DMARC Record Generator

Answer three questions and copy a correct DMARC record — with honest guidance about what each policy actually does. Generated in your browser; nothing you type is sent to us.

1. Policy — what should receivers do with mail that fails authentication?

2. Where should aggregate reports go? (rua)

Without rua= you are flying blind: reports are the only way to see who is sending as your domain before you enforce.

Reports arrive as compressed XML — unreadable by hand at any volume.

Skip the XML: Deliverability Guard gives you a private ingest address to put here instead — your reports become a readable "who is sending as my domain" table with a safe-to-enforce advisor. Or inspect a single report file with the free DMARC report analyzer.

3. Optional fine-tuning

pct= is only meaningful with quarantine/reject — a gentle way to phase enforcement in.

Your DMARC record

Publish as a TXT record at host/name _dmarc (so it lives at _dmarc.yourdomain.com).

v=DMARC1; p=none;

What is a DMARC record?

DMARC (RFC 7489) is the DNS policy that tells receiving servers what to do with mail that claims to be from your domain but passes neither SPF nor DKIM in alignment with your From: domain — and where to send the daily reports describing what they saw. It is the piece that turns SPF and DKIM from advisory signals into actual spoofing protection, and since 2024–2025 Google, Yahoo and Microsoft require it from bulk senders.

The safe rollout path

  1. Publish p=none with rua= — pure monitoring; nothing can break.
  2. Read the reports for 2–4 weeks — find every legitimate sender (the forgotten newsletter tool, the CRM, the invoicing app) and fix their SPF/DKIM.
  3. Move to p=quarantine, optionally with pct=10 rising over weeks.
  4. Finish at p=reject — full protection.
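
An added example for step 2 of the rollout above, not part of this page's tool or of any vendor's code: a Python script that reads one aggregate (rua) report, gzipped or plain XML in the RFC 7489 layout, and tallies per source IP how many messages passed or failed DMARC. The sample report, its IP addresses and all function names are constructed for illustration.

```python
import gzip
import io
import xml.etree.ElementTree as ET
from collections import defaultdict

MAX_BYTES = 10 * 1024 * 1024  # reports are untrusted input: cap the decompressed size

def _rec(ip, count, dkim, spf):
    return (f"<record><row><source_ip>{ip}</source_ip><count>{count}</count>"
            f"<policy_evaluated><disposition>none</disposition><dkim>{dkim}</dkim>"
            f"<spf>{spf}</spf></policy_evaluated></row>"
            f"<identifiers><header_from>example.com</header_from></identifiers></record>")

# Constructed sample report (documentation IP ranges), gzipped the way receivers send it.
SAMPLE_XML = ("<feedback><policy_published><domain>example.com</domain><p>none</p>"
              "</policy_published>" + _rec("192.0.2.10", 120, "pass", "pass")
              + _rec("198.51.100.7", 40, "fail", "fail")
              + _rec("203.0.113.5", 3, "fail", "pass")
              + _rec("198.51.100.7", 2, "fail", "fail") + "</feedback>").encode()
SAMPLE_GZ = gzip.compress(SAMPLE_XML)

def load_report(blob):
    """Return the XML bytes, gunzipping if needed and enforcing the size cap."""
    if blob[:2] == b"\x1f\x8b":  # gzip magic bytes
        with gzip.GzipFile(fileobj=io.BytesIO(blob)) as fh:
            blob = fh.read(MAX_BYTES + 1)
    if len(blob) > MAX_BYTES:
        raise ValueError("report exceeds size cap")
    return blob

def summarize(blob):
    """Tally message counts per source IP, split by DMARC pass/fail."""
    root = ET.fromstring(load_report(blob))
    for el in root.iter():  # some reporters add an XML namespace; strip it
        el.tag = el.tag.rsplit("}", 1)[-1]
    totals = defaultdict(lambda: {"pass": 0, "fail": 0})
    for row in root.iter("row"):
        results = (row.findtext("policy_evaluated/dkim"), row.findtext("policy_evaluated/spf"))
        # DMARC passes when at least one of the aligned DKIM/SPF results is "pass".
        outcome = "pass" if "pass" in results else "fail"
        totals[row.findtext("source_ip")][outcome] += int(row.findtext("count", "0"))
    return {ip: dict(t) for ip, t in totals.items()}

def failing_sources(totals):
    """Source IPs with DMARC failures, largest volume first."""
    bad = [(ip, t["fail"]) for ip, t in totals.items() if t["fail"]]
    return sorted(bad, key=lambda item: -item[1])

if __name__ == "__main__":
    print(failing_sources(summarize(SAMPLE_GZ)))
```

Each failing source is either a legitimate sender whose SPF/DKIM still needs fixing or mail you want rejected once you enforce. Reports come from third parties, so the size cap guards against decompression bombs; a hardened XML parser is a reasonable further step.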

Frequently asked questions

Is p=none pointless?

No — it satisfies the providers' minimum bulk-sender requirement and turns on the reporting you need before enforcing. What is pointless is staying there forever: p=none provides zero spoofing protection, which is why the safe-rollout path above exists.

Do I need both rua and ruf?

Only rua= (aggregate reports) matters in practice. Forensic ruf= reports contain message content, so most large receivers refuse to send them — this generator deliberately omits ruf.

What does "alignment" mean?

SPF or DKIM passing is not enough — the domain that passed must match your From: domain. Relaxed alignment (the default) accepts subdomains (mail.you.com aligns with you.com); strict requires an exact match. Keep relaxed unless you have a specific reason.

How this tool works: This tool runs in your browser and on our server in real time. Depending on the tool, results are computed directly from the input you provide or retrieved from live, authoritative data sources at the moment you run a lookup. We do not sell your data, and your lookups are kept private — any history shown here is stored only on your device.