Free DMARC Record Generator

Create a valid DNS TXT record for your domain in seconds. Choose your policy, add a reporting address, and copy the result directly into your DNS — no account required.





Please publish the following DNS TXT Record on the subdomain _dmarc.YOURDOMAIN.com

Record Type: TXT
Host: _dmarc
Value: v=DMARC1; p=none;


What is a DMARC Record?

DMARC stands for Domain-based Message Authentication, Reporting, and Conformance. A DMARC record is a DNS TXT record published at _dmarc.yourdomain.com that tells email receivers how to handle messages that fail SPF or DKIM authentication. It protects your domain from spoofing, improves email deliverability, and gives you visibility into who’s sending mail on your behalf.

For a deeper dive, see our:

DMARC Generator Tool Explained

Our DMARC generator automates record creation so you never worry about syntax errors. Choose your policy, set reporting addresses, and adjust advanced options like subdomain behavior and alignment modes. 

The tool validates every field and outputs a ready-to-publish DNS TXT record. Unlike manual record builders, you get RFC 9989 compliance out of the box, including support for new tags like np and t.

How to Use This DMARC Generator

Generate your DMARC record in 5 simple steps:

1. Choose Your Policy

Select none (monitor), quarantine (soft), or reject (enforce) for your root domain. For new domains, start with p=none to monitor traffic before enforcement.

2. Add Reporting Address

Enter your RUA email for aggregate reports. Optional but strongly recommended as reports show you everything happening with your domain's authentication.

3. Set Subdomain Policy

Define subdomain behavior with the sp tag. Leave blank to inherit the root policy, or set explicitly for gradual rollout.

4. Configure Advanced Fields

Add failure reporting (RUF), set alignment modes (adkim/aspf for strict or relaxed), and choose forensic triggers (fo).

5. Generate & Copy

Click Generate. Copy the output and paste it into your DNS provider. Done.

First-time users? See our guide for a field-by-field walkthrough and best practices.

DMARC Tag Reference: Complete Guide to Every Field

A DMARC record is built from tags. Each tag controls a specific aspect of your policy and enforcement. Below is a complete reference for all RFC 9989-compliant tags, including new additions and deprecated options.

| Tag | Purpose | Example | Required? | Status |
|---|---|---|---|---|
| v | Version | v=DMARC1 | Yes | Current |
| p | Root domain policy | p=none | Yes | Current |
| sp | Subdomain policy | sp=reject | Optional | Current |
| np | Non-existent subdomain policy | np=reject | Optional | NEW (RFC 9989) |
| rua | Aggregate reports email | rua=mailto:[email protected] | Optional but recommended | Current |
| ruf | Failure reports email | ruf=mailto:[email protected] | Optional | Current |
| adkim | DKIM alignment | adkim=s | Optional | Current |
| aspf | SPF alignment | aspf=r | Optional | Current |
| fo | Forensic options | fo=1 | Optional | Current |
| t | Testing mode | t=y | Optional | NEW (RFC 9989) |
| psd | Public Suffix Domain flag | psd=y | Optional | NEW (RFC 9989) |
| pct | Percentage policy progression | pct=100 | Optional | Deprecated |
| rf | Report format | rf=afrf | Optional | Deprecated |
| ri | Report interval | ri=86400 | Optional | Deprecated |

Example 1: Monitor-Only (New Domain)

v=DMARC1; p=none; rua=mailto:[email protected]; adkim=r; aspf=r; fo=1;

What this does:

  • p=none: Monitor mode, no enforcement yet.
  • rua=mailto:...: Send daily aggregate reports to this email.
  • adkim=r, aspf=r: Use relaxed alignment (more forgiving for forwarded mail and third-party senders).
  • fo=1: Send forensic reports on failures.
Next step: Once reports show clean authentication for 1–2 weeks, upgrade from p=none → p=quarantine → p=reject.

Example 2: Enforce (Mature Deployment)

v=DMARC1; p=reject; sp=quarantine; np=reject; rua=mailto:[email protected]; ruf=mailto:[email protected]; adkim=s; aspf=s; t=y; fo=0;

What this does:

  • p=reject: Enforce on root domain, reject misaligned mail.
  • sp=quarantine: Soft-reject existing subdomains (they inherit if not explicitly set).
  • np=reject: Strict enforcement on new subdomains (blocks typosquatters).
  • rua= & ruf=: Receive both aggregate and forensic reports.
  • adkim=s, aspf=s: Strict alignment (exact domain match required).
  • t=y: Tagged for RFC 9989 monitoring mode (better compatibility with modern receivers).
  • fo=0: Don't send forensic reports on every failure (reduces noise).
Use this configuration once your organization has aligned all legitimate senders.

DMARC Policies Explained: p, sp, and np

DMARC has three policy tags that control enforcement at different domain levels:

| Policy Tag | Values | Usage |
|---|---|---|
| p | none, quarantine, reject | This is your primary policy, the default for your entire organization. |
| sp | none, quarantine, reject | Controls behavior for subdomains (e.g., mail.company.com, marketing.company.com). If omitted, subdomains inherit the root p policy. Use this to enforce gradually on subdomains before tightening the root. |
| np | none, quarantine, reject | Controls behavior for subdomains that have never sent mail. Prevents typosquatters from exploiting your domain namespace. Set independently of sp to protect unused subdomains from abuse. |

Typical Progression to Prevent Deliverability Issues

Start: p=none (monitor only; no enforcement)
Move to: p=quarantine + sp=none (soft-reject root; monitor subdomains)
Escalate to: p=reject + sp=quarantine (enforce root; soft-reject subdomains)

How to Publish Your DMARC Record

Each hosting provider has its own specific steps for publishing a DMARC record; contact their support to learn more. The general process is:

Access your DNS management console — Log into your domain registrar or hosting provider's control panel.

Create a new TXT record — Add a new DNS record to your domain's DNS zone file.

Set the record type to "TXT" — Ensure the record type is set to TXT, not A, CNAME, or MX.

Set the host/name to "_dmarc" — The host field should be exactly "_dmarc" (without quotes).

Paste your generated record value — Copy and paste the entire DMARC record value from our generator tool into the Value field.

Save and verify — Hit save once published. Your DMARC record may take up to 72 hours to propagate through DNS, though it often activates faster. Verify your record is live using our free DMARC Checker Tool.

Common DMARC Record Mistakes to Avoid

Avoid these pitfalls when deploying DMARC:

Starting at p=reject immediately — You'll block legitimate mail if authentication isn't fully aligned. Always start at p=none to monitor, then move through quarantine to reject over weeks or months.

Omitting the rua (report) email — Without reports, you won't see what's happening. Aggregate reports are essential to spot misaligned sources and legitimate mail failing authentication.

Using only strict alignment modes too early — Setting both adkim=s and aspf=s immediately breaks forwarded mail and third-party senders. Start relaxed (r), tighten gradually as you align sources.

Ignoring subdomains with sp — If you don't set sp, all subdomains inherit your root policy, which may be too strict. Define subdomain behavior explicitly for controlled rollout.

Setting pct=0 without RFC 9989 compatibility — Mail receivers don't understand pct. In RFC 9989 systems, use t=y to signal gradual rollout instead.
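
The tag table and the mistakes listed above can be checked mechanically before a record is published. The following linter is an added example, not PowerDMARC's generator or checker code; treating strict alignment at p=none as "too early" is an assumption made for illustration.

```python
# Added example: lint a DMARC TXT value against this page's tag table and
# "common mistakes" list. Not PowerDMARC code.
DEPRECATED = {"pct", "rf", "ri"}  # marked Deprecated in the tag table
KNOWN = {"v", "p", "sp", "np", "rua", "ruf", "adkim", "aspf", "fo", "t",
         "psd"} | DEPRECATED
POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc(value):
    """Split 'tag=value; tag=value;' into a dict, preserving tag order."""
    tags = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate the trailing ';' the generator emits
        name, sep, val = part.partition("=")
        name = name.strip().lower()
        if not sep or not name:
            raise ValueError(f"malformed tag: {part!r}")
        if name in tags:
            raise ValueError(f"duplicate tag: {name}")
        tags[name] = val.strip()
    return tags


def lint_dmarc(value):
    """Return a list of findings; an empty list means nothing was flagged."""
    tags = parse_dmarc(value)
    p = tags.get("p", "").lower()
    findings = []
    if next(iter(tags), None) != "v" or tags["v"] != "DMARC1":
        findings.append("v=DMARC1 must be the first tag")
    if "p" not in tags:
        findings.append("missing required tag p")
    for name in ("p", "sp", "np"):
        if name in tags and tags[name].lower() not in POLICIES:
            findings.append(f"{name} must be none, quarantine or reject")
    findings += [f"unknown tag {t}" for t in tags if t not in KNOWN]
    findings += [f"{t} is deprecated" for t in tags if t in DEPRECATED]
    if "rua" not in tags:
        findings.append("no rua: aggregate reports will not be received")
    # Assumption: strict alignment while still at p=none counts as "too early".
    if p == "none" and tags.get("adkim") == "s" and tags.get("aspf") == "s":
        findings.append("strict adkim and aspf while still at p=none")
    if p in ("quarantine", "reject") and "sp" not in tags:
        findings.append(f"sp not set: subdomains inherit p={p}")
    return findings
```

Calling `lint_dmarc("v=DMARC1; p=reject; pct=0")` (a constructed record) reports the deprecated pct tag, the missing rua address, and the inherited subdomain policy.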

What to Do After Generating Your DMARC Record

Activating DMARC is just step one. Here’s your roadmap:

Verify Publication

Use our free DMARC Checker to confirm your record is live and syntactically correct. This takes seconds and prevents debugging headaches later.

Monitor Aggregate Reports

Start receiving daily aggregate reports to your RUA email. Parse them using our DMARC Analyzer to understand your email flow and spot misaligned sources.

Check SPF and DKIM Setup

Ensure SPF and DKIM records are also configured correctly. DMARC enforcement depends on both being functional. Use our SPF Checker and DKIM Checker.

Gradual Policy Enforcement

After 1–2 weeks of clean reports, escalate from p=none → p=quarantine → p=reject. Don't rush enforcement; misaligned legitimate mail gets blocked and causes user complaints.

Enable Spoofing Alerts

Set up real-time alerts for unauthenticated mail claiming to be from your domain. This catches active impersonation before it reaches your users' inboxes.

Audit Third-Party Senders

Identify all legitimate mail sources (marketing platforms, payment processors, notification systems, etc.) and ensure they authenticate via SPF or DKIM.

Ready for hands-off management? Upgrade to PowerDMARC's Hosted DMARC Service for:

  • 24/7 monitoring
  • Automated enforcement recommendations
  • Detailed forensics
  • Threat intelligence insights

Check your DMARC record?

Instantly verify if your DMARC record is live, valid, and free of syntax errors using our free lookup tool.

DMARC Checker

At p=none? Move to enforcement.

PowerDMARC's hosted DMARC guides you safely from monitoring to full p=reject enforcement with real-time visibility.

Hosted DMARC

Want ongoing monitoring?

PowerDMARC automatically parses aggregate reports and alerts you when new senders appear or authentication issues arise.

Start Free

What Our Clients & Partners Say About Us

Belgin Abraham

CEO, Channel Next

“PowerDMARC’s MSP partner program provides cutting-edge solutions to protect our clients’ email domains from cyber threats, while also opening up a new revenue stream and enhancing our service offerings.”

Frequently Asked Questions

What is a DMARC generator?
A tool that creates a valid DMARC DNS TXT record based on your settings, ready to copy and paste into your DNS provider. No syntax errors, no guesswork, just fill in your policy and reporting email, hit generate, and you're done.

How do I generate a DMARC record?
Choose your policy (none, quarantine, or reject), add a reporting email, select alignment modes, and click Generate. Our tool validates every field and outputs the ready-to-publish record. See the 5-step guide above for detailed instructions.

What is an example of a DMARC record?
Here's a monitor-mode example: v=DMARC1; p=none; rua=mailto:[email protected]; This starts in monitoring mode (p=none), and sends daily reports (rua).

What is DMARC for beginners?
DMARC is a standard that lets you tell email receivers how to handle messages that fail authentication checks. It stops attackers from impersonating your domain and shows you who's sending mail on your behalf.

Stop domain abuse once and for all with your very own DMARC policy generator!