Skip to main content
DMARC

DMARC Record Generator

Build a valid DMARC TXT record with the right policy, reporting, and alignment settings. All generation runs in your browser -- nothing is sent to our servers.

What is DMARC?

DMARC (Domain-based Message Authentication, Reporting and Conformance) is an email authentication protocol defined in RFC 9989. It builds on SPF and DKIM by adding a policy layer: domain owners publish a DNS TXT record at _dmarc.example.com that tells receiving mail servers what to do when a message fails both SPF and DKIM alignment checks.

A DMARC record starts with v=DMARC1 followed by a semicolon-separated list of tags. The two required elements are the version tag and the policy (p=). Everything else is optional but strongly recommended -- especially the rua tag, which specifies where to send aggregate reports so you can monitor authentication results.

Organizations typically start with p=none to gather data, then gradually tighten to quarantine and finally reject as they confirm all legitimate senders pass authentication. The pct tag lets you apply the policy to a percentage of failing messages during rollout.

DMARC Tag Reference

Tag Required Description
v Yes Version. Must be DMARC1 and must be the first tag.
p Yes Domain policy: none, quarantine, or reject.
sp No Subdomain policy. Inherits from p if absent.
rua No Aggregate report URI(s) for daily XML reports.
ruf No Forensic report URI(s) for per-message failure reports.
adkim No DKIM alignment: r (relaxed) or s (strict).
aspf No SPF alignment: r (relaxed) or s (strict).
pct No Percentage of failing messages the policy applies to (0-100).
fo No Failure reporting options: 0 (all fail), 1 (any fail), d (DKIM), s (SPF).
ri No Requested aggregate report interval in seconds (default 86400).

Get the full picture with DMARCguard

Continuous monitoring, aggregate report parsing, and actionable insights for all your email authentication protocols.

Start Free

or compare plans