DMARC tools

Free DMARC Record Generator

Create a valid DNS TXT record for your domain in seconds. Choose your policy, add a reporting address, and copy the result directly into your DNS, no account required.

DKIM alignment (adkim tag)
SPF alignment (aspf tag)
Forensic options (fo tag)

Please publish the following DNS TXT Record on the subdomain _dmarc.YOURDOMAIN.com

Record Type
TXT
Host
_dmarc
Value
v=DMARC1; p=none; fo=1

Add an aggregate (rua) address to start receiving reports, the point of p=none is to collect data before enforcing.

  • p=none is monitoring-only, failing mail is still delivered.
  • No rua configured, you will not receive aggregate DMARC reports.
TAG BREAKDOWN
vDMARC1Version
pnoneDomain policy
fo1Forensic options

About

The DMARC Record Generator builds a syntactically correct DNS TXT record for _dmarc.yourdomain.com. You choose enforcement policy, reporting addresses, alignment modes, and RFC 9989 tags, then copy a ready-to-publish value into your DNS.

DMARC tells mailbox providers what to do when SPF or DKIM fail for mail using your domain, and where to send aggregate reports about authentication results.

Stop domain spoofing

Define how receivers handle unauthenticated mail claiming to be from your domain.

Visibility via reports

Aggregate (rua) reports show every source sending as your domain, legitimate or not.

RFC 9989 compliant

Supports modern tags like np, t, and psd for safer gradual enforcement.

Copy-ready output

Get the exact Host and TXT Value to paste into any DNS provider.

How to use this tool

Choose your policy

Select p=none to monitor, quarantine for soft enforcement, or reject to block failing mail.

Add reporting addresses

Enter rua for daily aggregate reports. Optionally add ruf for forensic failure reports.

Configure advanced tags

Set subdomain (sp), non-existent subdomain (np), testing mode (t), and alignment (adkim/aspf).

Copy and publish

Paste the Host (_dmarc) and Value into your DNS provider, then verify with the DMARC Checker.

Understanding the results

The generator updates in real time as you change options. Review the tag breakdown to confirm each value before publishing.

Hints (blue)

Informational tips such as adding rua or explaining testing mode, not errors.

Warnings (orange)

Important notices like p=none being monitor-only or missing rua configuration.

Policy: reject / quarantine

Shown in the tag breakdown when enforcement is active, confirm all senders are aligned first.

Policy: none

Monitoring mode, mail is not blocked. Use this to collect data before tightening policy.

Important result fields

Host

Publish at _dmarc, most DNS panels append your domain automatically.

Value

The full DMARC TXT string starting with v=DMARC1.

Tag breakdown

Explains each tag in the generated record with RFC 9989 status badges.

p / sp / np

Root, existing subdomain, and non-existent subdomain policies.

rua / ruf

Where aggregate and forensic DMARC reports are delivered.

Best practices & recommendations

Start with p=none

Monitor for 1-2 weeks with rua configured before moving to quarantine or reject.

Always configure rua

Without aggregate reports you cannot see misaligned senders or fix authentication gaps.

Use relaxed alignment first

Begin with adkim=r and aspf=r to avoid breaking forwarded mail, then tighten gradually.

Verify after publishing

Use the DMARC Checker to confirm the record is live and syntactically valid in DNS.

Frequently asked questions

It builds a valid DMARC DNS TXT record from your chosen policy and options, so you avoid syntax errors when publishing to DNS.

A common monitor-only record: v=DMARC1; p=none; rua=mailto:reports@yourdomain.com; adkim=r; aspf=r; fo=1;

Always start with p=none. Review aggregate reports, fix SPF/DKIM for all legitimate senders, then move to quarantine and finally reject.

np (RFC 9989) sets policy for subdomains that have never sent mail, useful to block typosquatting on unused subdomain names.

t=y asks receivers to apply a softer policy during rollout. Remove it once you are ready for full enforcement.

rua (aggregate) is strongly recommended. ruf (forensic) is optional and can generate high volume, many teams skip it initially.

RFC 9989 deprecates pct in favor of t=y for gradual rollout. Use testing mode instead of partial percentage enforcement.

Run this check once, or have it watched 24/7.

SenderSignal monitors these signals continuously: 48 blacklists, SPF, DKIM, DMARC, TLS and more, with alerts in Slack, email and signed webhooks.

Start monitoring free All free tools