DNS & Security Utilities

DMARC Record Generator

Build compliant domain email security policies. Create standard DMARC TXT record configs with reporting tags and alignment rules.

System administrators, postmasters, and security developers need to implement email validation rules to stop domain spoofing attacks. This browser-based wizard generates compliant DMARC DNS configurations to satisfy modern mail guidelines. When to use it: When setting up a new domain email server, addressing spam delivery issues, or hardening company domains against phishing. What it solves: Avoids incorrect reporting prefixes, syntax gaps, and alignment tag configuration mistakes. Why it matters: Major mailbox providers like Google and Yahoo require active DMARC validation tags to accept bulk emails.

DMARC DNS Options

100%

DNS TXT Record Output

Host/Name _dmarc.example.com
Record Type TXT
TXT Value
 

Record Parameters Breakdown

How DMARC DNS Records Protect Domains

When an email server receives a message from your domain, it executes SPF and DKIM checks to confirm the sender\'s identity. The receiving server then evaluates your DMARC DNS settings to align these results.

DMARC requires either SPF or DKIM to align. SPF aligns if the Return-Path domain matches the visible "From" header. DKIM aligns if the signature domain matches the "From" header. Your DMARC policy tells the receiving server whether to accept, spam-box (quarantine), or reject the email if both authentications fail.

Before & After DNS Configuration Examples

❌ Before (No DMARC published)

No _dmarc TXT record in your DNS settings. Spam senders can spoof your email address without trigger blocks.

;; Domain query details
example.com. IN TXT ?
;; No records found containing v=DMARC1

✅ After (Active quarantine policy with reporting)

Publishing _dmarc TXT record forces receiving servers to quarantine failed emails and route daily XML reports.

Host: _dmarc
Type: TXT
Value: v=DMARC1; p=quarantine; pct=100; rua=mailto:reports@example.com; adkim=r; aspf=r

Industry Use Cases

Developer Workflows SEO Strategies Operations & Teams
Validate DNS settings for bulk transactional email senders (SMTP relays). Ensure marketing newsletter domains maintain good reputation flags to keep search index ratings clean. Fulfill email compliance checks for enterprise security certifications.
Audit subdomain email server settings to prevent rogue mail nodes from running. Audit domain parameters before migrating to third-party customer support portals. Route daily aggregate XML logs to dedicated mailboxes for analysis.

Common DMARC DNS Mistakes

Publishing Multiple DMARC Records

Domains can only contain one TXT record starting with v=DMARC1. Publishing multiple records makes them both invalid, removing security protections.

Missing the mailto: Schema Prefix

The rua and ruf tags must declare full URI schemas. Writing rua=dmarc@company.com instead of rua=mailto:dmarc@company.com stops report delivery.

DMARC Rollout Best Practices

  • Start with None: Begin with p=none to gather reports and verify your SPF and DKIM alignment without impacting deliverability.
  • Check Reports Weekly: Audit reports to locate missing SPF or DKIM parameters on your newsletters and CRM systems.
  • Increase pct Gradually: Transition to p=quarantine starting with a lower percentage (e.g. pct=10) before moving to 100%.
  • Enforce Reject: Finalize your rollout with p=reject once all sending sources are fully aligned.

Frequently Asked Questions

What is a DMARC record and why does my domain need one?

DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an email authentication protocol that uses SPF and DKIM to protect your domain from spoofing and phishing attacks. By publishing a DMARC TXT record in your DNS, you tell receiving mail servers how to handle emails that fail verification. It also enables receiving servers to send XML reports back to you detailing who is sending emails on behalf of your domain.

What is the difference between DMARC policy levels: none, quarantine, and reject?

The policy tag (p) defines what action receivers should take with failed emails. "none" collects reports without affecting email delivery, which is ideal for initial setup and audit phases. "quarantine" sends failing emails directly to the recipient's spam or junk folder to prevent them from reaching the inbox. "reject" blocks the email entirely, instructing the receiving mail server to bounce or delete the message outright.

What are rua and ruf email addresses in a DMARC record?

The rua tag specifies the mailto destination address for aggregate XML reports, which summarize sending sources and validation rates daily. The ruf tag sets the destination for forensic failure reports, which contain detailed headers and payloads for individual emails that failed authentication. Most domain admins use dedicated mailboxes (e.g. dmarc-reports@mydomain.com) or external parser services to handle these large XML flows.

What are relaxed versus strict alignment modes for SPF and DKIM?

Alignment modes determine how closely the domain in the "From" header must match the domains authenticated by SPF (Return-Path) and DKIM (Signature domain). "relaxed" mode (r) allows subdomains to match the root domain (e.g. news.domain.com aligns with domain.com). "strict" mode (s) requires an exact domain match, which increases spoofing security but requires careful configuration of third-party newsletter tools.

How does the pct parameter work in a DMARC policy?

The pct (percentage) tag controls the fraction of failed email messages subjected to your selected policy. For example, if you set p=quarantine and pct=25, only 25% of failing emails will be sent to the spam folder, while the other 75% will be delivered to inboxes. This lets you roll out security policies incrementally to avoid accidental blocks.

Can I have multiple DMARC records on a single domain?

No, a domain must have exactly one DMARC TXT record in its DNS settings. If you publish multiple DMARC records, receiving email servers will ignore all of them, disabling DMARC protection entirely. If you need to send reports to multiple destinations, you can list multiple email addresses separated by commas in a single rua or ruf tag.

How do I publish the generated DMARC record to my DNS?

Log in to your DNS provider (e.g. Cloudflare, Namecheap, or GoDaddy), add a new TXT record, set the Host name to "_dmarc" or "_dmarc.yourdomain.com", paste the generated record string into the Value/Content field, and save the settings. The DNS changes will propagate worldwide, usually taking between a few minutes and 24 hours.