DMARC Record Generator

Generate a DMARC TXT record from policy and report settings.

DMARC (Domain-based Message Authentication, Reporting & Conformance) is an email authentication policy that builds on top of SPF and DKIM. It tells receiving servers how to handle messages that fail authentication (do nothing, quarantine, or reject) and lets you collect reports about who is sending mail using your domain. This generator lets you pick the policy (p), subdomain policy (sp), application percentage (pct), aggregate/forensic report addresses (rua/ruf), and alignment modes (adkim/aspf) to build a valid DMARC TXT record instantly.

Publish the generated value as a TXT record on the _dmarc subdomain of your domain. When rolling DMARC out, start with p=none to monitor, confirm legitimate mail passes via the reports, then gradually tighten to quarantine and reject. Everything runs in your browser and no input is sent anywhere.

DomainDomain the record applies to. e.g. example.com

Policy (p)Subdomain policy (sp)

Application percentage (pct)0–100. Default 100. Lower it to apply quarantine/reject to only some mail.Aggregate report address (rua)Email address. The mailto: prefix is added automatically. (optional)Forensic report address (ruf)Email address. The mailto: prefix is added automatically. (optional)

DKIM alignment (adkim)SPF alignment (aspf)

TXT value

DNS host name: _dmarc.example.com

Record type: TXT

v=DMARC1; p=none

p=none is a monitoring stage. It collects reports without blocking any mail, making it safe for initial rollout. Confirm legitimate flows in the reports before tightening to quarantine/reject.

DMARC tags at a glance

A DMARC record is a set of tag=value pairs separated by semicolons. The most common tags are:

v: Version. Always DMARC1 and must come first.
p: Domain policy. none (monitor only) / quarantine (send to spam) / reject (refuse delivery).
sp: Subdomain policy. If omitted, it inherits the value of p.
pct: Percentage of mail the policy applies to (0–100). For example pct=25 applies quarantine/reject to only 25% of messages for a gradual rollout.
rua: Address for aggregate reports, published as a mailto: URI.
ruf: Address for forensic (failure) reports. Many receivers no longer support it due to privacy concerns.
adkim / aspf: DKIM/SPF alignment mode. r (relaxed, default) or s (strict).

How to publish

Set the DNS host name to _dmarc.example.com (for the root domain). For a subdomain use _dmarc.sub.example.com.
Choose record type TXT.
Paste the value this tool generates and save.
After propagation, verify with a lookup such as dig TXT _dmarc.example.com.

A staged rollout strategy

Jumping straight to p=reject risks blocking legitimate mail. The recommended order is none → quarantine → reject. When moving to quarantine or reject, start pct at a low value and raise it toward 100 while watching the reports. The key prerequisite is making sure SPF and DKIM are aligned across every sending source first. After publishing the record, confirm it took effect with DMARC Record Lookup.

Frequently asked questions

Is configuring DMARC alone enough?

No. DMARC relies on the authentication results of SPF and DKIM. Set up SPF and DKIM with proper alignment first, then apply the DMARC policy so that legitimate mail is not blocked.

What is the difference between p=none and reject?

none takes no action and only collects reports — a monitoring stage. quarantine sends failing mail to spam, and reject refuses delivery entirely. Start with none when first deploying.

What is the difference between rua and ruf?

rua receives aggregate reports (XML summaries of authentication statistics), while ruf receives forensic reports with details about individual failing messages. Many receivers do not support ruf due to privacy concerns.

What is the difference between relaxed and strict for adkim/aspf?

relaxed (r) treats matching organizational domains (e.g. example.com) as aligned, while strict (s) requires an exact domain match. Relaxed is sufficient for most setups; use strict only when you need tighter control.

Are the email addresses I enter sent anywhere?

No. This tool assembles the record string entirely in your browser. The domain, emails, and policy values you enter are never sent to a server or any third party.

Related tools

Email →

Email Bounce Code Decoder

Explain 4xx/5xx SMTP bounce codes and how to fix them.

Email Header Analyzer

Analyze mail headers: hops, delays and SPF/DKIM/DMARC results.

SPF Record Lookup

Look up a domain's SPF TXT record and check syntax.

DMARC Record Lookup

Look up the _dmarc TXT record and explain its policy and tags.

DKIM Record Lookup

Look up the selector._domainkey TXT record for a DKIM public key.

Email Blacklist (DNSBL) Check

Check whether an IP is listed on major DNSBL blacklists.