DMARC Record Generator & Parser
Email AuthGenerate a valid DMARC (Domain-based Message Authentication, Reporting & Conformance) DNS TXT record. DMARC tells receivers what to do when SPF or DKIM fails — and where to send aggregate and forensic reports about your domain's email traffic.
Policy p=
Subdomain Policy sp=
Optional. If unset, subdomains inherit the main policy. Set explicitly only if you want different behavior for subdomains.
Rollout Percentage pct=
Apply the policy to this percentage of failing messages. Use 10/25/50/100 to ramp up gradually. Default is 100.
Reporting Addresses
Daily XML summaries of pass/fail counts. Most domains use a DMARC analytics service here.
Per-message failure samples. Most providers no longer send these for privacy reasons — usually unused.
Alignment Mode
Generated DMARC Record
v=DMARC1; p=none
TXT · Host: _dmarc · TTL: 3600example.com, the full DNS name is _dmarc.example.com.Parse an Existing DMARC Record
Paste a DMARC TXT record to see what it does in plain English.
What is a DMARC record?
DMARC (Domain-based Message Authentication, Reporting & Conformance) is a DNS TXT record that ties together SPF and DKIM. It does two things: tells receiving mail servers what to do when authentication fails (do nothing, quarantine, or reject), and gives you a reporting address so you can see which IPs are sending mail claiming to be from your domain — including spoofers.
DMARC is published at _dmarc.yourdomain.com — note the underscore-prefixed subdomain, unlike SPF which goes on the apex. Defined by RFC 7489.
DMARC tag reference
| Tag | Required? | Purpose |
|---|---|---|
| v | Yes | Version. Must be DMARC1 and must come first. |
| p | Yes | Policy: none, quarantine, or reject. |
| sp | No | Subdomain policy. Defaults to the value of p. |
| pct | No | Apply the policy to this percentage of failing messages. Default 100. |
| rua | No | Where to send aggregate (XML) reports. mailto: URI. |
| ruf | No | Where to send forensic (per-message) reports. Most providers don't send these. |
| aspf | No | SPF alignment: r (relaxed, default) or s (strict). |
| adkim | No | DKIM alignment: r (relaxed, default) or s (strict). |
| fo | No | Failure reporting options: 0, 1, d, s. |
| ri | No | Reporting interval in seconds. Default 86400 (1 day). |
The recommended DMARC rollout
- Publish SPF and DKIM first. DMARC checks those — without them, every message fails alignment.
- Start with
p=none. Setrua=to a real mailbox or DMARC analytics service. Watch reports for 2-4 weeks. - Identify legitimate senders failing alignment. Add them to your SPF or fix DKIM signing for them.
- Move to
p=quarantine; pct=10. Watch reports for another week or two. - Increase
pctgradually — 25, 50, 100 — until quarantine is at 100% with no legitimate failures. - Move to
p=reject. This is the end state, and is required by Gmail and Yahoo's bulk-sender rules from February 2024 onward for senders of more than 5,000 messages/day.
Frequently Asked Questions
What's the difference between p=none, p=quarantine, and p=reject?
none = monitor only, take no action; quarantine = send failing mail to the spam folder; reject = bounce failing mail outright. Always start with none, end at reject.
What does relaxed vs strict alignment mean?
Relaxed (r) lets the SPF/DKIM domain be a subdomain of the From-header domain — so mail.example.com can authenticate example.com. Strict (s) requires the exact same domain. Most domains stay on relaxed.
Where do aggregate reports go?
Receiving servers send a daily XML report to the address in rua=. They're parseable but verbose — most users send them to a DMARC analytics service (Postmark DMARC Digests, dmarcian, Valimail, EasyDMARC) that converts them to a dashboard.
Can I use a third-party email for the rua= address?
Yes, but if it's outside your domain, you need an authorization record on that domain: example.com._report._dmarc.thirdparty.com with value v=DMARC1. Most analytics services document this; Cloudflare and Google Postmaster Tools do it automatically.
What happens if I don't publish DMARC?
Without DMARC, receivers fall back to whatever heuristics they use. Gmail and Yahoo's bulk-sender requirements (Feb 2024) require any sender of 5,000+ messages/day to publish at least p=none. Without it, mail is increasingly rate-limited or sent to spam.
Set up the full email-auth stack: SPF record generator · DKIM record generator · HTTP security headers.