MailStrike.ai


DMARC Record Generator

Generate a valid DMARC TXT record for your domain. Choose your policy, configure reporting, and get a copy-paste DNS record — free and browser-only.

New to DMARC? DMARC tells receiving servers what to do when an email fails SPF or DKIM checks — nothing, quarantine it, or reject it outright. It also enables reporting so you can see who's sending email using your domain.

What is a DMARC record?

DMARC (Domain-based Message Authentication, Reporting & Conformance) is a DNS TXT record that tells receiving mail servers what to do when an email fails SPF or DKIM authentication. It builds on top of both protocols to give domain owners policy control and visibility into how their domain is being used.

Without DMARC, anyone can send email that appears to come from your domain and there's nothing mail servers are instructed to do about it. With DMARC, you can monitor suspicious activity, send failing messages to spam, or reject them outright.

How DMARC works

1. Email is received: A receiving server gets an inbound email claiming to be from your domain.

2. SPF and DKIM are checked: The server verifies whether the sending IP is authorized by your SPF record, and whether the DKIM signature is valid.

3. DMARC alignment is evaluated: DMARC checks whether the authenticated domain aligns with the From address. For SPF, the envelope sender domain must align with the From domain; for DKIM, the domain in the signature's d= tag must align with it.

4. Policy is applied: If authentication fails, the server follows your DMARC policy: none (deliver), quarantine (spam), or reject (block).

5. Reports are sent: Participating mail providers send aggregate reports to your rua address, showing authentication pass/fail statistics across all senders.

none vs quarantine vs reject

The most important decision in a DMARC record is the policy tag (p=). Most domains should start at p=none and graduate to p=reject over time.

| Policy | Action on fail | Reports | When to use |
|---|---|---|---|
| p=none | Deliver normally | Yes | Starting out / auditing |
| p=quarantine | Move to spam | Yes | Confident in setup |
| p=reject | Block the message | Yes | Fully authenticated |

DMARC tag reference

A DMARC record is made up of semicolon-separated tags. Only v= and p= are required — everything else is optional.

v=DMARC1 (Required): Version identifier. Always DMARC1; must be the first tag.

p= (Required): Policy for the root domain. none, quarantine, or reject.

sp= (Optional): Policy for subdomains. Inherits p= if omitted.

rua= (Optional): Comma-separated list of mailto: URIs for aggregate XML reports.

ruf= (Optional): Comma-separated list of mailto: URIs for forensic failure reports.

adkim= (Optional): DKIM alignment mode. r (relaxed, default) or s (strict).

aspf= (Optional): SPF alignment mode. r (relaxed, default) or s (strict).

pct= (Optional): Percentage of messages the policy applies to. Default 100.

fo= (Optional): Failure reporting options. 0 (both fail), 1 (either fails), d (DKIM), s (SPF). Default 0.
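
One way to check a published record against the tag rules above, as an added example that is not part of the original page. The function names, the sample record and the example.com address are constructed for illustration, and the colon-separated fo= syntax is taken from RFC 7489 rather than from this page.

```javascript
// Added example: check the TXT strings found at _dmarc.<domain> against the tag reference.
const DEFAULTS = { adkim: "r", aspf: "r", pct: "100", fo: "0" };
const POLICIES = ["none", "quarantine", "reject"];

// Split "tag=value" pairs on semicolons, keeping their order.
function parseDmarc(record) {
  return record.split(";").map(s => s.trim()).filter(Boolean).map(s => {
    const i = s.indexOf("=");
    return i < 0 ? [s.toLowerCase(), ""] : [s.slice(0, i).trim().toLowerCase(), s.slice(i + 1).trim()];
  });
}

function checkDmarc(txtRecords) {
  // Only strings whose first tag is v=DMARC1 count as DMARC records.
  const dmarc = txtRecords.filter(r => /^\s*v\s*=\s*DMARC1\s*(;|$)/.test(r));
  if (dmarc.length !== 1) {
    return { ok: false, errors: [`expected exactly 1 DMARC record, found ${dmarc.length}`], tags: null };
  }
  const errors = [];
  const tags = { ...DEFAULTS };
  const seen = new Set();
  for (const [k, v] of parseDmarc(dmarc[0])) {
    if (seen.has(k)) errors.push(`duplicate tag ${k}=`);
    seen.add(k);
    tags[k] = ["v", "rua", "ruf"].includes(k) ? v : v.toLowerCase(); // keep address case
  }
  if (!POLICIES.includes(tags.p)) errors.push("p= is required: none, quarantine or reject");
  if (tags.sp === undefined) tags.sp = tags.p; // subdomains inherit p=
  else if (!POLICIES.includes(tags.sp)) errors.push("sp= must be none, quarantine or reject");
  for (const k of ["adkim", "aspf"]) {
    if (!["r", "s"].includes(tags[k])) errors.push(`${k}= must be r or s`);
  }
  if (!/^\d{1,3}$/.test(tags.pct) || Number(tags.pct) > 100) errors.push("pct= must be 0 to 100");
  for (const k of ["rua", "ruf"]) {
    const uris = tags[k] === undefined ? [] : tags[k].split(",");
    if (!uris.every(u => /^mailto:[^\s,@]+@[^\s,@]+$/i.test(u.trim()))) {
      errors.push(`${k}= must be a comma-separated list of mailto: URIs`);
    }
  }
  // Assumption from RFC 7489, not stated on this page: fo= options are colon-separated.
  if (!tags.fo.split(":").every(o => ["0", "1", "d", "s"].includes(o.trim()))) {
    errors.push("fo= options are 0, 1, d, s");
  }
  return { ok: errors.length === 0, errors, tags };
}

// Constructed sample input; example.com is a placeholder domain.
console.log(checkDmarc(["v=DMARC1; p=none; rua=mailto:dmarc@example.com; pct=100"]));
```

The returned tags object shows the effective settings with defaults filled in, which makes it easy to see what a short record such as v=DMARC1; p=none actually means to a receiver.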

Frequently asked questions

Do I need SPF and DKIM before setting up DMARC?

Yes. DMARC relies on SPF and DKIM to authenticate messages. Without at least one of them in place, all your emails will fail DMARC checks. Set up SPF first, then DKIM, then deploy DMARC with p=none to monitor.

What's the difference between the aggregate (rua) and forensic (ruf) reports?

Aggregate reports (rua) are daily XML summaries showing pass/fail statistics for all mail sent using your domain. They're the most useful. Forensic reports (ruf) are per-message failure reports containing redacted email headers — many providers have stopped sending these due to privacy concerns.

Can I have more than one DMARC record?

No. You can only have one DMARC TXT record per domain at _dmarc.yourdomain.com. If multiple records exist, DMARC evaluation will fail. If you need to send reports to multiple addresses, put them in a comma-separated rua= list.

Why does the Name need to be _dmarc instead of @?

DMARC records must be published at the specific subdomain _dmarc.yourdomain.com. This is different from SPF, which goes on the root domain. Some DNS providers let you enter just "_dmarc" as the name; others require the full subdomain.

What's relaxed vs strict alignment?

Relaxed alignment (the default) allows the authenticated domain to match the organizational domain — so mail.yourdomain.com aligns with yourdomain.com. Strict alignment requires an exact match. Use relaxed unless you have a specific reason for strict.

How do I know when to move from p=none to p=reject?

Review your aggregate reports (rua) for at least 2–4 weeks at p=none. Once you're confident all legitimate senders (your own servers, ESPs, CRMs) are passing authentication, move to p=quarantine for another few weeks, then p=reject.
