DMARC Record Generator

Build a valid DMARC policy step by step — configure enforcement, alignment, and reporting URIs, then copy the ready-made TXT record.

Configuration

Policy Strength

Strong — Unauthorized Mail Rejected

100%

100% applies the policy to all messages. Lower values let you ramp up gradually.

Strict requires an exact domain match; relaxed allows sub-domains.

Strict requires the Return-Path domain to match exactly.

Daily XML summaries will be sent here. mailto: is added automatically.

Per-failure reports (optional, not all receivers support this).

Seconds between aggregate reports. Default is 86400 (24 hours).

Generated DMARC Record

DNS Record Name: _dmarc.example.com
Record Type: TXT
Record Value: v=DMARC1; p=reject
Full TXT Record
_dmarc.example.com IN TXT "v=DMARC1; p=reject"

Implementation Steps

  1. Ensure SPF and DKIM are already configured and passing for your domain.
  2. Log in to your DNS provider and create a TXT record with the name _dmarc.example.com.
  3. Paste the record value shown above as the TXT record content.
  4. Start with p=none to monitor results via aggregate reports before enforcing.
  5. Review daily aggregate reports (rua), verify legitimate senders pass SPF/DKIM, then gradually increase the policy to quarantine → reject.
  6. Use the percentage slider (pct=) to ramp up enforcement gradually — e.g. 10% → 50% → 100%.

Frequently Asked Questions

What is DMARC and why do I need it?

DMARC (Domain-based Message Authentication, Reporting & Conformance) is an email authentication protocol that builds on SPF and DKIM. It tells receiving mail servers what to do with messages that fail authentication checks and where to send reports, helping protect your domain from spoofing and phishing.

What is the difference between none, quarantine and reject policies?

With 'none', failing messages are still delivered — useful for monitoring. 'Quarantine' tells receivers to treat failures as suspicious (often moved to spam). 'Reject' instructs receivers to block the message entirely. Start with 'none' and move toward 'reject' once you have confidence in your setup.

What are aggregate (rua) and forensic (ruf) reports?

Aggregate reports (rua) are XML summaries sent daily showing authentication results for your domain. Forensic reports (ruf) are individual failure reports with more detail. Most organisations start with aggregate reports; forensic reports are less commonly supported by receivers.

How long does it take for DMARC changes to take effect?

DNS changes typically propagate within minutes to a few hours. However, receivers cache DMARC policies, and aggregate reports are usually sent once per day, so it may take 24–48 hours to see the full impact of a change.

Can I use this tool offline?

Yes. The entire record is generated in your browser — no API calls or server processing involved. Your configuration data never leaves your device.

Complete Guide: How to Use the DMARC Record Generator

Generate a DMARC policy record for your domain with our interactive wizard. Configure policy mode, subdomain policy, alignment settings, and reporting addresses. The tool builds the complete TXT record and provides implementation instructions.

Step-by-Step Instructions

  1. Choose your policy mode

    Select p=none (monitor only), p=quarantine (send failures to spam), or p=reject (block failures). Start with none for new implementations.

  2. Configure alignment

    Set DKIM alignment (adkim=) and SPF alignment (aspf=) to 'relaxed' (r) or 'strict' (s). Relaxed allows subdomain matching.

  3. Set reporting addresses

    Enter the email addresses for aggregate reports (rua=) and forensic reports (ruf=). These are essential for monitoring.

  4. Copy and publish

    Copy the generated record and add it as a TXT record at _dmarc.yourdomain.com in your DNS.
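
The record assembly these steps describe, sketched in Python as an added example (not this tool's own code). `build_dmarc`, its parameters and the sample addresses are hypothetical, and leaving out tags that sit at their RFC 7489 defaults (relaxed alignment, pct=100, ri=86400) is a choice made here.

```python
import re

POLICIES = {"none", "quarantine", "reject"}
ADDR = re.compile(r"^[^@\s,;!]+@[^@\s,;!]+\.[^@\s,;!]+$")  # ',' and '!' are reserved in report URIs


def _uris(tag, addresses):
    """Validate report mailboxes and add the mailto: scheme where it is missing."""
    out = []
    for addr in addresses:
        addr = addr.strip()
        if addr.lower().startswith("mailto:"):
            addr = addr[len("mailto:"):]
        if not ADDR.match(addr):
            raise ValueError(f"{tag}: not a mailbox address: {addr!r}")
        out.append("mailto:" + addr)
    return ",".join(out)


def build_dmarc(domain, p, pct=100, sp=None, adkim="r", aspf="r",
                rua=(), ruf=(), ri=86400, fo=None):
    """Return (record name, TXT value). Tags left at their default are omitted."""
    if p not in POLICIES or (sp is not None and sp not in POLICIES):
        raise ValueError("p and sp must be none, quarantine or reject")
    if adkim not in ("r", "s") or aspf not in ("r", "s"):
        raise ValueError("adkim and aspf must be 'r' (relaxed) or 's' (strict)")
    if not isinstance(pct, int) or not 0 <= pct <= 100:
        raise ValueError("pct must be an integer from 0 to 100")
    if not isinstance(ri, int) or ri <= 0:
        raise ValueError("ri must be a positive number of seconds")
    if fo is not None and not (ruf and set(str(fo).split(":")) <= {"0", "1", "d", "s"}):
        raise ValueError("fo needs a ruf address and values drawn from 0, 1, d, s")
    optional = [("sp", sp, None), ("adkim", adkim, "r"), ("aspf", aspf, "r"),
                ("pct", pct, 100), ("rua", _uris("rua", rua), ""),
                ("ruf", _uris("ruf", ruf), ""), ("fo", fo, None), ("ri", ri, 86400)]
    tags = [("v", "DMARC1"), ("p", p)]  # v must come first, p second (RFC 7489)
    tags += [(k, v) for k, v, default in optional if v != default]
    return f"_dmarc.{domain}", "; ".join(f"{k}={v}" for k, v in tags)


if __name__ == "__main__":
    # Constructed rollout: monitor first, ramp quarantine with pct, then reject.
    for p, pct in [("none", 100), ("quarantine", 10), ("quarantine", 100), ("reject", 100)]:
        print(*build_dmarc("example.com", p, pct=pct, rua=["dmarc@example.com"]))
```

Invalid input raises `ValueError` instead of producing a record that receivers would ignore.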

Common Use Cases

  • Email protection — implement DMARC to prevent domain spoofing and phishing attacks
  • Compliance — meet email authentication requirements for NIST, PCI DSS, or industry regulations
  • BIMI preparation — generate the required DMARC policy (quarantine or reject) needed for BIMI logo display
  • Monitoring — set up DMARC in monitor mode to understand your email authentication landscape
  • Policy upgrade — generate a stricter policy after monitoring shows clean results
  • Multi-domain — create consistent DMARC policies across all your organization's domains

Pro Tips

💡 Always start with p=none and rua= reporting. Monitor reports for 2-4 weeks before moving to quarantine.
💡 Use a dedicated DMARC report analyzer (like ours) to parse the XML aggregate reports into readable dashboards.
💡 Set sp= (subdomain policy) separately if subdomains send email differently from your root domain.
💡 The fo= tag controls when forensic reports are generated: fo=1 sends a report if any authentication check fails.
