DMARC Record Generator

Generate a valid DMARC (_dmarc) TXT record by filling in your domain, policy, and reporting addresses. The tool outputs both the DNS host and the exact TXT value to paste into your registrar or DNS provider. Follow the built-in rollout guide to go from monitoring to full enforcement safely — skipping straight to p=reject without a test period can silently drop legitimate mail.

How to use the DMARC Record Generator

Fill in your domain (e.g. example.com), choose a policy, and add at least one aggregate report (rua) address so you get visibility into mail flow. Click Generate Record and copy the output into your DNS provider.

The output shows two lines: the DNS Host (e.g. _dmarc.example.com) and the TXT Value to paste in. Add a TXT record at the DNS host with that value.

  1. Start with p=none and an rua address. This monitors without blocking. Let reports arrive for 1–4 weeks. Use a DMARC report analyser to identify every sending source.
  2. Switch to p=quarantine pct=10. A small percentage of failing messages goes to spam. Watch for complaints. Gradually raise pct to 100 over 2–4 weeks.
  3. Switch to p=reject. Failing messages are rejected at the gateway. You are fully protected against domain spoofing.

The adkim and aspf alignment settings control how strictly the From: domain must match the DKIM signing domain and the SPF envelope sender domain. Relaxed (default) allows subdomains to match; strict requires an exact match.

What is a DMARC record?

DMARC (Domain-based Message Authentication, Reporting & Conformance) is an email authentication protocol that ties together SPF and DKIM results and lets domain owners specify what should happen to messages that fail both checks. It is published as a TXT record at _dmarc.<yourdomain> and is recognised by all major mail receivers (Gmail, Outlook, Yahoo Mail, etc.).

Without DMARC, a malicious sender can put any address in the From: header — including your domain — and SPF/DKIM checks alone will not stop it from reaching inboxes. DMARC closes this gap by adding the policy (p=) tag: mail receivers check whether the From: domain aligns with the authenticated SPF or DKIM domain; if it does not and a policy is set to quarantine or reject, the message is acted on accordingly. The reporting tags (rua, ruf) let you receive aggregate XML reports (sent once daily by most receivers) and optional forensic samples of failing messages so you can identify misconfigurations before moving to enforcement.

DMARC does not guarantee deliverability on its own — your sending infrastructure still needs valid SPF and DKIM records configured. What it does is tell receivers they can trust the authentication signals you have set up, and it gives you structured data to find and fix sources that are not signing correctly. It is a prerequisite for BIMI (brand logo display in email clients) and improves domain reputation scores at major email providers.

Common use cases

  • Spoofing protection — prevent attackers from sending phishing email that appears to come from your domain, protecting both customers and employees.
  • Business email rollout — add DMARC before migrating to a new ESP, so you discover unsigned mail streams during the p=none monitoring phase, not after rejections start.
  • Subdomain policy — use sp=reject on a sending domain that has no legitimate subdomains, blocking wildcard spoofing without affecting the main domain rollout pace.
  • Compliance requirements — PCI-DSS v4.0 and DISA STIGs require DMARC. Use p=reject plus a rua address to satisfy audit controls.
  • BIMI prerequisite — BIMI requires DMARC at p=quarantine or p=reject with pct=100 before a logo is shown in Gmail, Apple Mail, or Yahoo.
  • Third-party sender visibility — aggregate reports reveal mail sent by CRM, marketing, and support tools you authorised but forgot to add to SPF/DKIM, letting you fix authentication gaps.

Frequently asked questions

Do I need SPF and DKIM before adding DMARC?
Yes. DMARC evaluates SPF and DKIM alignment results. A DMARC record without working SPF and DKIM is harmless but provides no authentication — all messages will fail DMARC alignment and the policy (if set to quarantine/reject) will start blocking legitimate mail.

What does pct do?
The pct tag applies the policy to that percentage of messages that fail DMARC. pct=10 means the policy acts on 10% of failing mail; the other 90% are treated as if the policy were none. It is a safe rollout mechanism — raise it over time as you confirm no legitimate mail is failing.

Can I have multiple rua or ruf addresses?
Yes. Separate multiple mailto URIs with a comma in the tag value, e.g. rua=mailto:[email protected],mailto:[email protected]. Most third-party DMARC report processors provide their own address you add alongside yours.

What is the difference between relaxed and strict alignment?
Relaxed alignment (the default) allows the authenticated domain to be a parent or sibling of the From: domain, so mail.example.com aligns with example.com. Strict alignment requires an exact match. Use strict only if all your mail streams sign with the exact From: domain.

Will DMARC stop all phishing using my domain?
DMARC prevents direct-domain spoofing (the From: header showing your exact domain) when p=reject is in place. It does not stop lookalike domains (examp1e.com), display-name spoofing, or compromised accounts — those require separate controls.