Login Get Started
// free tool, no signup

Free DMARC Record Generator

Build a DMARC record from clear choices: your enforcement policy, where aggregate and forensic reports go, alignment mode, and a staged rollout percentage. The generator validates it as you go and gives you a copy-ready TXT record for _dmarc.yourdomain.com. Free, in your browser, nothing stored.

policy (p)

Monitoring only. You collect reports but receivers take no action. Start here, then tighten once reports look clean.

DKIM alignment (adkim)
SPF alignment (aspf)

DMARC is monitoring only

// dmarc txt record (publish at _dmarc.yourdomain.com)
v=DMARC1; p=none

Publish this as a TXT record at the host _dmarc on your domain.

DMARC is monitoring only
  • DMARC record Found pass
  • Policy p=none: monitoring only, no protection check
  • Aggregate reports No rua address, you receive no reports check
  • Subdomain policy Inherits p= (default) pass
  • Forensic reports Not set (optional) pass
  • SPF alignment relaxed (default) pass
  • DKIM alignment relaxed (default) pass
  • Coverage 100% of mail pass
  • Test mode Off pass

Generated a record? Confirm it resolves with the DMARC checker, then see where your mail lands with a free inbox placement test.

// what it is

What a DMARC record generator does

DMARC (Domain-based Message Authentication, Reporting and Conformance) tells receivers what to do with mail that fails SPF and DKIM alignment, and asks them to send you reports about it. This generator assembles the DMARC TXT record from plain options: the policy (none to monitor, quarantine to send failures to spam, or reject to refuse them), the addresses that receive aggregate (rua) and forensic (ruf) reports, the alignment mode for SPF and DKIM, and a pct value for rolling enforcement out gradually. It validates the result with the same checks as our DMARC checker. Publish the output at the _dmarc host on your domain. DMARC needs a passing, aligned SPF or DKIM, so set those up first.

// reading the result

How to read your result

  • p= policy

    p=none only monitors and collects reports, p=quarantine sends failing mail to spam, and p=reject refuses it outright. Begin at none to read your reports, then move to quarantine and reject once legitimate mail passes.

  • rua report address

    Where mailbox providers send daily aggregate reports. Point it at a mailbox or a DMARC reporting service so you can see who sends as your domain. Without it you collect nothing.

  • Alignment (adkim, aspf)

    Relaxed (the default) lets a subdomain align with the organizational domain; strict requires an exact match. Relaxed is right for most senders.

  • pct rollout

    Applies your policy to a share of mail, for example pct=25 during a staged rollout. Return it to 100 once you trust the policy. Note that pct was removed in the latest DMARC specification (RFC 9989, published 2026), which replaces it with a simpler t flag for test mode, so newer guidance favors moving straight to full enforcement.

  • sp subdomain policy

    Sets a separate policy for subdomains. Leave it to inherit p=, or set sp=reject to lock down subdomains you never send from.

// common issues

Common problems and fixes

Jumping straight to p=reject

Going to reject before checking reports can block legitimate mail you forgot about. Start at p=none, confirm your real senders pass, then tighten to quarantine and reject.

No rua address

A DMARC record with no rua tag gives you no visibility into who is sending as your domain or whether enforcement is safe. Always include at least one aggregate report address.

Publishing at the wrong host

DMARC lives at the _dmarc host, so the full name is _dmarc.yourdomain.com. Publishing it at the apex domain instead means receivers never find it.

DMARC without aligned SPF or DKIM

DMARC passes only when SPF or DKIM both authenticates and aligns with the From domain. If neither aligns, even legitimate mail fails DMARC. Fix SPF and DKIM first.

Leaving pct below 100 forever

A partial pct is for rollout, not a destination. While it is low, some failing mail escapes your policy. Once reports look clean, set it back to 100. The latest DMARC standard (RFC 9989) removes pct in favor of a test-mode t flag, so many senders now skip staged percentages and move straight to full enforcement.

// FAQ

Questions, answered.

How do I create a DMARC record?
Choose a policy (start with none), add an aggregate report address, keep relaxed alignment for most setups, then publish the record at _dmarc.yourdomain.com. Verify it with the DMARC checker.
Should I start with p=none or p=reject?
Start with p=none to monitor without affecting delivery. Read the aggregate reports until every legitimate sender passes, then move to p=quarantine and finally p=reject for full protection.
Where is the DMARC record published?
As a TXT record at _dmarc.yourdomain.com, not at the apex domain. One DMARC record per domain; subdomains can be covered by the sp tag or their own record.
Do I need SPF and DKIM for DMARC?
Yes. DMARC checks that SPF or DKIM both passes and aligns with the visible From domain. Set up SPF and DKIM first, then layer DMARC on top.
What is a rua address?
The mailbox that receives DMARC aggregate reports, the daily XML summaries from mailbox providers that show how mail using your domain authenticated. They are how you find unauthorized senders before tightening your policy.
// more free checks

Check the rest of your setup

// before you hit send

A clean record is step one. See where your email actually lands.

Run a free spam test → Inbox placement test