DMARC Record Generator

Build a valid DMARC TXT record for your domain. Select your policy, configure reporting, and get the exact DNS record to publish — with live preview and deployment guidance for MSPs and IT admins.

Domain: used in the DNS publishing instructions. Does not affect the record itself.
Policy p=none: monitoring only — no action taken on failing mail.
Aggregate reports (rua)

Aggregate reports are daily XML summaries sent by receiving mail servers — Microsoft, Google, Yahoo, and others — to the address you enter here.

These reports show:
  • Which servers are sending email using your domain
  • SPF pass/fail results per sending source
  • DKIM pass/fail results per sending source
  • DMARC pass/fail results per sending source
Example

[email protected]

✓ Recommended — configure this before enforcing quarantine or reject
Forensic reports (ruf)

Forensic reports are samples of individual messages that fail DMARC, sent in near-real-time to the address entered here.

Not all receiving providers send forensic reports. Many organizations skip this field due to privacy concerns — forensic reports may include message headers and partial content.

Example

[email protected]

Optional — most organizations leave this blank
Percentage (pct)

Percentage determines how much of your failing email is affected by the DMARC policy.

Examples
  • 100 — all failing messages are quarantined or rejected
  • 50 — roughly half of failing messages are affected
  • 10 — useful for gradual rollout when first enforcing

When p=none, this setting has no effect. It only applies with quarantine or reject.

✓ Recommended: 100 for full enforcement
Subdomain policy (sp)

Subdomain policy controls how DMARC applies to subdomains of your domain.

Examples of affected subdomains
  • mail.yourdomain.com
  • support.yourdomain.com
  • newsletter.yourdomain.com

If set to Inherit, subdomains use the same policy as the root domain. Use a separate subdomain policy only if your subdomains have different email setups.

✓ Recommended: Inherit for most deployments
DKIM
What is DKIM alignment?

DKIM alignment determines how closely the DKIM signing domain must match the domain in your From: header.

Relaxed (recommended)

Subdomain matches are allowed. A DKIM signature from mail.yourdomain.com satisfies alignment for yourdomain.com.

Strict

The signing domain must exactly match the From: header domain. Subdomains do not satisfy strict alignment.

✓ Recommended: Relaxed — use Strict only for specific security requirements
SPF
What is SPF alignment?

SPF alignment determines how closely the SPF-authenticated domain (the envelope From / Return-Path) must match the domain in your From: header.

Relaxed (recommended)

Subdomain matches are allowed. An envelope sender of bounce.yourdomain.com satisfies alignment for yourdomain.com.

Strict

The envelope From domain must exactly match the From: header domain. This can cause failures with common email infrastructure.

✓ Recommended: Relaxed for most organizations
Generated DMARC Record
Publish to DNS
Name _dmarc.yourdomain.com
Type TXT
Value
TTL 3600 (1 hour)
No reporting address is configured. You will not receive DMARC reports and cannot monitor compliance.

What is DMARC?

DMARC — Domain-based Message Authentication, Reporting and Conformance — is an email authentication policy that builds on top of SPF and DKIM. It tells receiving mail servers what to do when a message fails authentication checks, and where to send reports about those failures.

Without DMARC, anyone can send email with your domain in the From: address. DMARC closes that gap by giving domain owners direct control over how unauthenticated mail is handled — from monitoring only, through quarantining to spam, up to full rejection.

For MSPs: DMARC is now a baseline deliverability and anti-spoofing requirement. Microsoft 365 and Google Workspace both use DMARC signals when filtering inbound mail. Clients without a DMARC record are easier to impersonate and may have mail rejected by strict receivers.

DMARC policies: none, quarantine, and reject

The p= tag is the most important part of a DMARC record. It controls what happens when a message fails DMARC authentication.

| Policy | Effect on failing mail | When to use |
|---|---|---|
| p=none | Delivered normally. Results reported to rua/ruf. | First deployment. Observe and map all senders. |
| p=quarantine | Sent to spam or junk folder. | After reviewing reports and identifying all legitimate senders. |
| p=reject | Rejected outright by the receiving server. | Full enforcement. Use after confirming all mail passes authentication. |

Recommended deployment stages

  1. p=none with rua address — collect reports for 2–4 weeks.
  2. p=quarantine; pct=10 — apply to 10% of failing mail, monitor reports.
  3. p=quarantine; pct=100 — full quarantine, continue reviewing reports.
  4. p=reject; pct=100 — full enforcement once confident all senders pass.

Common sources that need DMARC alignment

  • Primary mail server (Microsoft 365, Google Workspace)
  • Marketing email platforms (Mailchimp, Constant Contact, HubSpot)
  • Transactional email services (SendGrid, Postmark, Mailgun)
  • CRM systems that send on behalf of the domain
  • Helpdesk platforms (Zendesk, Freshdesk)
  • Automated notification systems and monitoring alerts

DMARC reports: rua and ruf explained

Aggregate reports (rua)

Sent daily to the rua address as XML files. Each report contains:

  • Total message counts
  • Pass/fail breakdown by sending IP
  • SPF and DKIM result per source
  • Policy applied

Aggregate reports are the primary visibility tool for DMARC. Use them to identify all services sending mail on behalf of your domain before enforcing quarantine or reject.

Forensic reports (ruf)

Sent per-failure as individual message samples. They can include:

  • Full message headers
  • Authentication failure detail
  • Partial message content (varies by registry)

Forensic reports are optional and increasingly restricted — many receiving servers no longer send them due to privacy regulations. They are useful for debugging specific failures but should not be the primary reporting mechanism.

Frequently asked questions

What is DMARC and how does it work?

DMARC (Domain-based Message Authentication, Reporting and Conformance) is an email authentication policy that builds on SPF and DKIM. When a receiving server gets an email, it checks whether the message passes SPF and DKIM. DMARC tells the server what to do if those checks fail — deliver, quarantine, or reject — and where to send reports. Without DMARC, anyone can forge your domain's From: address in outbound email.

What is the difference between p=none, p=quarantine, and p=reject?

p=none is monitoring mode — failing messages are delivered normally and results are reported. p=quarantine sends failing messages to the spam folder. p=reject causes the receiving server to reject the message outright. Start with p=none to collect data, move to quarantine as you gain confidence, then enforce p=reject once all legitimate senders pass authentication.

Why should I add a reporting address (rua)?

Without an rua address, your DMARC record enforces policy blindly — you can't see which senders are passing or failing, which makes it impossible to safely progress from p=none to quarantine or reject. Aggregate reports sent to your rua address show every service sending mail for your domain, their IP addresses, and their authentication results. This data is essential for identifying legitimate senders that need to be configured before you enforce.

What does pct mean in a DMARC record?

pct (percentage) controls what percentage of failing messages the policy applies to. At pct=100, every failing message is quarantined or rejected. At pct=10, only 10% are affected. This allows gradual rollout — you can start at pct=10, review reports, and increase toward pct=100 as you confirm legitimate mail is not affected. The pct tag has no effect with p=none.

What is DMARC alignment and which mode should I use?

Alignment determines how closely the From: header domain must match the domain used in SPF or DKIM authentication. Relaxed alignment allows subdomains to satisfy the check — mail from newsletter.example.com passes alignment for example.com. Strict alignment requires an exact match. Most organizations use relaxed (the default) to accommodate subdomains and third-party sending services. Only choose strict if you have a specific security requirement.
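
The relaxed and strict comparisons can be written out as follows. This is an added example, not this tool's code: the three-entry suffix set is a constructed stand-in for the Public Suffix List, and the function names are hypothetical.

```python
# Constructed stand-in for the Public Suffix List; real checks load the full list.
PUBLIC_SUFFIXES = {"com", "org", "co.uk"}

def org_domain(domain):
    """Organizational domain: the longest public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):          # i = 0 tests the longest candidate first
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])          # unknown suffix: assume a one-label TLD

def aligned(from_domain, auth_domain, mode="r"):
    """mode 's' (strict): exact match. mode 'r' (relaxed): same organizational domain."""
    a = from_domain.lower().rstrip(".")
    b = auth_domain.lower().rstrip(".")
    if mode == "s":
        return a == b
    # Compare organizational domains rather than using endswith(), so that
    # notyourdomain.com never aligns with yourdomain.com.
    return org_domain(a) == org_domain(b)

def check_alignment(header_from, envelope_from, dkim_d, aspf="r", adkim="r"):
    """Alignment of the SPF (envelope) and DKIM (d=) domains with the From: domain."""
    return {"spf": aligned(header_from, envelope_from, aspf),
            "dkim": aligned(header_from, dkim_d, adkim)}

if __name__ == "__main__":
    print(check_alignment("yourdomain.com", "bounce.yourdomain.com",
                          "mail.yourdomain.com", aspf="s"))
```

The co.uk entry shows why a suffix list is needed: without it, two unrelated registrants under co.uk would be treated as the same organization.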

Where do I publish the DMARC TXT record?

Publish the record as a DNS TXT entry at _dmarc.yourdomain.com. For example.com, the record name is _dmarc.example.com with type TXT and a TTL of 3600. Add it in your DNS control panel — Cloudflare, GoDaddy, Route 53, or wherever your DNS is hosted. After publishing, use a DNS Lookup or DMARC validator tool to verify the record is live and correctly formatted.

Does DMARC replace SPF and DKIM?

No — DMARC requires both. It references SPF and DKIM results but does not replace them. If you add DMARC without a working SPF record and DKIM signing, legitimate mail will fail authentication. The correct order is: configure SPF → configure DKIM → add DMARC in p=none → collect reports → enforce. Use the SPF / DKIM / DMARC Validator tool on this site to check your current record status.

What is the subdomain policy (sp) in DMARC?

sp sets a separate policy for subdomains. If omitted, subdomains inherit the main p= value. sp=none explicitly exempts subdomains from enforcement — useful if you run marketing or transactional services from subdomains not yet configured for full DMARC compliance. sp=reject enforces full rejection on subdomains regardless of the root domain policy.