Free tool

DMARC Record Generator

Every parameter explained. Build a complete, correct record and copy it straight to your DNS.

v
Version
Always DMARC1. Identifies the record as a DMARC policy. Must be the first tag.
p
Policy required
What receivers do with email that fails DMARC alignment. Start with none to collect data, then move to quarantine or reject once you're confident all legitimate senders are covered.
sp
Subdomain policy often overlooked
Applies to subdomains that don't have their own DMARC record (e.g. mail.example.com, promo.example.com). If omitted, subdomains inherit the main p policy. Set to reject early — attackers love sending from subdomains like secure.yourbank.com.
adkim
DKIM alignment
Controls how strictly the DKIM signing domain must match the From: header domain. Relaxed allows subdomains to align (e.g. mail.example.com aligns with example.com). Strict requires an exact match.
aspf
SPF alignment
Controls how strictly the SPF envelope-from (Return-Path) domain must match the From: header domain. Relaxed is nearly always the right choice — strict breaks many legitimate sending setups like mailing lists and forwarding.
pct
Percentage
What percentage of failing messages the policy is applied to. The rest are treated as if the policy were none. Useful for a gradual rollout — start at 10, watch your reports, increase until you reach 100. Has no effect when p=none.
%
rua
Aggregate report address
Where ISPs (Gmail, Outlook, Yahoo…) send daily XML reports summarising which servers sent email for your domain and whether it passed DMARC. Highly recommended — without this you're flying blind. You can list multiple addresses separated by commas.
ruf
Forensic report address privacy note
Where ISPs send failure reports — message-level samples of individual emails that failed DMARC. Useful for debugging misconfigurations and catching spoofing attempts. Note: these reports may contain full email headers and sometimes body content. Many ISPs no longer send them. Leave blank if privacy is a concern or you don't need per-message detail.
ri
Report interval
How often (in seconds) you'd like aggregate reports. The default is 86400 (24 hours). Most ISPs ignore this and send once daily regardless. Only change this if you have a specific reason — leave at default for normal use.
Check domain health score
DMARC, SPF, DKIM — instant security grade
SPF Record Generator
Build a safe SPF record with live lookup counter
Your DNS record
Add as a TXT record at _dmarc.yourdomain.com
v=DMARC1; p=none
How to install
  1. Log in to your DNS provider (Cloudflare, Namecheap, cPanel…)
  2. Search for an existing TXT record named _dmarc.yourdomain.com — if one exists, edit it; if not, create a new TXT record
  3. Set Name to _dmarc.yourdomain.com
  4. Paste the record above as the Value
  5. Set TTL to 3600 (1 hour) or your provider's default
  6. Save — allow up to 48 h for propagation