Free DMARC Record Generator
Create a valid DNS TXT record for your domain in seconds. Choose your policy, add a reporting address, and copy the result directly into your DNS — no account required.
DMARC stands for Domain-based Message Authentication, Reporting, and Conformance. A DMARC record is a DNS TXT record published at _dmarc.yourdomain.com that tells email receivers how to handle messages that fail SPF or DKIM authentication. It protects your domain from spoofing, improves email deliverability, and gives you visibility into who’s sending mail on your behalf.
Our DMARC generator automates record creation so you never worry about syntax errors. Choose your policy, set reporting addresses, and adjust advanced options like subdomain behavior and alignment modes.
The tool validates every field and outputs a ready-to-publish DNS TXT record. Unlike manual record builders, you get RFC 9989 compliance out of the box, including support for new tags like np and t.
Generate your DMARC record in 5 simple steps:
1. Select none (monitor), quarantine (soft), or reject (enforce) for your root domain. For new domains, start with p=none to monitor traffic before enforcement.
2. Enter your RUA email for aggregate reports. Optional but strongly recommended, as reports show you everything happening with your domain's authentication.
3. Define subdomain behavior with the sp tag. Leave blank to inherit the root policy, or set explicitly for gradual rollout.
4. Add failure reporting (RUF), set alignment modes (adkim/aspf for strict or relaxed), and choose forensic triggers (fo).
5. Click Generate. Copy the output and paste it into your DNS provider. Done.
First-time users? See our guide for a field-by-field walkthrough and best practices.
A DMARC record is built from tags. Each tag controls a specific aspect of your policy and enforcement. Below is a complete reference for all RFC 9989-compliant tags, including new additions and deprecated options.
| Tag | Purpose | Example | Required? | Status |
|---|---|---|---|---|
| v | Version | v=DMARC1 | Yes | Current |
| p | Root domain policy | p=none | Yes | Current |
| sp | Subdomain policy | sp=reject | Optional | Current |
| np | Non-existent subdomain policy | np=reject | Optional | NEW (RFC 9989) |
| rua | Aggregate reports email | rua=mailto:[email protected] | Optional but recommended | Current |
| ruf | Failure reports email | ruf=mailto:[email protected] | Optional | Current |
| adkim | DKIM alignment | adkim=s | Optional | Current |
| aspf | SPF alignment | aspf=r | Optional | Current |
| fo | Forensic options | fo=1 | Optional | Current |
| t | Testing mode | t=y | Optional | NEW (RFC 9989) |
| psd | Public Suffix Domain flag | psd=y | Optional | NEW (RFC 9989) |
| pct | Percentage policy progression | pct=100 | Optional | Deprecated |
| rf | Report format | rf=afrf | Optional | Deprecated |
| ri | Report interval | ri=86400 | Optional | Deprecated |
p=none → p=quarantine → p=reject. DMARC has three policy tags that control enforcement at different domain levels:
| Policy Tag | Values | Usage |
|---|---|---|
| p | none, quarantine, reject | This is your primary policy, the default for your entire organization. |
| sp | none, quarantine, reject | Controls behavior for subdomains (e.g., mail.company.com, marketing.company.com). If omitted, subdomains inherit the root p policy. Use this to enforce gradually on subdomains before tightening the root. |
| np | none, quarantine, reject | Controls behavior for non-existent subdomains, that is, names under your domain that do not exist in DNS. Prevents typosquatters from exploiting your domain namespace. Set independently of sp to protect unused subdomains from abuse. |
Every DNS hosting provider has its own steps for publishing a DMARC record; contact their support for the specifics. Here's the general process:
Access your DNS management console — Log into your domain registrar or hosting provider's control panel.
Create a new TXT record — Add a new DNS record to your domain's DNS zone file.
Set the record type to "TXT" — Ensure the record type is set to TXT, not A, CNAME, or MX.
Set the host/name to "_dmarc" — The host field should be exactly "_dmarc" (without quotes).
Paste your generated record value — Copy and paste the entire DMARC record value from our generator tool into the Value field.
Save and verify — Hit save once published. Your DMARC record may take up to 72 hours to propagate through DNS, though it often activates faster. Verify your record is live using our free DMARC Checker Tool.
Avoid these pitfalls when deploying DMARC:
Starting at p=reject immediately — You'll block legitimate mail if authentication isn't fully aligned. Always start at p=none to monitor, then move through quarantine to reject over weeks or months.
Omitting the rua (report) email — Without reports, you won't see what's happening. Aggregate reports are essential to spot misaligned sources and legitimate mail failing authentication.
Using only strict alignment modes too early — Setting both adkim=s and aspf=s immediately breaks forwarded mail and third-party senders. Start relaxed (r), tighten gradually as you align sources.
Ignoring subdomains with sp — If you don't set sp, all subdomains inherit your root policy, which may be too strict. Define subdomain behavior explicitly for controlled rollout.
Setting pct=0 without RFC 9989 compatibility — pct is deprecated, so receivers that follow RFC 9989 don't act on it. In RFC 9989 systems, use t=y to signal gradual rollout instead.
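The tag reference and the pitfalls above can be checked mechanically before a record is published. The following linter is an added example, not the generator's own code; the function names, message texts and the example.com sample records are constructed for illustration, and only tags whose allowed values appear on this page are value-checked.

```python
# Added example: lint a DMARC TXT value against this page's tag table and pitfalls.
POLICIES = {"none", "quarantine", "reject"}
# Only tags whose allowed values appear on the page are value-checked.
ALLOWED = {"p": POLICIES, "sp": POLICIES, "np": POLICIES,
           "adkim": {"r", "s"}, "aspf": {"r", "s"}}
KNOWN = set(ALLOWED) | {"v", "rua", "ruf", "fo", "t", "psd"}
DEPRECATED = {"pct", "rf", "ri"}

def parse_dmarc(record):
    """Split 'tag=value; tag=value' into an ordered list of (tag, value)."""
    pairs = []
    for part in record.split(";"):
        if not part.strip():
            continue  # tolerate a trailing semicolon
        tag, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part.strip()!r}")
        pairs.append((tag.strip().lower(), value.strip()))
    return pairs

def lint_dmarc(record):
    """Return (severity, message) findings; an empty list means clean."""
    pairs = parse_dmarc(record)
    tags = dict(pairs)
    findings = []
    if not pairs or pairs[0] != ("v", "DMARC1"):
        findings.append(("error", "v=DMARC1 must be the first tag"))
    if "p" not in tags:
        findings.append(("error", "required tag p is missing"))
    if len(tags) != len(pairs):
        findings.append(("error", "a tag appears more than once"))
    for tag, value in pairs:
        if tag in DEPRECATED:
            hint = "; use t=y for gradual rollout" if tag == "pct" else ""
            findings.append(("warn", f"{tag} is deprecated{hint}"))
        elif tag not in KNOWN:
            findings.append(("warn", f"unknown tag {tag}"))
        elif tag in ALLOWED and value.lower() not in ALLOWED[tag]:
            findings.append(("error", f"invalid value for {tag}: {value}"))
    if "rua" not in tags:
        findings.append(("warn", "no rua: aggregate reports will not arrive"))
    if tags.get("adkim", "").lower() == "s" and tags.get("aspf", "").lower() == "s":
        findings.append(("warn", "strict adkim and aspf can break forwarded mail"))
    return findings

# Constructed sample records (example.com is a placeholder domain).
GOOD = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com; adkim=r; aspf=r"
RISKY = "v=DMARC1; p=reject; pct=0; adkim=s; aspf=s;"
print(lint_dmarc(RISKY))
```

The linter inspects only the record text, so it cannot tell whether a p=reject record was preceded by a monitoring period; that still has to be judged from the aggregate reports.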
Activating DMARC is just step one. Here’s your roadmap:
Use our free DMARC Checker to confirm your record is live and syntactically correct. This takes seconds and prevents debugging headaches later.
Start receiving daily aggregate reports to your RUA email. Parse them using our DMARC Analyzer to understand your email flow and spot misaligned sources.
Ensure SPF and DKIM records are also configured correctly. DMARC enforcement depends on both being functional. Use our SPF Checker and DKIM Checker.
After 1–2 weeks of clean reports, escalate from p=none → p=quarantine → p=reject. Don't rush enforcement; misaligned legitimate mail gets blocked and causes user complaints.
Set up real-time alerts for unauthenticated mail claiming to be from your domain. This catches active impersonation before it reaches your users' inboxes.
Identify all legitimate mail sources (marketing platforms, payment processors, notification systems, etc.) and ensure they authenticate via SPF or DKIM.