DMARC Generator
Build a valid DMARC record — policy, reporting addresses, coverage and alignment — then publish it and tighten as you learn from the reports.
v=DMARC1; p=none
Publish as a TXT record at _dmarc.yourdomain.com, then validate with the DMARC Checker. Start at p=none, review reports, then tighten.
What DMARC is (and why it’s the piece that stops spoofing)
DMARC (Domain-based Message Authentication, Reporting & Conformance) is a DNS TXT record at _dmarc.yourdomain.com that sits on top of SPF and DKIM. It does two things: it tells receivers what to do with mail that fails authentication, and it emails you reportsof everyone sending as your domain — including spoofers and forgotten services. Without DMARC, SPF and DKIM can pass on a hidden envelope domain that isn’t your visible From: address, so spoofed mail still lands. DMARC closes that gap and, since 2024, is requiredby Gmail and Yahoo for bulk senders. Here’s every option this generator exposes.
Every option, explained
Policy: p
none— monitor only. Reports failures but delivers everything. Your safe starting point.quarantine— send failing mail to spam.reject— block failing mail outright. The goal state, and what unlocks BIMI (your logo in the inbox).
Subdomain policy: sp
A separate policy for your subdomains. Leave it blank to inherit p, or set it (often reject) to lock down subdomains that shouldn’t send mail at all.
Rollout percentage: pct
Applies your policy to only a sample of mail (1–100), so you can ramp enforcement gradually — e.g. pct=25 quarantines a quarter of failing mail while you watch reports, then move to 100.
Reporting addresses: rua and ruf
rua(aggregate) — the address that receives daily XML summaries of who’s sending as you and whether they passed. Always set this — it’s how you discover legitimate senders before enforcing.ruf(forensic) — per-message failure samples. Optional, less widely supported, and can carry PII, so many leave it off.
Alignment mode: adkim and aspf
Controls how closely the authenticated domain must match your From: domain. Relaxed (r), the default, allows subdomains to align — right for most setups. Strict (s) requires an exact match; use only if you know every sender uses your exact domain.
The safe three-stage rollout
Start at p=none with an rua address and change nothing about delivery. After a few weeks of reports, once every legitimate sender passes and aligns, move to p=quarantine (optionally with pct), then finally p=reject. Jumping straight to reject before your senders align will block your own mail.
Related tools & guides
Frequently asked questions
▸ ▾ What DMARC policy should I start with?
Start at p=none with a rua reporting address to monitor safely, then tighten to quarantine and finally reject once your legitimate senders pass.
▸ ▾ Where do I publish the DMARC record?
As a TXT record at _dmarc.yourdomain.com.