DMARC Record Generator

Build DMARC DNS TXT records with customizable policy, reporting, alignment, and enforcement options.

  1. Home
  2. Hash & Security
  3. DMARC Record Generator

Reporting

Email to receive aggregate DMARC reports (XML).

Email to receive forensic (failure) reports.


Enforcement & Alignment

Percentage of messages to apply policy to (1-100).

Report interval in seconds (default 86400 = 24h).


DMARC DNS TXT Record

Add this as a TXT record for _dmarc.<yourdomain.com> in your DNS zone.

What Is a DMARC Record Generator?

Domain-based Message Authentication, Reporting & Conformance (DMARC) is an email authentication protocol that tells receiving mail servers how to handle email that fails SPF or DKIM checks. It is published as a DNS TXT record at _dmarc.yourdomain.com and works alongside SPF and DKIM to provide comprehensive email authentication.

A DMARC record specifies the policy (p=none, p=quarantine, or p=reject), where to send reports (RUA for aggregate, RUF for forensic), alignment requirements for DKIM and SPF, and optional parameters like percentage (pct) and subdomain policy (sp). The recommended starting point is p=none (monitoring) to gather data, then gradually tighten to p=quarantine and finally p=reject.

DMARC helps prevent email spoofing, phishing, and domain impersonation. Major email providers like Gmail, Yahoo, and Microsoft use DMARC policies to decide whether to deliver, quarantine, or reject email that claims to be from your domain.

How to Use This DMARC Record Generator

  1. Enter your domain — Type the domain you want to protect.
  2. Set your policy — Start with p=none to monitor without affecting delivery. Once you've verified SPF and DKIM work, move to p=quarantine then p=reject.
  3. Configure reports — Enter email addresses for RUA and RUF to receive DMARC reports. Use a dedicated email address or a DMARC analysis service.
  4. Adjust alignment — Use Relaxed (r) alignment for most setups. Strict (s) requires an exact domain match for DKIM/SPF.
  5. Copy and publish — Click Copy and add the TXT record to _dmarc.yourdomain.com in your DNS zone.

Frequently Asked Questions

What DMARC policy should I start with?

Always start with p=none (monitoring). This allows you to collect DMARC reports and verify that your legitimate email passes SPF and DKIM checks without affecting delivery. After 1-2 weeks of monitoring, move to p=quarantine, then after another week to p=reject for maximum protection.

What is the difference between RUA and RUF?

RUA (Aggregate Reports) are daily XML summaries showing how receiving servers evaluate your email authentication. RUF (Forensic Reports) are individual failure reports triggered when an email fails authentication. RUF can generate high volumes and is optional. Most organizations use a DMARC analysis service (like dmarcian, Postmark, or URIports) for easier report processing.

Do I need SPF and DKIM before DMARC?

Yes. DMARC builds on SPF and DKIM — it tells receivers what to do when those checks fail. Without properly configured SPF and DKIM, setting DMARC to p=reject will cause legitimate email to be rejected. Use the SPF Record Generator and DKIM Record Generator tools first, then publish your DMARC record.