DMARC Record Generator
Build a correct DMARC record in seconds — pick your policy, add your reporting address, and copy the exact TXT record to publish in DNS. Free, no signup.
Used to show the exact host name to publish — the record itself doesn't contain it.
Start at none to observe, then tighten once reports look clean.
Where daily XML summaries are sent. Comma-separate multiple addresses.
Advanced options (sp, alignment, pct, ruf)
Subdomains inherit p unless you set this. Attackers love unused subdomains — reject is a strong choice once you're at enforcement.
Relaxed allows subdomain matches (mail.yourdomain.com signs for yourdomain.com). Strict requires an exact match — most domains should stay relaxed.
Same idea for the SPF (Return-Path) domain.
Applies quarantine/reject to a percentage of failing mail during rollout. Retired in DMARCbis — use briefly if at all.
Per-message failure samples. Rarely sent by large providers; contains message data.
Your DMARC record
Publish this as a TXT record in your DNS.
_dmarc.yourdomain.com
v=DMARC1; p=none;
Record type: TXT · TTL: your provider's default (e.g. 3600) is fine.
After you publish
- Add the TXT record at your DNS host and allow up to an hour for propagation.
- Verify it with the free DMARC checker.
- Watch your aggregate reports, fix SPF and DKIM for every legitimate sender, then step up to quarantine and reject.
What is a DMARC record generator?
A DMARC record is a single TXT entry in your DNS that tells receiving mail servers what to do with messages that fail SPF and DKIM alignment — and where to send reports about them. The syntax is simple but unforgiving: a misplaced tag or a missing mailto: prefix and receivers ignore the record entirely. This generator assembles the record from plain-language choices, flags the mistakes we see most often (no reporting address, sampling at p=none, strict alignment breaking subdomain senders), and gives you the exact host and value to paste into your DNS provider. Once it's live, verify it with the DMARC checker and read the full guide to creating a DMARC record.
Email authentication knowledge base
Every tag you can put in a DMARC record, explained.
- vVersion
- The Version tag is essential in a DMARC record and must strictly be set to ‘DMARC1’. If this value is not correctly specified or if the tag is absent, the DMARC record will not be considered valid and will be disregarded.
- pDMARC policy
- The DMARC policy setting is crucial and accepts three possible values: ‘none’, ‘quarantine’, or ‘reject’. By default, it is set to ‘none’, which means it doesn’t actively intervene with emails that fail authentication. This setting primarily serves to gather DMARC reports, aiding in understanding the existing email traffic and its authentication status. On the other hand, the ‘quarantine’ option flags unauthenticated emails as dubious, and ‘reject’ outright prevents their delivery.
- ruaAggregate report destination
- The destination for sending aggregate reports is specified using a ‘mailto:’ URI, which Email Service Providers (ESPs) utilize to dispatch failure reports. While this tag is not mandatory, omitting it means you will not receive any reports.
- rufForensic report destination
- The destination for Forensic (Failure) report transmission is designated by a ‘mailto:’ URI, which is employed by Email Service Providers (ESPs) for the delivery of failure reports. Although this tag is not obligatory, failing to include it will result in not receiving any reports.
- spSubdomain policy
- The policy for subdomains defaults to inheriting the main domain’s policy tag (p=), as previously described, unless explicitly stated otherwise. Similar to the domain policy, the permissible values for subdomains are ‘none’, ‘quarantine’, or ‘reject’. However, this option is not commonly employed in current practices.
- adkimDKIM alignment
- The alignment of the DKIM signature, indicated by this tag, refers to the congruence between the DKIM domain and the originating domain in the ‘Header From’. The acceptable values for this tag are ‘r’ for relaxed and ‘s’ for strict. The default setting, ‘r’, permits a partial match between these domains, whereas the ‘s’ setting demands an exact match of the domains.
- aspfSPF alignment
- This tag pertains to the SPF alignment, which concerns the compatibility between the SPF domain (the sender) and the domain in the ‘Header From’. It allows two settings: ‘r’ for relaxed and ‘s’ for strict. By default, it is set to ‘r’, which tolerates a partial match between the domains. In contrast, the ‘s’ setting necessitates an exact correspondence of the domains.
- foForensic reporting options
- The options for forensic reporting include ‘0’, ‘1’, ‘d’, and ‘s’. The default setting is ‘0’, which triggers a forensic report only when both SPF and DKIM alignments do not pass. Use ‘1’ if the outcome of either SPF or DKIM is anything other than a pass. The option ‘d’ is selected to generate a report specifically for DKIM validation failures, and ‘s’ is used for SPF-related issues. To actually receive these forensic reports, it’s necessary to specify the ‘ruf’ tag.
- rfFailure report format
- The format for failure report generation can be set to either ‘afrf’ or ‘iodef’, as these are the two permissible options.
- pctPercentage
- The Percentage tag is relevant exclusively for domains operating under a ‘quarantine’ or ‘reject’ policy. It specifies the proportion of email failures to which the chosen policy should apply. The remainder is managed under a less stringent policy. For instance, with ‘pct=70’ set on a domain with a ‘quarantine’ policy, this policy is enforced on only 70% of failed emails, while the other 30% are treated as if under a ‘none’ policy. Similarly, for a domain with ‘p=reject’ and ‘pct=70’, the ‘reject’ policy is applied to 70% of failures, with the remaining 30% defaulting to ‘quarantine’.
- riReporting interval
- The Reporting interval specifies how often XML reports are received, measured in seconds. The standard setting is 86400 seconds, which equates to daily reporting. However, it’s important to note that despite the specified interval, Internet Service Providers (ISPs) typically send these reports on their own schedules, which in most cases, is also once a day.