DMARC Record Generator

Build a correct DMARC TXT record with policy presets, a staged rollout plan and validation warnings that catch mistakes before DNS does.

This DMARC record generator builds the exact TXT record you publish, right in your browser, so nothing you type ever leaves the page. Pick a policy in plain English (p=none, quarantine or reject), set the reporting address, and it writes the v=DMARC1 value along with the host you publish it at, which is _dmarc.yourdomain.com and not the root, the thing people get wrong constantly. It follows the RFC 7489 tag syntax for sp, pct, adkim, aspf, rua, ruf and fo, and invents nothing. Staged rollout presets walk you from monitoring to enforcement, and live warnings flag the dangerous combinations, like reject with no reporting or a pct that does nothing under p=none, before you ever paste the record into a DNS panel.

100% in your browser. Nothing you type ever leaves this page.

DMARC record generator with policy presets and a staged rollout plan

The first DMARC record I ever published had a typo in the rua address. I sat there for two weeks wondering why no reports showed up. So this generator does the boring checks for me now. Pick your policy, type the reporting address, and it writes the exact TXT record plus the host you publish it at (that's _dmarc.yourdomain.com, not the root, and yes people get that wrong constantly). It sticks to the tag syntax from RFC 7489 and invents nothing. Everything runs in your browser. Once the record is live, paste your domain into a DMARC record checker to confirm DNS is actually serving what you wrote.

Your domain (used only for the host hint)

p=noneMonitor only. Mail flows exactly as before, you just get reports. This is where everyone should start. p=quarantineFailing mail gets treated as suspicious, usually shoved into spam. Recoverable if you got something wrong. p=rejectFailing mail is refused outright. Maximum protection, zero forgiveness. Earn this one with monitoring first.

Subdomain policy (sp=)

Percentage (pct=) 100%

DKIM alignment (adkim=)

SPF alignment (aspf=)

Aggregate reports (rua=), email address

Failure reports (ruf=), optional

You can list several addresses separated by commas. Heads up on ruf: most large mailbox providers simply don't send failure reports anymore (privacy reasons), so don't count on that channel for much.

Failure reporting options (fo=)

0: report only when everything fails (default) 1: report if SPF or DKIM fails d: report DKIM failures s: report SPF failures 1:d:s (everything)

Staged rollout presets:

Publish at this host (TXT record name)_dmarc.example.com

Record typeTXT

Your DMARC record value

v=DMARC1; p=none

What DMARC actually does on top of SPF and DKIM

SPF says which servers may send for your domain. DKIM signs the message so tampering shows. Useful, both of them. But here's the gap nobody tells you about: neither one checks the From address your recipient actually sees. A phisher can pass SPF on their own domain while displaying yours in the From header, and plenty of filters wave it through.

DMARC closes that gap with alignment. It demands that the domain in the visible From header matches the domain that passed SPF or DKIM. No match, no pass. And then, this is the part I like, it lets you tell receiving servers what to do with the failures and asks them to send you reports about it. Suddenly you can see who's sending as your domain. Some of it will be you (a forgotten newsletter tool, the CRM, that one marketing platform). Some of it won't be. If you want a wider look at where your domain stands across all three mechanisms, an email authentication posture checker grades the whole setup in one pass.

Reading the policy levels honestly

The marketing version is "none, quarantine, reject, just pick reject for max security". The honest version is messier.

p=none blocks nothing. It's purely a reporting tap, and that's exactly why it's valuable. You run it for a few weeks and discover every system that sends mail as your domain, including the three you forgot existed. I've genuinely never seen a domain where the first batch of reports held zero surprises.

p=quarantine asks receivers to treat failures as suspicious, which in practice means the spam folder. It's the recoverable middle ground. A legitimate sender you missed lands in spam instead of vanishing, and someone will eventually tell you.

p=reject bounces failing mail at the door. It's the right end state for most domains, and it's also where invoices from your billing system silently stop arriving if you rushed. Reject isn't braver than quarantine. It's just less forgiving.

The staged rollout I recommend

This is the same sequence baked into the preset buttons above, and I'd argue the timeline matters more than the tags.

Weeks 1 to 4: p=none with rua set. Collect reports. Fix SPF and DKIM for every legitimate source you find. Don't touch the policy until the reports look boring.
Weeks 5 to 8: p=quarantine with pct=25. Only a quarter of failing mail gets quarantined, so a mistake stings instead of bleeding. Raise pct in steps (50, then 100) as the reports stay clean.
After that: p=reject. Keep rua in the record forever. New SaaS tools that send mail as your domain will appear, usually without anyone telling IT.

Honestly, the four week monitoring window is a floor, not a target. Big org with decades of shadow IT? Make it three months. I might be overly cautious here, but I've never once regretted a slow DMARC rollout, and I've watched a fast one eat a week of payroll notifications.

Common mistakes I keep seeing

Publishing the record at the root domain instead of the _dmarc subdomain. The record itself is perfect, DNS just serves it from the wrong name, and every receiver ignores it.

Skipping rua entirely. A policy without reports means you're enforcing rules against traffic you cannot see. When something legitimate starts failing, your first clue is an angry phone call.

Jumping straight to p=reject because a compliance checklist said so. The checklist isn't wrong about the destination, just the speed.

Two more, quicker: forgetting that rua addresses on a different domain need a verification record on the receiving side before reports flow (RFC 7489 calls this external destination verification), and setting strict alignment day one. Relaxed alignment passes mail from subdomains like mail.example.com; strict doesn't, and most setups rely on that without knowing it.

Frequently asked questions

Where exactly do I publish the DMARC record?

As a TXT record at _dmarc.yourdomain.com, with the underscore. Not at the root, not at www. In most DNS panels you enter just _dmarc as the name and the panel appends your domain automatically.

Does p=none do anything at all?

It blocks nothing, and that's the point. It switches on reporting so you can map every system sending as your domain before any enforcement starts. Skipping it is how legitimate mail gets bounced later.

What does pct actually control?

It asks receivers to apply your policy to only that percentage of failing messages. pct=25 with quarantine means roughly a quarter of failures get quarantined and the rest pass through. It only matters with quarantine or reject; combined with p=none there's nothing to throttle.

Do I need both rua and ruf?

You need rua. Aggregate reports are the whole feedback loop. ruf is optional and frankly unreliable, since most major providers stopped sending failure reports over privacy concerns. Set it if you want, just don't build your process around it.

What's the difference between relaxed and strict alignment?

Relaxed accepts an organizational domain match, so mail signed by mail.example.com aligns with a From of example.com. Strict demands an exact match. Relaxed is the default and the right call for almost everyone; strict breaks subdomain senders you forgot about.

How long until I see my first aggregate reports?

Usually within 24 to 48 hours, since most receivers send one report per day per domain. If nothing arrives after three days, check the record with a DMARC lookup tool and double-check the rua address for typos. Been there.