DMARC Record Generator

Create a valid DMARC policy and DNS TXT record instantly.

Generate a DMARC TXT record value and the correct DNS host name.

Enter the domain you want to protect. The DMARC host will be _dmarc.<domain>.
Comma/space separated emails. The tool will format mailto: URIs automatically.
Common value: 86400 (daily).
Enable this if you want to explicitly set a subdomain policy.
Tip: Start with p=none and a working rua mailbox to monitor reports before enforcing.

About DMARC Record Generator

DMARC Record Generator – create a DMARC TXT record

Use this DMARC Record Generator to build a valid DMARC policy in seconds and publish it as a DNS TXT record. Whether you’re tightening spoofing protection or simply starting with reporting-only mode, this tool helps you assemble the correct tags, avoid syntax mistakes, and understand what each setting does.

DMARC works alongside SPF and DKIM to protect your domain from phishing and unauthorized email sending. With the right policy and reporting addresses, you can monitor who is sending mail on your behalf and gradually enforce stronger controls without breaking legitimate email flows.

How It Works

DMARC (Domain-based Message Authentication, Reporting, and Conformance) is published as a TXT record at _dmarc.yourdomain.com. Receiving mail servers evaluate SPF and DKIM results, then apply your DMARC policy to decide whether to deliver, quarantine, or reject messages that fail alignment rules. This generator takes your choices (policy, alignment, reporting, and optional tags) and outputs the exact TXT value you can paste into your DNS provider.

Steps

  • 1) Enter your domain – The tool prepares the correct host name: _dmarc.<domain>.
  • 2) Choose a policy – Start with none to collect reports, then move to quarantine or reject when confident.
  • 3) Configure alignment – Select relaxed or strict alignment for DKIM (adkim) and SPF (aspf).
  • 4) Add reporting – Provide aggregate report recipients (rua) and optional forensic recipients (ruf).
  • 5) Generate and copy – Paste the TXT value into DNS and wait for propagation.
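
The steps above, written out as an added Python sketch (not this tool's own code). The function names `format_report_uris` and `build_dmarc` and the sample addresses are hypothetical; input that would yield a broken record is rejected rather than emitted.

```python
# Added illustration; names are hypothetical, not the generator's implementation.
import re

POLICIES = {"none", "quarantine", "reject"}
ALIGNMENT = {"r", "s"}
_EMAIL = re.compile(r"^[^@\s;!]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def format_report_uris(raw):
    """Turn 'a@x.com, b@x.com' or 'a@x.com b@x.com' into a mailto: URI list."""
    uris = []
    for item in re.split(r"[,\s]+", raw.strip()):
        if not item:
            continue
        addr = item[len("mailto:"):] if item.lower().startswith("mailto:") else item
        if not _EMAIL.match(addr):
            raise ValueError(f"not a valid report address: {item!r}")
        uris.append("mailto:" + addr)
    return ",".join(uris)


def build_dmarc(domain, policy="none", rua="", ruf="", adkim=None, aspf=None,
                pct=None, sp=None, ri=None):
    """Return (host, txt_value); raise ValueError on input that would not be valid."""
    domain = domain.strip().rstrip(".").lower()
    if not re.fullmatch(r"([a-z0-9-]+\.)+[a-z0-9-]{2,}", domain):
        raise ValueError(f"bad domain: {domain!r}")
    if policy not in POLICIES or (sp is not None and sp not in POLICIES):
        raise ValueError("p and sp must be none, quarantine or reject")
    for name, mode in (("adkim", adkim), ("aspf", aspf)):
        if mode is not None and mode not in ALIGNMENT:
            raise ValueError(f"{name} must be r or s")
    if pct is not None and not 0 <= int(pct) <= 100:
        raise ValueError("pct must be 0-100")
    if ri is not None and int(ri) <= 0:
        raise ValueError("ri must be a positive number of seconds")
    # v must be the first tag; p is emitted right after it, then the optional tags.
    tags = [("v", "DMARC1"), ("p", policy), ("sp", sp),
            ("adkim", adkim), ("aspf", aspf), ("pct", pct), ("ri", ri),
            ("rua", format_report_uris(rua) or None),
            ("ruf", format_report_uris(ruf) or None)]
    value = "; ".join(f"{k}={v}" for k, v in tags if v is not None)
    return "_dmarc." + domain, value
```

Unset options are left out of the value, so a first record built with only a domain and a `rua` address stays as short as the baseline the page recommends.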

Key Features

Policy builder with safe defaults

Select p=none to begin in monitoring mode. This is the recommended starting point for most domains because it does not block mail while you learn which sources are sending on your behalf. When you are ready, switch to p=quarantine (spam folder) or p=reject (block) for stronger enforcement.

Alignment controls (adkim and aspf)

DMARC requires “identifier alignment” between the visible From: domain and the domains authenticated by DKIM and SPF. Relaxed alignment is more forgiving and often easier when multiple subdomains or third-party senders are involved. Strict alignment offers tighter protection but can require careful DKIM/SPF setup across all systems.

Reporting address formatting

DMARC reporting uses mailto: URIs. The generator accepts one or multiple emails and formats them into a comma-separated list. Aggregate reports (RUA) are typically XML summaries sent daily, while forensic reports (RUF) may include message samples and can be restricted by providers or privacy rules.

Percent rollout (pct)

When enforcing quarantine or reject, you can use pct to apply the policy to only a percentage of failing messages. This is a practical way to reduce risk while you validate that legitimate mail is aligned correctly.

Copy-friendly output for DNS providers

Different DNS dashboards label fields differently (Host/Name vs. Record vs. Value). The result panel includes the host name and the TXT value, so you can copy exactly what you need with fewer mistakes.

Use Cases

  • Launching DMARC on a new domain – Publish p=none with RUA reporting to get visibility without disruption.
  • Reducing phishing and brand spoofing – Move to p=quarantine or p=reject after confirming alignment for legitimate mail streams.
  • Auditing third-party senders – Reports reveal which vendors send mail using your domain, helping you enforce DKIM signing and SPF authorization.
  • Hardening transactional email – Ensure password resets, invoices, and notifications are aligned and protected against spoofing.
  • Monitoring subdomains – Use sp to set a distinct policy for subdomains if you have separate mail sources or want a staged rollout.

In practice, the most effective DMARC rollout starts with reporting-only, followed by incremental enforcement. The generator is designed to support this journey: build a simple baseline record first, then iterate as you learn from real-world reports.

Optimization Tips

Start with reporting-only, then enforce gradually

Begin with p=none and a valid rua mailbox you actively monitor. After you’ve confirmed all legitimate sources pass alignment, switch to p=quarantine with pct set to 10–50%. Increase the percentage over time until you reach 100%, then consider p=reject for maximum protection.

Keep SPF and DKIM healthy across every sender

DMARC does not replace SPF or DKIM; it depends on them. Ensure each platform that sends mail for your domain is either covered by SPF (and doesn’t exceed DNS lookup limits) or signs with DKIM using your domain. If a vendor can’t align DKIM or SPF properly, consider using a dedicated subdomain for that vendor.

Use strict alignment only when you’re confident

Strict alignment (adkim=s, aspf=s) can reduce abuse, but it can also break legitimate flows if any sender uses a different domain for DKIM signing or MAIL FROM. Roll out strict settings after reports show consistent alignment across your ecosystem.

FAQ

DMARC is published at _dmarc.<your-domain>. In many DNS providers, the “Host” or “Name” field should be _dmarc (and the provider appends your zone automatically). This tool shows both the host and the full record to help you match your provider’s format.

For most organizations, yes. p=none enables reporting without blocking mail. Once you confirm legitimate senders align with SPF or DKIM, you can move toward quarantine or reject using pct for a gradual rollout.

RUA is aggregate reporting: periodic summaries (often daily) showing authentication outcomes by sender and IP. RUF is forensic reporting: message-level failure details that may include limited content, depending on the receiver and privacy policies. Many providers send RUA reliably; RUF support varies.

They control alignment strictness. adkim applies to DKIM and aspf applies to SPF. Relaxed (r) allows subdomain relationships; strict (s) requires an exact match to the From: domain. Strict settings can improve security but may require more careful sender configuration.

It depends on DNS propagation and caching. Many changes are visible within minutes, but some environments can take longer. After publishing, you can verify with DNS lookups and by watching for incoming DMARC reports at your RUA mailbox.

Why Choose This Tool

DMARC records are simple in concept but easy to misconfigure: missing semicolons, incorrect tag names, and improperly formatted reporting URIs can cause receivers to ignore your policy. This generator focuses on correctness and clarity so you can publish a syntactically valid record on the first try.

Beyond output, the tool encourages a safe rollout approach: start with monitoring, validate alignment, then enforce gradually. When combined with well-maintained SPF and DKIM, DMARC becomes a powerful layer of protection for your brand and your recipients.

Deep Dive: Understanding DMARC Tags

A DMARC record is made of tag-value pairs separated by semicolons. Some tags are required, while others are optional but highly useful. The generator exposes the most practical tags for real-world deployment, so you can start small and extend later without rewriting the record from scratch.

Required tags

  • v – Version. For DMARC this is always DMARC1.
  • p – Policy for the organizational domain. Choose none, quarantine, or reject.

Common optional tags

  • rua – Aggregate report recipients. Use a dedicated mailbox or a DMARC analysis service.
  • ruf – Forensic report recipients. Not all receivers send these, and content may be redacted.
  • pct – Percentage of failing messages to which the policy applies (useful for staged rollouts).
  • adkim and aspf – DKIM and SPF alignment modes (relaxed or strict).
  • sp – Policy for subdomains, letting you treat subdomain mail differently from the parent domain.
  • fo – Failure reporting options that influence when forensic reports may be generated.
  • ri – Requested interval for aggregate reports, in seconds (commonly 86400 for daily).

Most organizations only need a subset at first: v, p, and rua. As your program matures, you can refine alignment, add subdomain policy, and tune rollout percentage to balance security and deliverability.
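
To check a record that is already published (or hand-edited) against the tag rules above, a small linter helps. This is an added Python example, not part of the tool; `parse_dmarc` and `lint_dmarc` are hypothetical names, and the checks cover only the tags listed on this page.

```python
# Added illustration; names are hypothetical. Covers the tags listed above only.
KNOWN = {"v", "p", "sp", "rua", "ruf", "pct", "adkim", "aspf", "fo", "ri"}
POLICY_VALUES = {"none", "quarantine", "reject"}


def parse_dmarc(txt):
    """Split a TXT value into ordered (tag, value) pairs; value is None if '=' is absent."""
    pairs = []
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue  # a trailing semicolon leaves an empty part
        tag, sep, value = part.partition("=")
        pairs.append((tag.strip().lower(), value.strip() if sep else None))
    return pairs


def lint_dmarc(txt):
    """Return a list of problems that could make receivers ignore or misread the record."""
    pairs = parse_dmarc(txt)
    problems = []
    if not pairs or pairs[0] != ("v", "DMARC1"):
        problems.append("record must start with v=DMARC1")
    tags = {}
    for tag, value in pairs:
        if value is None:
            problems.append(f"'{tag}' has no '=' (missing semicolon or value?)")
        elif tag not in KNOWN:
            problems.append(f"unknown tag '{tag}'")
        elif tag in tags:
            problems.append(f"duplicate tag '{tag}'")
        else:
            tags[tag] = value
    if "p" not in tags:
        problems.append("required tag p is missing")
    for tag in ("p", "sp"):
        if tag in tags and tags[tag].lower() not in POLICY_VALUES:
            problems.append(f"{tag} must be none, quarantine or reject")
    for tag in ("adkim", "aspf"):
        if tag in tags and tags[tag].lower() not in ("r", "s"):
            problems.append(f"{tag} must be r or s")
    if "pct" in tags and not (tags["pct"].isdigit() and int(tags["pct"]) <= 100):
        problems.append("pct must be an integer from 0 to 100")
    for tag in ("rua", "ruf"):
        for uri in tags.get(tag, "").split(","):
            if uri.strip() and not uri.strip().lower().startswith("mailto:"):
                problems.append(f"{tag} entry '{uri.strip()}' is not a mailto: URI")
    return problems
```

A missing semicolon shows up indirectly: in `v=DMARC1; p=none rua=mailto:dmarc@example.com` the whole tail becomes the value of `p`, which then fails the policy check.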

Deliverability and Deployment Notes

Publishing a DMARC record is only one part of a successful email authentication strategy. To get reliable results, confirm that your primary mail streams are aligned. For example, if your transactional email provider signs DKIM with a provider-owned domain instead of your domain, DMARC may fail even if DKIM passes. In that scenario, ask the provider to enable custom DKIM for your domain or route mail through a subdomain you control.

Similarly, SPF alignment depends on the Return-Path / MAIL FROM domain used during SMTP. Many systems use a bounce domain that can be customized. If you cannot align SPF for a given sender, focus on DKIM alignment instead—DMARC passes if either SPF or DKIM passes and aligns with the From: domain.
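
The alignment rule from the last two paragraphs, as an added Python example (not the tool's code, and not how any particular receiver implements it). All names and domains are hypothetical, and the organizational domain is approximated as the last two labels; real receivers use the Public Suffix List.

```python
# Added illustration; names are hypothetical. Inputs are the receiver's SPF/DKIM verdicts.

def org_domain(domain):
    """ASSUMPTION: organizational domain = last two labels. Real receivers consult
    the Public Suffix List, which this sketch does not (so no 'example.co.uk')."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """mode 's' (strict): exact match; mode 'r' (relaxed): same organizational domain."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def dmarc_result(from_domain, spf_pass, mail_from, dkim_sigs, adkim="r", aspf="r"):
    """dkim_sigs: list of (verified, d_domain), one per DKIM signature on the message."""
    spf_ok = spf_pass and aligned(mail_from, from_domain, aspf)
    dkim_ok = any(ok and aligned(d, from_domain, adkim) for ok, d in dkim_sigs)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if spf_ok or dkim_ok else "fail"}


# Constructed cases for From: example.com (all domains are placeholders).
def vendor_default():      # vendor signs and bounces with its own domain
    return dmarc_result("example.com", True, "bounce.vendor.example",
                        [(True, "vendor.example")])


def vendor_custom_dkim():  # same bounce domain, plus a signature with d=example.com
    return dmarc_result("example.com", True, "bounce.vendor.example",
                        [(True, "vendor.example"), (True, "example.com")])


def subdomain_signer(adkim):  # d=mail.example.com: relaxed aligns, strict does not
    return dmarc_result("example.com", False, "", [(True, "mail.example.com")],
                        adkim=adkim)
```

`vendor_default()` fails DMARC even though SPF and DKIM both pass, which is the provider-owned-domain scenario described above; adding the custom DKIM signature is enough to pass without touching SPF.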

Finally, keep your record readable. While whitespace is typically tolerated, some DNS interfaces wrap long TXT values. If your record becomes long (for example, many reporting URIs), your DNS provider may split the TXT value into multiple quoted strings automatically. That is normal; receiving systems will concatenate them.