Generate a DMARC Policy Record

DNS publishing

DMARC Tells Receivers What to Do With Failures

Publish DMARC at _dmarc.yourdomain.com. Start with monitoring if you are unsure, then move toward quarantine or reject after legitimate senders are aligned.

About DMARC

How DMARC Works and How to Roll It Out Safely

What is DMARC?

Domain-based Message Authentication, Reporting and Conformance (DMARC) is a policy, published as a DNS TXT record, that builds on SPF and DKIM. It tells receivers two things: what to do with mail that fails authentication, and where to send reports about that mail. DMARC is what turns SPF and DKIM from advisory signals into enforceable policy. Without DMARC, a receiver can decide to ignore SPF failures. With DMARC at reject, the receiver is told to drop spoofed mail at the door.

The tags that matter

p= is the policy for the root domain (none, quarantine, or reject). sp= is the same setting for subdomains. pct= controls how much of the failing mail the policy applies to, which is useful during rollout. adkim= and aspf= set strict or relaxed alignment between the visible From domain and, respectively, the DKIM signing domain and the SPF (envelope) domain. rua= is the address that receives aggregate reports, and ruf= receives forensic reports (most large receivers no longer send forensic data). The generator above wires these up so you only need to fill in the addresses.

The recommended deployment path

Start at p=none with a rua= address you actually monitor. Aggregate reports tell you which IPs send mail using your domain and whether they pass SPF and DKIM alignment. Once you have fixed legitimate senders that are failing, move to p=quarantine with pct=25 and ramp up to pct=100 while watching reports. Only move to p=reject once two full weekly report cycles show no legitimate failures. Trying to skip straight to reject is the most common reason DMARC rollouts break transactional email.

Alignment is not the same as authentication

An email can pass SPF or DKIM on the envelope or signing domain but still fail DMARC because the visible From domain is different. This is called alignment failure and it usually points to a third-party sender (a CRM, marketing tool, or transactional API) that signs with its own domain. Fix this by configuring the third party to use a subdomain of yours for both the envelope and DKIM signature.

Where to publish the record

DMARC lives at the special hostname _dmarc.yourdomain.com as a TXT record. Subdomain policies inherit from the parent unless you publish a separate DMARC record at _dmarc.sub.yourdomain.com. Aggregate report addresses can be on a different domain (most teams send reports to a dedicated processor), but that external domain must publish a TXT record at yourdomain.com._report._dmarc under its own zone to authorize receiving your reports.

DMARC Record Generator FAQ

What is the difference between p=none, p=quarantine, and p=reject?

p=none means monitor only: receivers report on failures but still deliver the mail. p=quarantine asks receivers to deliver failing mail to spam. p=reject asks receivers to drop failing mail at SMTP. Roll out in that order so you can catch broken senders in reports before they cost you real delivery.

Do I need SPF and DKIM before publishing DMARC?

Yes. DMARC depends on at least one of SPF or DKIM passing and aligning with the visible From domain. Publishing DMARC with no SPF or DKIM in place will fail every message and either trigger your monitoring reports or, at p=reject, block legitimate mail.

What is a DMARC aggregate report?

Aggregate reports are XML files that receivers like Google, Microsoft, and Yahoo send daily to the address in your rua= tag. They list every IP that sent mail claiming to be your domain, plus the SPF and DKIM results. They are the single most important signal during a DMARC rollout. Use a dedicated DMARC report processor if you do not want to parse XML by hand.

Where do I publish the DMARC record?

DMARC lives at the special hostname _dmarc.yourdomain.com as a TXT record. Subdomains inherit the parent policy unless you publish a separate _dmarc record on the subdomain. Only one DMARC record per host is allowed.
