Free DNS tool

DMARC Record Generator

Choose a policy, add reporting addresses, and build a valid _dmarc TXT record live. Copy it straight into your DNS, then tighten the policy as your reports come back clean.

DMARC tag builder v=DMARC1

What should receivers do with mail that fails DMARC authentication?


Receive daily XML reports summarizing authentication results. Highly recommended.

Receive individual failure reports. Not all providers send these.

DMARC, explained

What is a DMARC record?

DMARC, short for Domain-based Message Authentication, Reporting and Conformance, is an email authentication standard defined in RFC 7489. A DMARC record is a single DNS TXT entry, published at the _dmarc host of your domain, that tells receiving mail servers two things: what to do with messages that fail SPF and DKIM, and where to send reports about the mail being sent in your name.

Since 2024, the largest mailbox providers expect bulk senders to publish DMARC alongside SPF and DKIM. Without a record, receivers have no instructions for handling spoofed mail, and anyone can forge your From address with nothing to stop them.

The DMARC tags explained

Every DMARC record begins with v=DMARC1 and is followed by semicolon separated tags. Only v and p are required. These are the tags this generator builds for you.

  • p= the domain policy: none monitors only, quarantine sends failing mail to spam, and reject blocks it entirely.
  • sp= a separate policy for subdomains. Leave it out and subdomains inherit the domain policy.
  • pct= the percentage of failing mail the policy applies to, used to roll out enforcement gradually.
  • rua= the address that receives daily aggregate reports, the XML summaries that show you who is sending as your domain.
  • ruf= the address that receives forensic failure reports for individual messages, where supported.
  • adkim= and aspf= the alignment mode for DKIM and SPF, either r for relaxed or s for strict.
  • fo= when a forensic report should be generated, and ri= how often aggregate reports are sent, in seconds.

Choosing a policy

The policy is the heart of the record. Start at p=none so nothing about your mail flow changes while you collect reports and confirm every legitimate sender is authenticated. Move to p=quarantine once those reports are clean, which sends failing mail to spam without losing it entirely. Finish at p=reject, the strongest setting, where receivers block failing mail before it reaches the inbox.

DMARC depends on SPF and DKIM, so publish and verify both before you enforce a policy. Alignment is what ties them together: it requires the domain in the visible From header to match the domain that passed SPF or DKIM, which is what stops an attacker from passing authentication on their own domain while spoofing yours.

A safe rollout

Tightening too quickly can drop real mail, so move through the policies in order and let your aggregate reports guide each step.

  1. Publish p=none with rua. Add an aggregate report address and watch for a few weeks until you can see every service that sends as your domain.
  2. Authenticate every sender. Make sure each legitimate platform passes SPF or DKIM with alignment before you enforce anything.
  3. Move to quarantine. Switch to p=quarantine, optionally with a pct below 100, and confirm reports stay clean.
  4. Advance to reject. Once quarantine runs clean, set p=reject for full protection against spoofing of your domain.

Where to publish the record

The record is a TXT record whose host is _dmarc, so the full name becomes _dmarc.yourdomain.com. Open your DNS provider, create a new TXT record with that host, paste the generated value, and save. Propagation usually takes a few minutes, though it can run up to 48 hours depending on your TTL.

After you publish, confirm it with the DMARC record checker. DMARC only works on top of authentication, so make sure your SPF record and DKIM signing are in place first.

Frequently asked

DMARC record questions

What is a DMARC record?
A DMARC record is a DNS TXT entry published at the _dmarc host of your domain. It tells receiving mail servers how to handle messages that fail SPF and DKIM authentication, and where to send aggregate and forensic reports about mail sent in your name. The standard is defined in RFC 7489, and it always begins with v=DMARC1 followed by a policy tag such as p=none.
How do I create a DMARC record?
Use the generator above. Choose a policy, add an aggregate report address, and adjust the advanced tags if you need them. The tool assembles a valid TXT value live, which you then publish in DNS by creating a new TXT record with the host set to _dmarc and pasting in the generated value. Propagation typically takes a few minutes to 48 hours depending on your TTL.
What should the DMARC policy (p=) be?
Start with p=none. It takes no action on failing mail and lets you gather aggregate reports without risk while you confirm every legitimate sender is authenticated. Once those reports are clean, move to p=quarantine so failing mail goes to spam, then to p=reject so it is blocked outright. The goal of a full rollout is p=reject, which gives the strongest protection against spoofing.
What is the rua tag in a DMARC record?
The rua tag sets the address that receives aggregate reports, the daily XML summaries that list every source sending mail as your domain along with their SPF and DKIM results. It is written as rua=mailto:dmarc-reports@example.com. Aggregate reporting is what makes p=none worthwhile, because it shows you who your senders are before you start enforcing a policy.
Do I need a DMARC record?
For any domain that sends email, yes. Since 2024 the largest mailbox providers expect bulk senders to publish DMARC alongside SPF and DKIM, and without it your mail is easier to spoof and more likely to be filtered. Even a monitoring-only p=none record with an rua address is worth publishing, because it gives you visibility into how your domain is being used.
How do I roll out DMARC safely?
Publish p=none with an rua address first and watch the aggregate reports for a few weeks until you can see every service that sends as your domain. Make sure each one passes SPF or DKIM with alignment, then move to p=quarantine, optionally using pct below 100 for a gradual ramp. When quarantine reports stay clean, advance to p=reject. Moving in this order avoids dropping legitimate mail.
What is a good starter DMARC record?
A safe starting record is v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com;. It changes nothing about how your mail is delivered while it collects the reports you need to see your senders. Once those reports confirm every legitimate source is authenticated, you can tighten the policy to quarantine and then reject.
Do I need SPF and DKIM before setting up DMARC?
Yes. DMARC has no results of its own to evaluate; it builds on SPF and DKIM and checks that the authenticated domain aligns with the visible From address. If neither SPF nor DKIM is in place and aligned, every message fails DMARC. Publish and verify SPF and DKIM first, then add a DMARC record on top.
What is the sp tag and do I need it?
The sp tag sets a separate DMARC policy for your subdomains. If you leave it out, subdomains inherit your main policy, which is fine for most domains. You only need sp when you want subdomains treated differently, for example enforcing reject on the root while keeping a looser policy on a subdomain during testing. Many organizations set sp=reject to stop attackers from spoofing made-up subdomains.
What does the pct tag do in a DMARC record?
The pct tag applies your policy to only a percentage of failing mail, which is useful while you ramp up enforcement. For example p=quarantine; pct=25 quarantines a quarter of failing messages and leaves the rest at the next lower policy. Use it to ease into quarantine or reject, then raise it to 100 once your reports are clean, since enforcement is only complete at pct=100.
What policy should I move to after p=none?
Move from p=none to p=quarantine once your aggregate reports show every legitimate sender passing and aligned. Quarantine sends failing mail to spam without deleting it, which is a safe first step into enforcement. After quarantine runs cleanly with no collateral damage, advance to p=reject for full protection. Never jump straight to reject before you have read your reports.