DMARC Record Generator
A DMARC record generator builds and validates the DNS TXT record that tells receiving mail servers how to handle emails failing SPF or DKIM authentication on your domain. Without DMARC, attackers can spoof your domain to send phishing emails to your customers. This free tool lets you check your existing DMARC record for misconfigured tags, invalid policies, and missing reporting URIs, or generate a new RFC 7489-compliant record using an interactive policy builder. DMARC is the enforcement layer that ties SPF and DKIM together, preventing spoofing and giving you visibility into unauthorized senders.
How to Use This Tool
Check Existing DMARC
Enter your domain name in the "Check Existing" tab. The tool queries the TXT record at _dmarc.yourdomain.com, parses every DMARC tag, validates enum values and URI formats, and gives specific recommendations for any issues it finds.
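The kind of check described above can be sketched in a few lines. This is an added example, not this tool's own code: the function names and both sample records are constructed for illustration, and it assumes only mailto: report URIs are acceptable.

```python
import re

POLICIES = {"none", "quarantine", "reject"}
# Allowed values for the enumerated tags defined in RFC 7489
ENUMS = {"p": POLICIES, "sp": POLICIES, "adkim": {"r", "s"}, "aspf": {"r", "s"}}
# mailto: URI with the optional "!<size>" report-size suffix
MAILTO = re.compile(r"mailto:[^@\s,!]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+(![0-9]+[kmgt]?)?")

# Constructed sample records (not taken from a real domain)
GOOD = "v=DMARC1; p=quarantine; pct=25; adkim=s; rua=mailto:dmarc@example.com"
BAD = "v=DMARC1; p=monitor; pct=150; rua=dmarc@example.com"


def parse_dmarc(txt):
    """Split a DMARC TXT value into an ordered list of (tag, value) pairs."""
    pairs = []
    for part in txt.split(";"):
        if part.strip():
            tag, _, value = part.partition("=")  # split on the first "=" only
            pairs.append((tag.strip().lower(), value.strip()))
    return pairs


def validate_dmarc(txt):
    """Return a list of problems; an empty list means no issue was found."""
    pairs = parse_dmarc(txt)
    tags = dict(pairs)
    issues = []
    if not pairs or pairs[0] != ("v", "DMARC1"):
        issues.append("v=DMARC1 must be the first tag")
    if "p" not in tags:
        issues.append("missing required p= tag")
    if len(tags) != len(pairs):
        issues.append("duplicate tag")
    for tag, allowed in ENUMS.items():
        if tag in tags and tags[tag].lower() not in allowed:
            issues.append(f"invalid {tag}={tags[tag]}")
    pct = tags.get("pct")
    if pct is not None and not (re.fullmatch(r"[0-9]{1,3}", pct) and int(pct) <= 100):
        issues.append(f"pct must be 0-100, got {pct}")
    for tag in ("rua", "ruf"):
        for uri in filter(None, (u.strip() for u in tags.get(tag, "").split(","))):
            if not MAILTO.fullmatch(uri):
                issues.append(f"{tag} URI is not a valid mailto: {uri}")
    if tags.get("p", "").lower() == "none" and "rua" not in tags:
        issues.append("p=none without rua collects no reports")
    return issues
```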
Generate New DMARC
Switch to the "Generate New" tab. Select your policy level, configure alignment settings, add reporting URIs, and customize failure options. Copy the generated record and add it as a TXT record at _dmarc.yourdomain.com in your DNS provider.
How DMARC Authentication Works
Email Received
A receiving mail server gets an email claiming to be from your domain and checks SPF and DKIM authentication results.
DMARC Lookup
The server queries DNS for a TXT record at _dmarc.yourdomain.com to find your published DMARC policy.
Alignment Check
DMARC passes when at least one of SPF or DKIM passes AND the domain that check authenticated aligns with the domain in the From header (relaxed or strict, per your settings).
Policy Applied
If neither SPF nor DKIM passes with alignment, the server applies your policy: none (deliver and report), quarantine (spam folder), or reject (bounce). Reports are sent to your rua/ruf addresses.
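The four steps above, written out as a receiver-side decision. This is an added example, not code from this page or from any mail server: the function names are hypothetical, the suffix list is a constructed three-entry stand-in for the full Public Suffix List, and it assumes pct=100 and a From domain that is the policy domain itself.

```python
# Constructed mini suffix list; real receivers use the full Public Suffix List.
PUBLIC_SUFFIXES = {"com", "org", "co.uk"}


def org_domain(domain):
    """Organizational domain: the longest matching public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):  # i = 0 tries the longest candidate suffix first
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])  # unknown suffix: fall back to the last two labels


def aligned(auth_domain, from_domain, mode):
    """mode 's' requires an exact match; 'r' requires the same organizational domain."""
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def dmarc_disposition(from_domain, spf, dkim, policy):
    """spf and dkim are (result, authenticated_domain); policy is a dict of DMARC tags."""
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain, policy.get("aspf", "r"))
    dkim_ok = dkim[0] == "pass" and aligned(dkim[1], from_domain, policy.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "deliver"  # one aligned pass is enough
    # A pass on an unaligned domain counts for nothing: the published policy applies.
    return {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}[policy["p"]]


# Constructed message: SPF passes for a vendor's bounce domain, DKIM for a subdomain.
SPF_RESULT = ("pass", "bounce.mailer.org")
DKIM_RESULT = ("pass", "mail.example.com")
```

With relaxed alignment the subdomain DKIM signature satisfies DMARC; publishing adkim=s makes the same message fail, which is the usual reason third-party senders break when alignment is tightened.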
Frequently Asked Questions
What is a DMARC record and why do I need one?
DMARC (Domain-based Message Authentication, Reporting & Conformance) is a DNS TXT record that tells receiving mail servers how to handle emails that fail SPF or DKIM authentication. Without DMARC, attackers can spoof your domain to send phishing emails to your customers and partners. DMARC lets you enforce a policy (none, quarantine, or reject) and receive aggregate reports showing who is sending email on behalf of your domain. It is the final layer of the SPF + DKIM + DMARC authentication stack that every domain should have configured.
How do I set up DMARC for the first time?
Start by publishing a DMARC record with a policy of p=none and a reporting URI (rua) to collect data. Use our Generate New tab to build the record, then add it as a TXT record at _dmarc.yourdomain.com in your DNS provider. Monitor the aggregate reports for 2-4 weeks to identify all legitimate email sources. Once you confirm all legitimate senders pass SPF and DKIM, gradually increase enforcement by moving to p=quarantine and then p=reject.
What is the difference between p=none, p=quarantine, and p=reject?
The p= tag sets the DMARC policy that receiving servers should apply to emails failing authentication. p=none is monitoring-only and does not affect delivery, making it ideal for initial deployment. p=quarantine tells receivers to treat failing messages as suspicious, typically routing them to the spam folder. p=reject instructs receivers to outright reject failing messages. Best practice is to start with p=none, move to p=quarantine with a low pct value, and eventually enforce p=reject at pct=100 once you are confident all legitimate email passes authentication.
What are DMARC aggregate reports (rua) and how do I read them?
DMARC aggregate reports are XML files sent daily by receiving mail servers to the email address specified in your rua tag. They contain data about every email sent using your domain, including source IP addresses, SPF and DKIM pass/fail results, and the volume of messages. While the raw XML can be hard to read, free services like Google Postmaster Tools and dedicated DMARC report analyzers can parse and visualize the data. These reports are essential for identifying unauthorized senders and verifying your authentication setup before enforcing stricter policies.
Can DMARC break my email delivery?
Yes, if implemented incorrectly. Moving directly to p=reject without first monitoring with p=none can block legitimate emails from services that send on your behalf, such as marketing platforms, CRM systems, or third-party notifications. This is why the recommended approach is to start with p=none and a rua reporting address, analyze reports to identify all legitimate senders, ensure they pass SPF and DKIM alignment, and then gradually ramp up enforcement using the pct tag before moving to full reject.