Free Tool
Free DMARC record generator
Build your v=DMARC1 TXT record in 60 seconds. Copy it, paste it into DNS, done.
Standards basis: Advice based on RFC 9989 for DMARC policy records, RFC 9990 for aggregate reports, and RFC 9991 for failure reports. Historical RFC 7489 behavior is called out where relevant.
Build a valid DMARC TXT record to protect your domain from spoofing and improve email deliverability. Our DMARC builder generates valid DNS records with real-time validation.
No signup required. Real-time validation.
Policy configuration
Start with "none" to gather data without risking email loss.
Use np only when you want a separate policy for subdomain names that do not exist in DNS.
Reporting (where to send data)
Receive daily summaries of who is sending email as you. Separate multiple emails with commas.
Create a free account and we issue your own reporting address. Paste it here as your rua value, and we parse the daily reports for you.
Use a free DMARCTrust reporting address
Advanced alignment (Optional)
Generated record
_dmarc TXT v=DMARC1; p=none;
How to deploy
- 1 Log in to your DNS provider (GoDaddy, Cloudflare, Namecheap, etc.).
- 2 Create a TXT record.
- 3 Host: _dmarc
- 4 Value: Paste the record above.
Verification
Test your configuration
No rua yet? Get a free reporting address and skip the setup
DMARC reports arrive as raw XML, one file per receiver, every day. We collect them at your reporting address, parse them, and show you who is sending as your domain and what is passing or failing. Free for one domain.
How DMARC lives in your DNS
An 8-minute walkthrough of the DNS record you just generated.
DMARC record examples you can copy and paste
Here is what a working DMARC record looks like. Each example is a complete record that is valid under RFC 9989, the current DMARC standard. Swap example.com for your domain and the mailto: address for one you control, then paste it as a TXT record at _dmarc.yourdomain.com. For what each tag does, see the reference below.
Safe monitoring start (the first record to publish)
Begin here. p=none takes no action on your mail, so nothing breaks while you collect reports and track down every legitimate sender.
Full enforcement
Publish this once your reports show every real sender passing. Receivers are asked to reject mail that fails authentication. Want exact domain matches instead of the relaxed default? Add adkim=s; aspf=s, but only after you have confirmed your subdomains and providers still align.
Parked or no-mail domain
For a domain that never sends email. Reject mail at the domain (p), at existing subdomains (sp), and at names that do not exist (np), so no one can send as you.
Different policy for subdomains
Keep tuning the main domain at p=none while asking receivers to reject mail from any subdomain. Useful when your subdomains should never send but the main domain still needs work.
Gmail or Microsoft 365 sender
The same record works whether you send through Google Workspace or Microsoft 365. DMARC lives in your DNS, not at the provider. Set up SPF and DKIM for the provider first, then start at p=none.
Each record is one line. Publish it at the host _dmarc, so the full name reads _dmarc.yourdomain.com, with type TXT. Keep one DMARC record per domain.
DMARC settings explained: every tag in your record
A DMARC record is a list of tags separated by semicolons. This table covers every tag the generator above can produce, with the full set of values each tag accepts under RFC 9989, the current DMARC standard. Tags you leave at their default are dropped from the record to keep it short.
| Tag | What it does | Allowed values | Default |
|---|---|---|---|
| v | Version. Comes first and is always DMARC1. | DMARC1 | Required |
| p | Policy for the domain. Tells receivers how to handle mail that fails DMARC. | none, quarantine, reject | none |
| sp | Policy for existing subdomains. Leave it off and subdomains follow the p policy. | none, quarantine, reject | follows p |
| np | Policy for non-existent subdomains, meaning names that do not resolve in DNS. RFC 9989 added this tag. | none, quarantine, reject | follows sp, then p |
| t | Test mode. t=y asks receivers to apply the next-lower policy while you test, so reject acts like quarantine and quarantine acts like none. | y, n | n |
| adkim | DKIM alignment. Relaxed lets a subdomain align with the parent domain; strict wants an exact match. | r, s | r |
| aspf | SPF alignment. Relaxed lets a subdomain align with the parent domain; strict wants an exact match. | r, s | r |
| rua | Where to send aggregate reports, the daily summaries of who is sending as your domain. One or more mailto: addresses. | mailto: URIs | none sent |
| ruf | Where to send failure reports, formerly called forensic reports, with per-message detail for mail that failed. Many receivers no longer send these for privacy reasons. | mailto: URIs | none sent |
| fo | Failure-report options. 0 reports only when every check fails, 1 when any check fails, d requests a report on any DKIM signature failure, s on any SPF failure (d and s follow RFC 6651/6652). Ignored unless ruf is set. | 0, 1, d, s | 0 |
Removed by RFC 9989: the pct, rf, and ri tags are no longer part of the standard. This generator does not emit them. For a staged rollout, use t=y in place of the old pct tag.
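The tag table above, turned into a check you can run on a record before publishing it. This is an added example, not the generator's own code: the function names `lint` and `effective` are hypothetical, the allowed values, defaults and removed tags are taken from the table on this page, and accepting a colon-separated `fo` list follows RFC 7489 and is an assumption here.

```python
# Added example: lint a DMARC TXT value against the tag table on this page.
POLICIES = {"none", "quarantine", "reject"}
ALLOWED = {"p": POLICIES, "sp": POLICIES, "np": POLICIES,
           "t": {"y", "n"}, "adkim": {"r", "s"}, "aspf": {"r", "s"}}
REMOVED = {"pct", "rf", "ri"}  # listed on this page as removed by RFC 9989
LOWER = {"reject": "quarantine", "quarantine": "none"}  # t=y step-down


def lint(record):
    """Split one TXT value into tags; return (tags, problems)."""
    tags, problems = {}, []
    parts = [p.strip() for p in record.split(";") if p.strip()]
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        problems.append("record must start with v=DMARC1")
    for part in parts:
        name, sep, value = part.partition("=")
        name, value = name.strip().lower(), value.strip()
        if not sep or not value:
            problems.append(f"malformed tag: {part}")
            continue
        if name in tags:
            problems.append(f"duplicate tag: {name}")
        elif name in REMOVED:
            problems.append(f"{name} is removed; use t=y to stage a rollout")
        elif name in ALLOWED and value.lower() not in ALLOWED[name]:
            problems.append(f"{name}={value} is not an allowed value")
        elif name in ("rua", "ruf") and not all(
                u.strip().lower().startswith("mailto:") for u in value.split(",")):
            problems.append(f"{name} must hold only mailto: URIs")
        elif name == "fo" and not set(value.lower().split(":")) <= set("01ds"):
            problems.append(f"fo={value} is not an allowed value")
        tags.setdefault(name, value)
    if "fo" in tags and "ruf" not in tags:
        problems.append("fo is ignored unless ruf is set")
    return tags, problems


def effective(tags):
    """Policy receivers are asked to apply, per kind of name, after t=y."""
    p = tags.get("p", "none").lower()
    sp = tags.get("sp", p).lower()      # sp follows p when absent
    np_ = tags.get("np", sp).lower()    # np follows sp, then p
    if tags.get("t", "n").lower() == "y":
        p, sp, np_ = (LOWER.get(x, x) for x in (p, sp, np_))
    return {"domain": p, "subdomain": sp, "nonexistent": np_}
```

`effective` is only meaningful when `lint` returns no problems, since it reads whatever values the record carried.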
What is DMARC?
DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an email security protocol that protects your domain from being used for phishing and email spoofing.
It builds upon two existing mechanisms, SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail). DMARC allows you to specify how email receivers should handle emails that fail authentication, and provides reporting capabilities so you can monitor who is sending email on your behalf.
Generating the record is one step. Our DMARC setup checklist walks you through the full rollout, from p=none to p=reject without breaking legitimate mail.
How DMARC works
DMARC works by connecting two authentication mechanisms (SPF and DKIM) with a policy layer and reporting system. Here's the process:
Email is sent
When someone sends an email claiming to be from your domain, the receiving server checks your DMARC record.
Authentication check
The receiver verifies if the email passes SPF (sender IP is authorized) and/or DKIM (cryptographic signature is valid).
Alignment verification
DMARC checks if the authenticated domains align with the 'From' address domain the recipient sees.
Policy application
Based on your DMARC policy (none, quarantine, or reject), the receiver handles emails that fail authentication.
Report generation
Receivers send aggregate reports showing authentication results, and failure reports (formerly called forensic reports) with details about individual messages that failed DMARC checks.
How to set up DMARC: from this record to safe enforcement
Setting up DMARC is not one switch. You publish a monitoring record, watch the reports, fix any senders that fail, then tighten the policy in steps. Here is the safe path from the record above to full enforcement.
Copy the record
Start with a p=none record from the generator above and add your rua= reporting address. p=none changes nothing about how your mail is delivered.
Publish it as a TXT record at _dmarc
In your DNS provider, create a TXT record with host _dmarc and the generated value. The full name becomes _dmarc.yourdomain.com. Keep one DMARC record.
Wait for propagation
DNS changes usually take effect within 5 to 30 minutes. After that, your record is live and receivers can read your policy.
Collect and read your reports
Aggregate (rua) reports start arriving within 24 to 48 hours. They show every source sending as your domain and whether SPF and DKIM pass. Authenticate any legitimate sender that is failing.
Tighten the policy in steps
Once your real senders pass, move from p=none to p=quarantine, then to p=reject. To rehearse a stricter policy before you enforce it, add t=y so receivers apply the next-lower policy while you confirm nothing breaks.
Want the full rollout checklist, with timing and the traps that catch people? Follow our DMARC setup checklist.
Why a generated record is only step zero
Generating the record is the easy part. The work starts after you publish it, because DMARC's value is in the reports, and those reports do not arrive in a form a person can read. Aggregate reports land as raw XML, one file per receiver, every day. A handful of senders turns into dozens of files a week, piling up in whatever inbox you put in your rua= tag.
We know this because DMARCTrust receives and parses exactly those files. Our mail server accepts the reports the big receivers send, then a streaming parser turns each XML file into a clear view of who is sending as your domain and what is passing or failing. Point your rua= at a free DMARCTrust reporting address and you get that view instead of an inbox full of XML. Free for one domain, no credit card.
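What reading one of those XML files involves, as an added example that is not DMARCTrust's parser: it totals messages per source IP by the DMARC verdict in `policy_evaluated`. Element names follow the RFC 7489 aggregate report schema, the sample report is constructed, and `MAX_BYTES`, `load`, `text` and `summarise` are hypothetical names. Because anyone can mail a file to a published rua address, the loader caps decompressed size and refuses any document that carries a DTD.

```python
# Added example: summarise one DMARC aggregate report. Element names follow
# the RFC 7489 report schema; SAMPLE is constructed, not a real report.
import gzip
import io
import xml.etree.ElementTree as ET

MAX_BYTES = 5_000_000  # assumed cap on decompressed size

SAMPLE = b"""<feedback>
 <record><row><source_ip>192.0.2.10</source_ip><count>42</count>
  <policy_evaluated><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
  <auth_results><spf><domain>bounce.example.net</domain><result>pass</result></spf></auth_results>
 </record>
 <record><row><source_ip>198.51.100.7</source_ip><count>3</count>
  <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
 </record>
</feedback>"""


def load(blob):
    """Decompress if gzipped, refuse oversized input and DTDs, then parse."""
    if blob[:2] == b"\x1f\x8b":
        with gzip.GzipFile(fileobj=io.BytesIO(blob)) as fh:
            blob = fh.read(MAX_BYTES + 1)   # bounded read against gzip bombs
    if len(blob) > MAX_BYTES or b"<!DOCTYPE" in blob or b"<!ENTITY" in blob:
        raise ValueError("oversized report or report containing a DTD")
    return ET.fromstring(blob)


def text(el, name):
    """Text of the first descendant with this local name (namespace ignored)."""
    for e in (el.iter() if el is not None else ()):
        if e.tag.rsplit("}", 1)[-1] == name:
            return (e.text or "").strip()
    return ""


def summarise(blob):
    """Return {source_ip: {"pass": n, "fail": n}} using the DMARC verdicts."""
    out = {}
    for rec in load(blob).iter():
        if rec.tag.rsplit("}", 1)[-1] != "record":
            continue
        pe = next((e for e in rec.iter() if e.tag.endswith("policy_evaluated")), None)
        verdict = "pass" if "pass" in (text(pe, "dkim"), text(pe, "spf")) else "fail"
        counts = out.setdefault(text(rec, "source_ip"), {"pass": 0, "fail": 0})
        counts[verdict] += int(text(rec, "count") or 0)
    return out
```

The verdict is read from `policy_evaluated`, not `auth_results`: the latter records raw SPF and DKIM outcomes that may pass for a domain that does not align with the From address.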
Why your domain needs DMARC
Email authentication is no longer optional. Here's why implementing DMARC is critical for your organization:
Stop email spoofing
Prevent attackers from sending phishing emails that appear to come from your domain. Without DMARC, anyone can forge your email address.
Protect your brand reputation
When criminals spoof your domain, recipients associate the fraud with your brand. DMARC stops this damage before it starts.
Improve email deliverability
Major email providers like Gmail and Microsoft prioritize authenticated emails. DMARC helps ensure your legitimate emails reach the inbox.
Meet compliance requirements
Many industries and government regulations now require DMARC. Google and Yahoo require it for bulk senders as of February 2024.
Gain visibility into your email
DMARC reports reveal who is sending email as you, helping you identify both legitimate services you forgot about and unauthorized senders.
Enable BIMI for brand logos
To display your logo next to emails in supporting clients like Gmail, you need DMARC enforcement. BIMI requires p=quarantine or p=reject.
Common DMARC mistakes to avoid
When implementing DMARC, avoid these common pitfalls that can impact your email deliverability or leave you unprotected:
Starting with p=reject
Jumping straight to a reject policy can block legitimate email from services you forgot to authenticate. Always start with p=none to monitor first.
Forgetting third-party senders
Marketing platforms, CRMs, and transactional email services all send on your behalf. Ensure each one is properly configured for SPF and DKIM before enforcing DMARC.
Not monitoring DMARC reports
Without reviewing reports, you won't know if legitimate email is failing. Use a DMARC monitoring service to analyze reports automatically.
Using an invalid email for reports
The rua email address must be valid and accessible. If you can't receive reports, you're flying blind.
Ignoring subdomains
By default, subdomains inherit your DMARC policy. If you have services on subdomains, consider using the sp= tag to set a specific subdomain policy.
Still using the pct tag
RFC 9989 removed the pct tag from the DMARC standard. New records should leave it out. For a staged rollout, use t=y so receivers apply the next-lower policy while you test, in place of the old percentage approach.
Frequently Asked Questions
Will DMARC break my email delivery?
No, provided you start safely. We recommend starting with policy p=none. This "monitoring mode" ensures no legitimate email is blocked while you gather data. Once you are confident all your legitimate senders (like Mailchimp, Salesforce, Google Workspace) are authenticating correctly, you can move to p=quarantine or p=reject.
What is the difference between the policies?
None (p=none): Monitors traffic. No action taken against failing emails. Start here.
Quarantine (p=quarantine): Emails failing checks are sent to the recipient's spam folder.
Reject (p=reject): Asks receivers to reject failing messages, while receivers still make the final disposition decision.
Do I need DMARC for Gmail or Outlook?
Yes. While Google and Microsoft protect their infrastructure, they can't stop someone from spoofing your custom domain unless you publish a DMARC record. In fact, starting Feb 2024, Google and Yahoo require DMARC for bulk senders.
How long does it take for DMARC to start working?
Once you add your DMARC TXT record to your DNS, it typically propagates within 5-30 minutes. You'll start receiving aggregate reports within 24-48 hours. However, reaching full enforcement (p=reject) should be a gradual process over weeks or months as you verify all legitimate senders.
What's the difference between SPF, DKIM, and DMARC?
SPF verifies that emails come from authorized IP addresses. DKIM adds a cryptographic signature to prove the email hasn't been tampered with. DMARC ties them together by checking that authenticated domains align with the visible 'From' address and defines what to do with failures.
Can I have multiple DMARC records?
No. You should only have one DMARC TXT record at _dmarc.yourdomain.com. Having multiple records will cause unpredictable behavior, as receivers may pick any one of them. If you need to send reports to multiple addresses, separate them with commas in a single rua= tag.
Should I still use the pct= tag?
No, not in new records. The DMARC standard was revised in May 2026 by RFC 9989 (core protocol), RFC 9990 (aggregate reports), and RFC 9991 (failure reports), and RFC 9989 removed the pct tag. To roll out a stricter policy gradually, use p=none first, then p=quarantine, and add t=y when you want receivers to apply the next-lower policy while you test. Records still start with v=DMARC1, so the change is backward-compatible.
Should I use relaxed or strict alignment?
Relaxed alignment (the default) allows subdomains to pass. For example, mail.example.com aligns with example.com. Strict alignment requires exact domain matches. Most organizations should start with relaxed alignment unless you have specific security requirements that mandate strict matching.
Is a DMARC generator, DMARC builder, DMARC creator, or DMARC record maker the same thing?
Yes. DMARC generator, DMARC record generator, DMARC builder, DMARC creator, DMARC maker, DMARC wizard, and DMARC policy generator all describe the same type of tool: a form-based way to produce a valid v=DMARC1 TXT record without writing the syntax by hand. The free tool above supports every variant and validates the output in real time.
How do I generate a free DMARC record step-by-step?
To generate a DMARC record with the tool above:
- Enter your domain in the field at the top.
- Choose the policy, starting with p=none to monitor safely before enforcing.
- Add a reporting address in the rua field. Use our free monitoring address to avoid an overflowing inbox.
- Optionally set adkim/aspf alignment and a subdomain policy with sp=.
- Copy the generated record and paste it as a TXT record at _dmarc.yourdomain.com in your DNS provider.
What's the difference between a DMARC generator, a DMARC policy generator, and a DMARC TXT record generator?
They are the same tool. A DMARC record is always published as a DNS TXT record, so DMARC TXT record generator is the literal technical name. DMARC policy generator emphasizes that the generated record declares a policy (p=none, quarantine, or reject). DMARC generator is the short name most people use. All three produce the same v=DMARC1 string.
Complete your email authentication
DMARC works with SPF and DKIM. Create your SPF record next, or display your brand logo with BIMI (requires DMARC enforcement).