMARC data into actionable insights, helping you ensure your 'v' tag and entire DMARC record are always configured correctly.
Our platform's AI-Powered Recommendations guide you through the intricacies of DMARC, offering clear steps to strengthen your policy, resolve issues like an incorrect 'v' tag, and improve your email deliverability. With our generous free plan, you can start securing your domain today.
Beyond simply checking your DMARC record, Suped provides real-time alerts, a unified platform for SPF, DKIM, and DMARC, and SPF flattening to tackle the 10-DNS-lookup limit. Whether you're an SMB, a large enterprise, or an MSP managing multiple domains, our platform offers the tools you need for robust email security and deliverability.
Key takeaway
The 'v' tag is the simplest yet most fundamental part of your DMARC record. It acts as the identifier, informing receiving mail servers that a DMARC policy exists and specifies the protocol version for processing. Always ensure your DMARC record begins with v=DMARC1 to guarantee your email authentication efforts are recognized and effective. This small but mighty tag is your first line of defense against email fraud.
