DMARC Record Generator

Q: What is the difference between DMARC policies p=none, p=quarantine, and p=reject?

The p=none policy is monitoring-only and delivers all emails regardless of authentication results, recommended when first implementing DMARC. The p=quarantine policy sends failing emails to spam, while p=reject blocks them entirely. Start with p=none, then gradually move to p=quarantine, and finally p=reject once you have verified all legitimate email sources.

Q: What do the DMARC tags rua, ruf, and pct mean?

The rua tag specifies where daily aggregate DMARC reports are sent (XML summaries of authentication results). The ruf tag designates where forensic failure reports go. The pct tag controls what percentage of failing emails the policy applies to, allowing gradual rollout of stricter enforcement.

Q: What is the correct DMARC record format?

A DMARC record is a DNS TXT record at _dmarc.yourdomain.com that must begin with v=DMARC1 followed by semicolon-separated tags. The only required tags are v (version) and p (policy). A basic example: v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com. Optional tags include ruf, pct, adkim, aspf, sp, fo, and ri.

Generate a valid DMARC TXT record for your domain. Configure your policy, reporting addresses, and alignment settings.

Your Domain (for reference only)

Domain Policy (p=)

What should happen to emails that fail DMARC?

none Monitor only - delivers all email normally. Start here.

quarantine Send failing emails to spam/junk folder.

reject Block failing emails entirely. Most protective.

Aggregate Report Email (rua=)

Receive daily XML reports summarizing authentication results. Highly recommended.

Forensic Report Email (ruf=) (optional)

Receive individual failure reports. Not all providers support this.

Subdomain Policy (sp=)

Policy for subdomains. Defaults to the domain policy if not set.

Percentage (pct=)

Percentage of messages subject to the policy. Use less than 100 for gradual rollout.

SPF Alignment (aspf=)

DKIM Alignment (adkim=)

Failure Reporting (fo=)

When to generate forensic reports.

Report Interval (ri=) in seconds

How often aggregate reports are sent. Default is 86400 (24 hours).

Generated DMARC Record

Type: TXT

Host/Name: _dmarc

Value:

v=DMARC1; p=none;

How to Use This DMARC Generator

Choose your policy - Start with "none" to monitor your email traffic before enforcing policies.
Add a reporting email - This is essential for understanding who is sending email on behalf of your domain.
Configure advanced options - Adjust alignment, percentage, and other settings as needed.
Copy the record - Add it as a TXT record in your DNS provider with the hostname _dmarc.
Verify - Use our DMARC Checker to confirm the record is published correctly.

DMARC Deployment Best Practices

Always start with p=none and monitor reports for at least 2-4 weeks before moving to enforcement.
Make sure all legitimate sending sources (marketing platforms, transactional email services, etc.) are authenticated with SPF and DKIM before enforcing DMARC.
Use pct= for gradual rollout when moving from none to quarantine or reject.
Set up a dedicated email address or use a DMARC report processing service for aggregate reports, as they can be high-volume.

Where to Add the Record

The DMARC record is a TXT record published at _dmarc.yourdomain.com. Log in to your DNS provider (GoDaddy, Cloudflare, Route 53, etc.) and create a new TXT record with the hostname set to _dmarc and the value set to the generated record above.

Frequently Asked Questions

A DMARC record is a DNS TXT entry that tells receiving mail servers how to handle emails that fail SPF and DKIM authentication checks. You need one because email providers like Google and Yahoo now require DMARC records, and without one, your emails may be blocked or sent to spam. DMARC also protects your domain from phishing and email spoofing attacks.

Use our free DMARC record generator above to configure your policy settings, reporting email addresses, and alignment preferences. The tool outputs a TXT record value that you then publish in your DNS by creating a new TXT record with the host set to _dmarc and pasting the generated value. Propagation typically takes a few minutes to 48 hours.

The p=none policy is monitoring-only and delivers all emails regardless of authentication results, recommended when first implementing DMARC. The p=quarantine policy sends failing emails to spam, while p=reject blocks them entirely. Start with p=none, then gradually move to p=quarantine, and finally p=reject once you have verified all legitimate email sources.

The rua tag specifies where daily aggregate DMARC reports are sent (XML summaries of authentication results). The ruf tag designates where forensic failure reports go. The pct tag controls what percentage of failing emails the policy applies to, allowing gradual rollout of stricter enforcement.

Yes, you must set up SPF and DKIM before implementing DMARC because DMARC relies on both protocols to determine email authenticity. Without SPF and DKIM in place, DMARC has no authentication results to evaluate and all your emails would fail DMARC checks.

DMARC alignment ensures the domain in the visible From header matches the domain authenticated by SPF or DKIM. Without alignment, an attacker could pass SPF or DKIM using their own domain but spoof yours in the From header. DMARC supports strict (exact match) and relaxed (subdomain match) alignment modes.

Yes, you can generate and publish separate DMARC records for subdomains by creating a TXT record at _dmarc.subdomain.yourdomain.com. If no subdomain-specific record exists, the subdomain inherits the parent domain's DMARC policy. You can also use the sp tag to set a default policy for all subdomains.

A DMARC record is a DNS TXT record at _dmarc.yourdomain.com that must begin with v=DMARC1 followed by semicolon-separated tags. The only required tags are v (version) and p (policy). A basic example: v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com. Optional tags include ruf, pct, adkim, aspf, sp, fo, and ri.