Menu
Fix deliverability Security Pricing
Theme
Free tool

DMARC record generator.

Build a safe DMARC record step by step. Every tag explained in plain English, with a copy-paste record at the end.

DMARC tag reference

A DMARC record is a DNS TXT record published at _dmarc.yourdomain.com. Each tag controls a different aspect of how receiving mail servers handle unauthenticated messages.

Tag
Required
What it does
v=DMARC1
Required
Version identifier. Must be the first tag in every DMARC record.
p=
Required
Policy: none (monitor), quarantine (send to spam), reject (block). Start with none, move to reject once aligned.
rua=
Recommended
Aggregate report destination. Format: mailto:dmarc@yourdomain.com. You'll receive daily XML reports showing who sends mail as your domain.
ruf=
Optional
Forensic report destination. Sends individual failure reports. Many providers don't support this, so rua is more reliable.
sp=
Optional
Subdomain policy. If omitted, subdomains inherit the p= policy. Set separately if subdomains send mail differently.
pct=
Optional
Percentage of messages the policy applies to (1-100). Useful for gradual rollout: start at pct=10, increase as you confirm alignment.
aspf=
Optional
SPF alignment mode: r (relaxed, allows subdomains) or s (strict, exact match). Default is r.
adkim=
Optional
DKIM alignment mode: r (relaxed) or s (strict). Default is r. Relaxed allows signing with a parent domain.

Safe rollout records

Here are recommended records for each stage of DMARC deployment. Copy the one that matches where you are.

Step 1 Monitor only (start here)
v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com; aspf=r; adkim=r

Collects reports without affecting mail delivery. Run for 2-4 weeks to understand your traffic.

Step 2 Gradual quarantine
v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@yourdomain.com; aspf=r; adkim=r

Sends 25% of failing mail to spam. Increase pct to 50, 75, then 100 as you confirm alignment.

Step 3 Full reject (goal)
v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com; aspf=r; adkim=r

Blocks all unauthenticated mail. Best protection against spoofing.

Related tools
Need help rolling out DMARC?
DNS Doctors can draft your DMARC records, monitor alignment, and guide you from p=none to p=reject.
Learn more