Crawlsonar

DMARC Generator

Build a valid DMARC record — policy, reporting addresses, coverage and alignment — then publish it and tighten as you learn from the reports.

v=DMARC1; p=none

Publish as a TXT record at _dmarc.yourdomain.com, then validate with the DMARC Checker. Start at p=none, review reports, then tighten.

What DMARC is (and why it’s the piece that stops spoofing)

DMARC (Domain-based Message Authentication, Reporting & Conformance) is a DNS TXT record at _dmarc.yourdomain.com that sits on top of SPF and DKIM. It does two things: it tells receivers what to do with mail that fails authentication, and it emails you reportsof everyone sending as your domain — including spoofers and forgotten services. Without DMARC, SPF and DKIM can pass on a hidden envelope domain that isn’t your visible From: address, so spoofed mail still lands. DMARC closes that gap and, since 2024, is requiredby Gmail and Yahoo for bulk senders. Here’s every option this generator exposes.

Every option, explained

Policy: p

  • none — monitor only. Reports failures but delivers everything. Your safe starting point.
  • quarantine — send failing mail to spam.
  • reject — block failing mail outright. The goal state, and what unlocks BIMI (your logo in the inbox).

Subdomain policy: sp

A separate policy for your subdomains. Leave it blank to inherit p, or set it (often reject) to lock down subdomains that shouldn’t send mail at all.

Rollout percentage: pct

Applies your policy to only a sample of mail (1–100), so you can ramp enforcement gradually — e.g. pct=25 quarantines a quarter of failing mail while you watch reports, then move to 100.

Reporting addresses: rua and ruf

  • rua (aggregate) — the address that receives daily XML summaries of who’s sending as you and whether they passed. Always set this — it’s how you discover legitimate senders before enforcing.
  • ruf (forensic) — per-message failure samples. Optional, less widely supported, and can carry PII, so many leave it off.

Alignment mode: adkim and aspf

Controls how closely the authenticated domain must match your From: domain. Relaxed (r), the default, allows subdomains to align — right for most setups. Strict (s) requires an exact match; use only if you know every sender uses your exact domain.

The safe three-stage rollout

Start at p=none with an rua address and change nothing about delivery. After a few weeks of reports, once every legitimate sender passes and aligns, move to p=quarantine (optionally with pct), then finally p=reject. Jumping straight to reject before your senders align will block your own mail.

Related tools & guides

Frequently asked questions

What DMARC policy should I start with?

Start at p=none with a rua reporting address to monitor safely, then tighten to quarantine and finally reject once your legitimate senders pass.

Where do I publish the DMARC record?

As a TXT record at _dmarc.yourdomain.com.