DMARC has been part of the email authentication stack since 2012, but most senders treated it as optional for years. That changed in early 2024 when Google and Yahoo announced new requirements making SPF, DKIM, and DMARC mandatory for bulk senders. Suddenly, setting up a DMARC record wasn’t a nice-to-have; it was table stakes for getting your email delivered.
Use this free DMARC record generator to build a valid DNS TXT record based on your settings. Choose your policy, add your reporting addresses, and copy the output directly into your DNS zone. No guessing the syntax.
Your Domain
_dmarc.example.com.
Policy (p)
Defines what receiving servers should do with email that fails DMARC authentication.
Reporting
Where to send DMARC reports. Both fields are optional but strongly recommended — without them you won't know if something is broken.
Advanced Options
The defaults are appropriate for most senders. Adjust only if you have a specific reason to.
Your DMARC Record
v=DMARC1; p=none;
How to publish this record
- Log in to your DNS provider (Cloudflare, Namecheap, GoDaddy, Route 53, etc.)
- Create a new TXT record with the host set to _dmarc (not the root domain).
- Paste the generated value above into the Value / Content field.
- Set TTL to 3600 (1 hour) or leave as default.
- Save and allow up to 48 hours for propagation.
Tip: Start with p=none and a reporting address, monitor for a few weeks, then move to quarantine and finally reject.
Existing Record Lookup
Check whether a domain already has a DMARC record published.
How to use this DMARC record generator
The tool asks for a few key inputs. Here’s what each one means:
- Policy (p=): The core of any DMARC record. Choose none to start monitoring, quarantine to send suspicious emails to spam, or reject to block unauthenticated mail outright.
- Reporting address (rua=): Where aggregate reports get sent. This is the email address that receives daily summaries of authentication activity across your domain. Use it.
- Forensic reporting address (ruf=): Where individual failure reports go. These are more detailed but not all receivers send them due to privacy concerns.
- Subdomain policy (sp=): If you want a different policy for subdomains than your main domain, set it here. Useful if your subdomains have different sending setups.
- Percentage (pct=): What share of mail the policy applies to. Defaults to 100. Some senders lower this during a phased rollout; more on that below.
Once you’ve configured your settings, copy the generated record and add it as a TXT record in your DNS, on the host _dmarc.yourdomain.com.
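The record assembly described above, as an added Python example (not the generator's own code). The function name `build_dmarc` and its parameters are assumptions for illustration; it validates each input and leaves default values out of the record, matching the `v=DMARC1; p=none;` output format shown earlier.

```python
import re

POLICIES = {"none", "quarantine", "reject"}
# Deliberately conservative mailbox check; ',', ';' and '!' are special in DMARC URIs.
_ADDR = re.compile(r"^[^@\s,;!]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def _uris(addresses, tag):
    """Turn mailbox addresses into the comma-separated mailto: list a tag expects."""
    out = []
    for addr in addresses:
        addr = addr.strip()
        if addr.lower().startswith("mailto:"):
            addr = addr[len("mailto:"):]
        if not _ADDR.match(addr):
            raise ValueError(f"{tag}: not a usable mailbox address: {addr!r}")
        out.append("mailto:" + addr)
    return ",".join(out)


def build_dmarc(domain, policy, rua=(), ruf=(), sp=None, pct=100,
                adkim="r", aspf="r"):
    """Return (host, value) for the TXT record; defaults are left out of the value."""
    if policy not in POLICIES:
        raise ValueError(f"p must be one of {sorted(POLICIES)}")
    if sp is not None and sp not in POLICIES:
        raise ValueError(f"sp must be one of {sorted(POLICIES)}")
    if not isinstance(pct, int) or not 0 <= pct <= 100:
        raise ValueError("pct must be an integer from 0 to 100")
    for name, mode in (("adkim", adkim), ("aspf", aspf)):
        if mode not in ("r", "s"):
            raise ValueError(f"{name} must be 'r' (relaxed) or 's' (strict)")
    tags = ["v=DMARC1", f"p={policy}"]  # v must come first, p directly after it
    if sp is not None:
        tags.append(f"sp={sp}")
    if rua:
        tags.append("rua=" + _uris(rua, "rua"))
    if ruf:
        tags.append("ruf=" + _uris(ruf, "ruf"))
    if pct != 100:
        tags.append(f"pct={pct}")
    if adkim != "r":
        tags.append(f"adkim={adkim}")
    if aspf != "r":
        tags.append(f"aspf={aspf}")
    return f"_dmarc.{domain.strip('.').lower()}.", "; ".join(tags) + ";"
```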
What is a DMARC record and why does it matter?
DMARC stands for Domain-based Message Authentication, Reporting, and Conformance. It’s a DNS record that tells receiving mail servers what to do when an incoming message fails SPF or DKIM authentication.
Think of SPF and DKIM as the authentication checks. DMARC is the policy that acts on those results.
Without a DMARC record, even a failed authentication check might result in delivery. The receiving server has no instruction. With DMARC in place, you’re telling Gmail, Outlook, and every other provider: “If this email doesn’t pass authentication, here’s exactly what to do with it.”
That’s meaningful for two reasons. First, it protects your domain from being spoofed. If someone tries to send phishing emails pretending to be you, a p=reject policy stops those emails from reaching inboxes. Second, it builds your domain’s authentication reputation over time — which matters for deliverability.
I’ve seen senders skip DMARC entirely because they had SPF and DKIM configured and figured they were done. They weren’t. The authentication triangle only closes when all three are in place.
Understanding DMARC policy levels
p=none — Start here.
Monitor mode. DMARC reports get sent to your rua address, but no action is taken on failing mail. This is where every sender should begin, because your first reports will almost certainly surface legitimate sending sources you forgot about: your CRM, a transactional email provider you set up years ago, a third-party form tool. None of that should fail before you know about it.
Spend a few weeks at p=none. Read the reports. Fix the gaps.
p=quarantine — The middle ground.
Emails that fail DMARC go to the spam folder instead of the inbox. It’s a softer enforcement than rejection (recipients can still find the mail if they look), but it signals to mailbox providers that you’re serious about authentication. Move here once you’re confident your legitimate sending sources are all passing.
p=reject — The gold standard.
Unauthenticated mail is rejected outright. It never reaches the recipient. This is the level Google, Microsoft, and every major security-minded organization recommends as the eventual goal.
Don’t rush to p=reject. I’ve watched senders jump straight to it and then spend two weeks troubleshooting why a critical transactional flow stopped working. The rollout exists for a reason: none → quarantine → reject, with reporting reviewed at each step.
DMARC alignment: a detail worth knowing
One thing the generator handles automatically but is worth understanding: DMARC doesn’t just require SPF or DKIM to pass; it requires alignment. The domain in the From: header needs to match (or be a subdomain of) the domain used in SPF or DKIM signing.
This is why sending through an ESP that hasn’t properly configured custom authentication for your domain can cause DMARC failures even if their SPF technically passes. The alignment check is what catches that.
Relaxed alignment (the default) allows subdomain matches. Strict alignment requires an exact domain match. For most senders, relaxed is the right call.
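An added Python example (not code from this page or its tool) that evaluates the alignment check for the ESP scenario above. Relaxed mode is implemented as the organizational-domain comparison from RFC 7489; `PUBLIC_SUFFIXES` is a small constructed stand-in for the Public Suffix List, and the function names and sample domains are assumptions.

```python
# Constructed stand-in for the Public Suffix List; real evaluators load the full list.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}


def org_domain(domain):
    """Organizational domain: the public suffix plus one label to its left."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        # i grows from 0, so the longest matching suffix is found first.
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])  # unknown suffix: fall back to the last two labels


def aligned(from_domain, auth_domain, mode="r"):
    """mode 's' needs an exact match; 'r' needs the same organizational domain."""
    a = from_domain.lower().rstrip(".")
    b = auth_domain.lower().rstrip(".")
    if mode == "s":
        return a == b
    return org_domain(a) == org_domain(b)


def dmarc_result(from_domain, spf, dkim, aspf="r", adkim="r"):
    """spf is (result, MAIL FROM domain); dkim is a list of (result, d= domain)."""
    spf_ok = spf[0] == "pass" and aligned(from_domain, spf[1], aspf)
    dkim_ok = any(res == "pass" and aligned(from_domain, d, adkim)
                  for res, d in dkim)
    # A message passes DMARC when at least one check both passes and aligns.
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if spf_ok or dkim_ok else "fail"}


if __name__ == "__main__":
    # ESP signs and bounces with its own domain: both checks pass, neither aligns.
    print(dmarc_result("example.com", ("pass", "bounces.esp.example.net"),
                       [("pass", "esp.example.net")]))
    # Custom DKIM for the sender's subdomain: aligned in relaxed mode only.
    print(dmarc_result("example.com", ("pass", "bounces.esp.example.net"),
                       [("pass", "mail.example.com")]))
```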
Frequently asked questions
What’s the difference between DMARC, SPF, and DKIM?
They work together but do different things. SPF (Sender Policy Framework) lists the IP addresses authorized to send mail from your domain. DKIM (DomainKeys Identified Mail) adds a cryptographic signature to outgoing messages that receivers can verify. DMARC ties them together: it defines what happens when either check fails, and who gets notified.
You need all three for a complete authentication setup.
How long does DMARC take to propagate?
DNS changes typically propagate within a few hours, though it can take up to 48 hours in some cases. You won’t see DMARC reports immediately: most providers send aggregate reports once per day, covering the previous 24 hours of activity.
Do I need DMARC if I’m not a bulk sender?
Yes, for a different reason: protection. Even low-volume domains get spoofed. If someone can send phishing emails that appear to come from your domain, your brand reputation takes the hit, not just with email providers, but with the people who receive those emails. DMARC with p=reject closes that door.
What are DMARC aggregate reports (rua)?
Aggregate reports are XML files sent to your rua address by receiving mail servers. They summarize the authentication results for mail claiming to be from your domain over a 24-hour period. They show you which sending sources passed or failed SPF and DKIM, and how much volume came from each.
You’ll want a DMARC report analyzer tool to make sense of them; the raw XML isn’t particularly readable.
What does pct= do in a DMARC record?
The pct tag controls what percentage of mail the policy is applied to. pct=100 (the default) means the policy applies to all mail. Setting pct=10 during a rollout means only 10% of failing mail gets quarantined or rejected — useful for testing without full exposure. Once you’re confident in your setup, bring it to 100.
Can I have multiple DMARC records?
No. You can only have one DMARC record per domain, published as a single TXT record at _dmarc.yourdomain.com. Multiple records will cause errors. If you need to report to multiple addresses, separate them with commas within a single rua= tag.
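A check for these conditions, as an added Python example (not the page's lookup tool). It takes the TXT strings already retrieved from `_dmarc.<domain>`; the function names, finding messages and sample records are assumptions.

```python
VALID_P = {"none", "quarantine", "reject"}


def parse_tags(record):
    """Split 'v=DMARC1; p=none; ...' into a dict of tag -> value."""
    tags = {}
    for part in record.split(";"):
        if part.strip():
            name, _, value = part.partition("=")
            tags[name.strip().lower()] = value.strip()
    return tags


def lint_dmarc(txt_records):
    """txt_records: every TXT string found at _dmarc.<domain>. Returns findings."""
    dmarc = [r for r in txt_records if parse_tags(r).get("v") == "DMARC1"]
    if not dmarc:
        return ["no DMARC record published"]
    if len(dmarc) > 1:
        # Receivers cannot pick between records, so the whole set is unusable.
        return [f"{len(dmarc)} DMARC records published; only one is allowed"]
    tags = parse_tags(dmarc[0])
    findings = []
    if tags.get("p") not in VALID_P:
        findings.append("p is missing or not none/quarantine/reject")
    if "rua" not in tags:
        findings.append("no rua address: no aggregate reports will arrive")
    else:
        for uri in tags["rua"].split(","):
            if not uri.strip().lower().startswith("mailto:"):
                findings.append(f"rua entry is not a mailto: URI: {uri.strip()!r}")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) > 100:
        findings.append("pct must be a whole number from 0 to 100")
    elif int(pct) < 100 and tags.get("p") in ("quarantine", "reject"):
        findings.append(f"policy is applied to only {pct}% of failing mail")
    return findings


if __name__ == "__main__":
    # Constructed record sets: a clean one, then a duplicate-record mistake.
    print(lint_dmarc(["v=DMARC1; p=reject; "
                      "rua=mailto:a@example.com,mailto:b@example.net"]))
    print(lint_dmarc(["v=DMARC1; p=none;", "v=DMARC1; p=reject;"]))
```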
Getting your DMARC record right is a solid first step. The next one is making sure everything else in your authentication setup is working alongside it. Our free Email Deliverability Test checks your SPF, DKIM, and DMARC configuration all at once, so you can see the full picture.
And if you send personalized campaigns through Alterable, strong domain authentication is what gives your content the best chance of reaching the inbox. It’s the infrastructure everything else sits on.