SimpleDMARC

DMARC Record Generator — Create a Valid DMARC Record for Your Domain

Create a custom DMARC record to protect your domain from spoofing and phishing.

Why You Need a DMARC Record

Every domain that sends email should have a DMARC record. It is the control layer that ties SPF and DKIM together and tells the world what should happen when someone attempts to send unauthorized email from your domain. Without DMARC, even if you have SPF and DKIM configured, there is no policy enforcement — receiving servers may still accept spoofed messages. Major mailbox providers including Google, Yahoo, and Microsoft now require DMARC for bulk senders, and compliance frameworks such as PCI DSS 4.0 mandate DMARC enforcement for organizations handling payment data.

How Our DMARC Generator Works

Our generator walks you through each DMARC tag with plain-language explanations. Start by selecting your policy level — 'none' for initial monitoring, 'quarantine' for intermediate enforcement, or 'reject' for full protection. Add your aggregate reporting address (rua) so you receive daily XML reports showing who is sending email from your domain. Optionally configure forensic reporting (ruf), subdomain policy (sp), alignment modes, and percentage rollout. The tool validates every input in real time and outputs a ready-to-publish TXT record that you can paste directly into your DNS provider.

Step-by-Step: From Monitoring to Enforcement

We recommend a phased approach to DMARC deployment. Start with p=none and a valid rua address. Monitor aggregate reports for 2 to 4 weeks to identify all legitimate email sources — your primary mail server, marketing platforms, CRM transactional email, support ticket systems, and any other authorized senders. Fix SPF and DKIM alignment for each source. Then use this generator to create an updated record with p=quarantine at pct=10, gradually increasing the percentage as you confirm no legitimate email is affected. Once you reach pct=100 at quarantine with zero false positives, generate your final record at p=reject.
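The phased rollout above, as an added Python example (not SimpleDMARC's generator code): it validates the inputs the generator section describes and emits one TXT value per phase. The function names, the intermediate quarantine steps (25, 50) and the report address are assumptions made for illustration.

```python
import re

POLICIES = ("none", "quarantine", "reject")
# Deliberately simple mailbox check for the example; not a full RFC 5322 parser.
_MAILBOX = re.compile(r"^[^@\s,;!]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def _uris(tag, addresses):
    """Turn one address or a list of addresses into a comma-separated mailto: list."""
    if isinstance(addresses, str):
        addresses = [addresses]
    for addr in addresses:
        if not _MAILBOX.match(addr):
            raise ValueError(f"{tag}: {addr!r} is not a usable report mailbox")
    return f"{tag}=" + ",".join(f"mailto:{a}" for a in addresses)


def build_dmarc_record(p, rua, ruf=None, sp=None, pct=100, adkim="r", aspf="r"):
    """Return the TXT value to publish at _dmarc.<domain>; raise ValueError on bad input."""
    if p not in POLICIES or (sp is not None and sp not in POLICIES):
        raise ValueError(f"p and sp must be one of {POLICIES}")
    if not isinstance(pct, int) or not 1 <= pct <= 100:
        raise ValueError("pct must be an integer from 1 to 100")
    if adkim not in ("r", "s") or aspf not in ("r", "s"):
        raise ValueError("adkim and aspf must be 'r' (relaxed) or 's' (strict)")
    tags = ["v=DMARC1", f"p={p}"]  # v= must come first; p= follows it
    if sp is not None:
        tags.append(f"sp={sp}")
    tags.append(_uris("rua", rua))
    if ruf:
        tags.append(_uris("ruf", ruf))
    # Defaults (pct=100, relaxed alignment) are omitted to keep the record short.
    if pct != 100:
        tags.append(f"pct={pct}")
    if adkim != "r":
        tags.append(f"adkim={adkim}")
    if aspf != "r":
        tags.append(f"aspf={aspf}")
    return "; ".join(tags)


def rollout_plan(rua, quarantine_steps=(10, 25, 50, 100)):
    """Records for each phase: monitor, staged quarantine, then reject."""
    plan = [build_dmarc_record("none", rua)]
    plan += [build_dmarc_record("quarantine", rua, pct=n) for n in quarantine_steps]
    plan.append(build_dmarc_record("reject", rua))
    return plan


if __name__ == "__main__":
    for record in rollout_plan("dmarc-reports@example.com"):  # constructed address
        print(record)
```

Publish each record in turn only after the aggregate reports for the previous phase show no legitimate sender failing.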

Common Mistakes to Avoid

The most frequent mistake is deploying p=reject without first monitoring aggregate reports — this can block legitimate email from authorized third-party senders that lack proper SPF or DKIM alignment. Other common errors include: forgetting to add external report authorization when the rua address is on a different domain, setting pct to a very low value and forgetting to increase it over time, using strict alignment (adkim=s, aspf=s) prematurely before confirming all senders align at the organizational domain level, and publishing a DMARC record on subdomains that are already covered by the parent domain's sp= tag. Our generator prevents most of these mistakes with built-in validation and contextual warnings.

Tag Reference

The following tags/parameters are checked or generated by this tool:

| Tag | Description |
| --- | --- |
| v=DMARC1 | Required protocol version declaration. Must be the first tag in the record. |
| p=none | Monitor-only policy. No enforcement action taken. Use during initial deployment to collect data. |
| p=quarantine | Intermediate enforcement. Failing messages are treated as suspicious (typically routed to spam/junk). |
| p=reject | Full enforcement. Failing messages are blocked by the receiving server. Maximum protection. |
| rua=mailto: | Aggregate reporting URI. Specifies where daily XML reports are delivered. Critical for visibility. |
| ruf=mailto: | Forensic reporting URI. Receives per-message failure details. Limited mailbox provider support. |
| sp= | Subdomain policy override. Set independently from the organizational domain policy. |
| pct= | Percentage rollout (1-100). Apply the policy to a subset of traffic during gradual enforcement. |
| adkim= | DKIM alignment mode. Relaxed (r) allows subdomain matching. Strict (s) requires exact domain match. |
| aspf= | SPF alignment mode. Relaxed (r) or strict (s). Controls From header vs envelope sender matching. |

Frequently Asked Questions

Where do I publish my DMARC record?
Publish the generated TXT record in your domain's DNS zone at the host/name _dmarc (full entry: _dmarc.yourdomain.com). The value is the complete record string starting with v=DMARC1.
Should I start with p=none or p=reject?
Always start with p=none to collect aggregate reports and identify all legitimate senders. Jumping directly to reject can block your own authorized email if any source lacks proper SPF or DKIM alignment.
What is the rua tag and why is it important?
The rua tag specifies the email address where aggregate (XML) reports are sent. These reports show every IP that sends email from your domain, whether messages pass or fail authentication, and what volume each source generates. Without rua, you have no visibility.
How long should I stay at p=none?
Typically 2 to 4 weeks is sufficient for most domains. The goal is to collect enough report data to identify all legitimate senders and fix any SPF/DKIM alignment issues before moving to quarantine.
What is percentage rollout (pct)?
The pct tag lets you apply your DMARC policy to a percentage of failing messages. Setting pct=25 at p=quarantine means only 25% of failing messages are quarantined; the rest are treated as p=none. This allows gradual enforcement.
Can I use an external email for rua reports?
Yes, but the external domain must authorize your domain to send reports to it. This requires a TXT record at yourdomain.com._report._dmarc.externaldomain.com with the value v=DMARC1. Without this, reports are silently dropped.
Do subdomains need separate DMARC records?
Not always. Subdomains inherit the parent domain's DMARC policy unless you set an sp= tag or publish a separate DMARC record on the subdomain. Use sp=reject on the parent to protect all subdomains at once.
What happens if my DMARC record has syntax errors?
Receiving servers will ignore a malformed DMARC record entirely, treating the domain as having no DMARC policy. Use our DMARC Checker to validate syntax after publishing.
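
A check for the problems listed under "Common Mistakes to Avoid" and in the FAQ answers on external rua addresses and syntax errors, as an added Python example (not SimpleDMARC's checker). The function names and sample domains are hypothetical, and "external" is simplified to mean any report host that is neither the domain nor one of its subdomains.

```python
POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(record):
    """Return {tag: value}, or None if the record is malformed.

    Simplified check for the example: v=DMARC1 must be the first tag and p= must
    be a known policy.
    """
    pairs = [part.strip() for part in record.split(";") if part.strip()]
    tags = {}
    for pair in pairs:
        name, sep, value = pair.partition("=")
        if not sep or not value.strip():
            return None
        tags[name.strip().lower()] = value.strip()
    if not pairs or "".join(pairs[0].split()) != "v=DMARC1":
        return None
    if tags.get("p") not in POLICIES or not tags.get("pct", "100").isdigit():
        return None
    return tags


def lint_dmarc(record, domain):
    """List rollout problems in `record`, the TXT value published at _dmarc.<domain>."""
    tags = parse_dmarc(record)
    if tags is None:
        return ["malformed: receivers ignore the record, so the domain has no policy"]
    findings = []
    domain = domain.lower().rstrip(".")
    uris = [u.strip() for u in tags.get("rua", "").split(",") if u.strip()]
    if not uris:
        findings.append("no rua: no aggregate reports, so no visibility")
    for uri in uris:
        # Host part of mailto:user@host, minus any "!10m" size-limit suffix.
        host = uri.rpartition("@")[2].split("!")[0].lower()
        # Assumption: "external" = neither the domain nor one of its subdomains.
        if host != domain and not host.endswith("." + domain):
            findings.append(f"external rua: {host} must publish TXT 'v=DMARC1' "
                            f"at {domain}._report._dmarc.{host}")
    pct = int(tags.get("pct", "100"))
    if tags["p"] != "none" and pct < 100:
        findings.append(f"pct={pct}: p={tags['p']} covers only part of failing "
                        "mail; raise it as reports stay clean")
    strict = [t for t in ("adkim", "aspf") if tags.get(t) == "s"]
    if strict:
        findings.append("strict alignment (" + ", ".join(strict) + "): confirm "
                        "every sender aligns on the exact domain first")
    return findings
```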