DMARC Record Generator — Create a Valid DMARC Record for Your Domain
Create a custom DMARC record to protect your domain from spoofing and phishing.
Frequently Asked Questions
Where do I publish my DMARC record?
Publish the generated TXT record in your domain's DNS zone at the host/name _dmarc (full entry: _dmarc.yourdomain.com). The value is the complete record string starting with v=DMARC1.
Should I start with p=none or p=reject?
Always start with p=none to collect aggregate reports and identify all legitimate senders. Jumping directly to reject can block your own authorized email if any source lacks proper SPF or DKIM alignment.
What is the rua tag and why is it important?
The rua tag specifies the email address where aggregate (XML) reports are sent. These reports show every IP that sends email from your domain, whether messages pass or fail authentication, and what volume each source generates. Without rua, you have no visibility.
How long should I stay at p=none?
For most domains, 2 to 4 weeks is sufficient. The goal is to collect enough report data to identify all legitimate senders and fix any SPF/DKIM alignment issues before moving to quarantine.
What is percentage rollout (pct)?
The pct tag lets you apply your DMARC policy to a percentage of failing messages. Setting pct=25 at p=quarantine means only 25% of failing messages are quarantined; the rest are treated as p=none. This allows gradual enforcement.
Can I use an external email for rua reports?
Yes, but the external domain must authorize your domain to send reports to it. This requires a TXT record at yourdomain.com._report._dmarc.externaldomain.com with the value v=DMARC1. Without this, reports are silently dropped.
Do subdomains need separate DMARC records?
Not always. Subdomains inherit the parent domain's DMARC policy unless you set an sp= tag or publish a separate DMARC record on the subdomain. Use sp=reject on the parent to protect all subdomains at once.
What happens if my DMARC record has syntax errors?
Receiving servers will ignore a malformed DMARC record entirely, treating the domain as having no DMARC policy. Use our DMARC Checker to validate syntax after publishing.
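The syntax and external-rua answers above can be checked offline before publishing. The following is an added example, not the generator's or checker's own code: it validates the tags this page discusses (v, p, sp, pct, rua) and lists the authorization records an external report receiver would need to publish. The function names, the sample record and the suffix-based "same domain" test are assumptions made for illustration.

```python
import re

POLICIES = {"none", "quarantine", "reject"}
# Constructed sample record using the page's placeholder domains.
SAMPLE = ("v=DMARC1; p=quarantine; pct=25; "
          "rua=mailto:dmarc@yourdomain.com,mailto:reports@externaldomain.com")

def rua_uris(tags):
    """Split the comma-separated rua value into individual URIs."""
    return [u.strip() for u in tags.get("rua", "").split(",") if u.strip()]

def parse_dmarc(record):
    """Return (tags, errors); errors are what a pre-publication check should flag."""
    tags, errors = {}, []
    parts = [p.strip() for p in record.split(";") if p.strip()]
    if not parts:
        errors.append("empty record")
    for i, part in enumerate(parts):
        name, sep, value = part.partition("=")
        name, value = name.strip().lower(), value.strip()
        if not sep or not name or not value:
            errors.append(f"malformed tag: {part!r}")
            continue
        if i == 0 and (name != "v" or value != "DMARC1"):
            errors.append("record must start with v=DMARC1")
        tags[name] = value
    if tags.get("p", "").lower() not in POLICIES:
        errors.append("p must be none, quarantine or reject")
    if "sp" in tags and tags["sp"].lower() not in POLICIES:
        errors.append("sp must be none, quarantine or reject")
    pct = tags.get("pct")
    if pct is not None and not (re.fullmatch(r"[0-9]{1,3}", pct) and int(pct) <= 100):
        errors.append("pct must be an integer from 0 to 100")
    for uri in rua_uris(tags):
        if not re.fullmatch(r"mailto:[^@\s,!]+@[^@\s,!]+(![0-9]+[kmgt]?)?", uri, re.I):
            errors.append(f"rua entry is not a mailto: URI: {uri!r}")
    return tags, errors

def external_auth_names(domain, tags):
    """DNS names where an external report receiver must publish v=DMARC1."""
    names = []
    for uri in rua_uris(tags):
        dest = uri.rsplit("@", 1)[-1].split("!")[0].lower().rstrip(".")
        # Simplification (assumption): suffix match, not an organizational-domain lookup.
        if dest != domain and not dest.endswith("." + domain):
            names.append(f"{domain}._report._dmarc.{dest}")
    return names

if __name__ == "__main__":
    tags, errors = parse_dmarc(SAMPLE)
    print(errors or "syntax OK")
    for name in external_auth_names("yourdomain.com", tags):
        print("needs TXT v=DMARC1 at", name)
```

Pass the domain that publishes the DMARC record as the first argument to external_auth_names; each returned name must resolve to a TXT record with the value v=DMARC1 before reports to that address will be delivered.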
Related Tools
DMARC Record Checker
Verify your DMARC record, check for syntax errors, and test your email security.
SPF Record Checker
Check for the 10-lookup limit, syntax errors, and authorized IP addresses.
DKIM Record Checker
Verify your DomainKeys Identified Mail public key and selector syntax.