DMARC DNS Record Generator
Generate online DMARC TXT records with rollout policies, alignment tags, report URIs, DNS zone labels, receiver authorization, and deployment checks.
Introduction
DMARC lets a domain publish how receivers should handle mail that fails authentication alignment. It ties SPF and DKIM results back to the visible From domain, then asks receivers to monitor, quarantine, or reject messages that do not align.
A good DMARC record is more than p=reject. It needs the correct owner name, report destinations, rollout percentage, subdomain policy, alignment mode, and failure-report settings. Report addresses outside the policy domain may also need receiver authorization in DNS.
The safest deployment path usually starts with monitoring, studies aggregate reports, then moves enforcement upward only after legitimate senders are aligned.
Technical Details
A DMARC policy record is a TXT record published at _dmarc.example.com. The required tags are version v=DMARC1 and policy p. Optional tags such as sp, pct, rua, ruf, adkim, aspf, fo, and ri refine rollout and reporting behavior.
| Tag or value | Meaning |
|---|---|
| p=none | monitor without requesting enforcement |
| p=quarantine | ask receivers to treat mail that fails DMARC alignment as suspicious |
| p=reject | ask receivers to reject mail that fails DMARC alignment |
| pct | sampled enforcement percentage for quarantine or reject |
| rua / ruf | aggregate and failure-report mailto destinations |
The generator normalizes domains, strips a pasted _dmarc owner when present, converts Unicode labels to DNS A-labels, and converts bare report mailboxes to mailto: URIs. It builds publish records, zone labels, receiver authorization records for external destinations, a tag map, deployment checks, notes, and JSON.
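The normalization and record-building steps described above, as an added Python example; it is not the generator's own code. The function names are hypothetical, the organizational-domain check is approximated by the last two labels (an assumption, real tools consult the Public Suffix List), and the authorization owner name follows the `_report._dmarc` form from RFC 7489.

```python
# Added example (not the generator's code): build a DMARC TXT record and any
# external-report authorization records from loosely formatted input.

def to_alabel(name: str) -> str:
    """Lowercase, drop a trailing dot, convert Unicode labels to A-labels."""
    return name.strip().rstrip(".").lower().encode("idna").decode("ascii")

def normalize_domain(raw: str) -> str:
    """Policy domain without a pasted _dmarc owner label."""
    name = to_alabel(raw)
    return name[len("_dmarc."):] if name.startswith("_dmarc.") else name

def org_domain(name: str) -> str:
    # Assumption: last two labels. Real tools consult the Public Suffix List.
    return ".".join(name.split(".")[-2:])

def to_mailto(dest: str) -> str:
    """Accept 'user@host' or 'mailto:user@host'; return a mailto: URI."""
    addr = dest.strip()
    if addr.lower().startswith("mailto:"):
        addr = addr[len("mailto:"):]
    local, _, host = addr.rpartition("@")
    if not local or not host:
        raise ValueError(f"not a mailbox: {dest!r}")
    return f"mailto:{local}@{to_alabel(host)}"

def build_dmarc(domain, policy="none", rua=(), pct=100, sp=None):
    if policy not in ("none", "quarantine", "reject"):
        raise ValueError("p must be none, quarantine or reject")
    if not 0 <= pct <= 100:
        raise ValueError("pct must be between 0 and 100")
    domain = normalize_domain(domain)
    uris = [to_mailto(d) for d in rua]
    tags = [("v", "DMARC1"), ("p", policy)]
    if sp:
        tags.append(("sp", sp))
    if pct != 100:                      # 100 is the default, so omit it
        tags.append(("pct", str(pct)))
    if uris:
        tags.append(("rua", ",".join(uris)))
    # Destinations outside the policy's organizational domain need a TXT
    # record in the receiver's zone: <policy-domain>._report._dmarc.<host>
    auth = [(f"{domain}._report._dmarc.{u.rpartition('@')[2]}", "v=DMARC1")
            for u in uris
            if org_domain(u.rpartition("@")[2]) != org_domain(domain)]
    return {"owner": f"_dmarc.{domain}",
            "txt": "; ".join(f"{k}={v}" for k, v in tags),
            "authorization": auth}
```
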
Everyday Use & Decision Guide
Start with p=none and an aggregate report address when you are discovering senders. Move to quarantine or reject after reports show that real mail is authenticated and aligned. Use pct when you want a gradual enforcement ramp instead of all failing traffic at once.
- Use DMARC Publish Records for the final TXT value and zone-file snippet.
- Use DNS Zone Labels when your DNS provider asks for a host field instead of a full owner name.
- Use Receiver Authorization Records if reports go to another organizational domain.
- Use DMARC Tag Map to confirm which defaults were omitted or made explicit.
- Use DMARC Deployment Checks before publishing a stricter policy.
Do not use strict alignment because it sounds stronger unless you know your legitimate senders already align that way. Strict DKIM or SPF alignment can break real mail from common third-party platforms.
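To see why strict alignment can break legitimate mail, the added example below (not part of the tool) evaluates relaxed and strict alignment over constructed authentication results and lists the senders that only pass in relaxed mode. The sender names and domains are made up, and the organizational domain is approximated by the last two labels instead of the Public Suffix List.

```python
# Added example: evaluate DMARC alignment for constructed authentication
# results and list senders that strict alignment would break.

def org_domain(name: str) -> str:
    # Assumption: last two labels. Real tools consult the Public Suffix List.
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """mode 'r' (relaxed): same organizational domain; 's' (strict): exact."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

def dmarc_pass(msg: dict, adkim: str = "r", aspf: str = "r") -> bool:
    """Pass when SPF or any DKIM signature both passes and aligns."""
    spf_ok = msg["spf_pass"] and aligned(msg["spf_domain"], msg["from"], aspf)
    dkim_ok = any(ok and aligned(d, msg["from"], adkim)
                  for d, ok in msg["dkim"])
    return spf_ok or dkim_ok

def broken_by_strict(messages: list) -> list:
    """Senders that pass with relaxed alignment but fail with adkim=s, aspf=s."""
    return [m["sender"] for m in messages
            if dmarc_pass(m) and not dmarc_pass(m, adkim="s", aspf="s")]

# Constructed results, as they might be summarized from aggregate reports.
SAMPLE = [
    {"sender": "corporate-mta", "from": "example.com",
     "spf_domain": "example.com", "spf_pass": True,
     "dkim": [("example.com", True)]},
    {"sender": "newsletter-platform", "from": "example.com",
     "spf_domain": "bounce.mail.example.com", "spf_pass": True,
     "dkim": [("mail.example.com", True)]},
    {"sender": "unconfigured-vendor", "from": "example.com",
     "spf_domain": "vendor.example", "spf_pass": True,
     "dkim": [("vendor.example", True)]},
]

if __name__ == "__main__":
    for m in SAMPLE:
        print(m["sender"], dmarc_pass(m), dmarc_pass(m, "s", "s"))
    print("broken by strict:", broken_by_strict(SAMPLE))
```
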
Step-by-Step Guide
- Enter the domain that will publish DMARC.
- Select the policy, subdomain policy, enforcement percentage, and aggregate report destinations.
- Open Advanced for rollout presets, failure reports, DKIM and SPF alignment, failure options, report interval, and explicit defaults.
- Review deployment checks and authorization records.
- Copy the publish row or export CSV, DOCX, or JSON for the DNS change ticket.
Interpreting Results
DMARC Publish Records contains the value to publish. The owner should be the generated _dmarc name, not the bare domain.
Receiver Authorization Records appear only when report destinations are outside the policy domain or organizational-domain match. Publish those records in the receiver's DNS zone if the receiver requires external report authorization.
DMARC Rollout Steps is advisory. The final timing depends on mail volume, report coverage, and how quickly every legitimate sender can be fixed.
Worked Examples
Monitoring launch. Enter example.com, choose p=none, and set rua=mailto:dmarc@example.com. The publish tab creates a monitoring TXT record suitable for collecting aggregate reports.
Partial quarantine. Set policy to quarantine and pct=25. The tag map shows sampled enforcement, which helps limit blast radius while remaining senders are fixed.
External reporting. If aggregate reports go to dmarc@vendor.example, the authorization tab shows the extra DNS TXT owner and value that may be required in the receiver zone.
FAQ
Does DMARC pass require both SPF and DKIM?
No. DMARC can pass when either SPF or DKIM authenticates and aligns with the visible From domain.
Why does the generator remove _dmarc from my input?
The owner label is added automatically. Removing a pasted prefix prevents publishing at _dmarc._dmarc.example.com.
Should I publish failure reports?
Use ruf carefully. Failure reports can contain message details, and many receivers limit or do not send them.
What does pct=100 mean?
It asks receivers to apply the selected quarantine or reject policy to all messages that fail DMARC, subject to receiver local policy.
Glossary
- Alignment: A match between the visible From domain and the authenticated SPF or DKIM domain.
- rua: Aggregate report URI tag.
- ruf: Failure report URI tag.
- Organizational domain: The registrable domain boundary used when comparing related report destinations.