DMARC Record Generator

1. Your domain

2. Enforcement policy (p)

none — monitor only quarantine — send to spam reject — block

3. Where should reports go?

Aggregate reports (rua)

Forensic reports (ruf, optional)

4. Advanced (optional)

Percentage of mail to apply policy (pct)

Report interval seconds (ri)

Subdomain policy (sp)

SPF alignment (aspf)

DKIM alignment (adkim)

Your DMARC record

Add this as a TXT record at _dmarc.yourdomain.com

v=DMARC1; p=none

What is a DMARC record?

DMARC ties SPF and DKIM together and tells receiving mail servers what to do when a message claiming to be from your domain fails authentication — and where to send reports about it. It's the record that actually stops attackers from spoofing your domain, and it gives you visibility into who is sending mail as you.

Start at none, end at reject

The safe rollout is: publish p=none with a reports address, watch the aggregate reports for a few weeks to confirm your legitimate senders pass, then move to p=quarantine, and finally p=reject for full protection. Never jump straight to reject — you risk blocking your own mail.

Reading your reports

DMARC aggregate (rua) reports arrive as XML, which is hard to read by hand. Paste them into our DMARC Report Analyzer to see your sending sources and pass rate at a glance.

Frequently asked questions

Where exactly does the DMARC record go?

As a TXT record on the special host _dmarc.yourdomain.com — not on the root domain. This generator shows the exact host name to use.

Do I need SPF and DKIM first?

Yes. DMARC works by checking SPF and DKIM alignment, so set those up first. A DMARC record with no working SPF/DKIM will fail all your mail once you enforce it.

What is alignment (relaxed vs strict)?

Alignment checks that the domain authenticated by SPF/DKIM matches the visible From domain. Relaxed allows subdomains to match; strict requires an exact match. Relaxed is the usual choice.