HomeTools › DMARC Generator

DMARC Record Generator

Build a DMARC policy for your domain. Choose enforcement level, configure reporting, and copy the DNS record.

1Choose your DMARC policy

What should receiving servers do with emails that fail authentication?

none
Monitor only — deliver all emails, send reports
Start here
quarantine
Send failing emails to spam/junk folder
reject
Block failing emails entirely — strongest protection

2Configure reporting

Where should mailbox providers send authentication reports?

Receives daily XML summaries of authentication results. Strongly recommended.
Receives detailed failure reports for individual messages. Not all providers send these.

3Advanced options (optional)

Fine-tune alignment, percentage, and subdomain policy.

100%
Percentage of messages the policy applies to. Use less than 100% for gradual rollouts.
Applies to subdomains like mail.yourdomain.com. Defaults to the main policy if not set.
Strict SPF alignment (aspf=s)
Require exact domain match for SPF. Default is relaxed (subdomains allowed).
Strict DKIM alignment (adkim=s)
Require exact domain match for DKIM. Default is relaxed (subdomains allowed).

Your DMARC Record

DNS Record Type: TXT
Host / Name: _dmarc
v=DMARC1; p=none;

How to add this record

  1. Log in to your DNS provider (Cloudflare, GoDaddy, Namecheap, etc.)
  2. Go to DNS Settings for your domain
  3. Add a new TXT record
  4. Set Name / Host to _dmarc
  5. Paste the generated DMARC record as the Value
  6. Save — propagation can take up to 48 hours
Tip: Start with p=none for 2–4 weeks while reviewing aggregate reports. Once you confirm all legitimate email sources pass authentication, move to quarantine, then reject.
Need an SPF record too? DMARC requires SPF or DKIM to work. Generate your SPF record →

Frequently Asked Questions

What is a DMARC record?
DMARC (Domain-based Message Authentication, Reporting, and Conformance) is a DNS TXT record published at _dmarc.yourdomain.com. It tells receiving mail servers what to do when emails from your domain fail SPF or DKIM authentication — deliver them, quarantine them, or reject them. It also provides a reporting mechanism so you can see who is sending email as your domain.
Should I start with p=none or p=reject?
Always start with p=none. This collects reports without affecting email delivery, letting you discover all legitimate email sources before enforcing. Jumping straight to p=reject can block emails from services you forgot to authorize. The typical progression is: none (2–4 weeks) → quarantine (2–4 weeks) → reject.
Do I need SPF and DKIM before DMARC?
Yes. DMARC evaluates the results of SPF and DKIM checks. Without at least one of them configured, DMARC has nothing to validate against and all messages will fail. Set up SPF first, then DKIM, then DMARC.
What are DMARC aggregate reports?
Aggregate reports (rua) are XML files sent daily by receiving mail servers like Gmail and Microsoft. They show which IP addresses sent email claiming to be from your domain, whether SPF and DKIM passed, and how DMARC alignment was evaluated. The raw XML is not human-friendly — use a free tool like Postmark's DMARC Digests to visualize them.
What is the difference between relaxed and strict alignment?
Relaxed alignment (default) allows subdomains to pass. For example, email from mail.yourdomain.com would align with a DMARC record on yourdomain.com. Strict alignment requires an exact domain match — only yourdomain.com would pass. Start with relaxed and only switch to strict if you need tighter control.

Keep your DMARC policy monitored

This generator builds your DMARC record. Scanward continuously monitors it — and alerts you if it gets removed, downgraded, or if your email authentication starts failing.

Monitor Your Domain Free →