Free Tool
Create your DMARC policy in minutes
Build a valid DMARC TXT record to protect your domain from spoofing and improve email deliverability. Our DMARC builder generates valid DNS records with real-time validation.
No signup required. Real-time validation.
Start with "none" to gather data without risking email loss. Learn more
Receive daily summaries of who is sending email as you. Separate multiple emails with commas.
v=DMARC1; p=none;
_dmarc
Verification
Test your configurationDMARC (Domain-based Message Authentication, Reporting, and Conformance) is an email security protocol that protects your domain from being used for phishing and email spoofing.
It builds upon two existing mechanisms, SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail). DMARC allows you to specify how email receivers should handle emails that fail authentication, and provides reporting capabilities so you can monitor who is sending email on your behalf.
DMARC works by connecting two authentication mechanisms (SPF and DKIM) with a policy layer and reporting system. Here's the process:
When someone sends an email claiming to be from your domain, the receiving server checks your DMARC record.
The receiver verifies if the email passes SPF (sender IP is authorized) and/or DKIM (cryptographic signature is valid).
DMARC checks if the authenticated domains align with the 'From' address domain the recipient sees.
Based on your DMARC policy (none, quarantine, or reject), the receiver handles emails that fail authentication.
Receivers send aggregate reports showing authentication results, and forensic emails (failure reports) with details about individual messages that failed DMARC checks.
Email authentication is no longer optional. Here's why implementing DMARC is critical for your organization:
Prevent attackers from sending phishing emails that appear to come from your domain. Without DMARC, anyone can forge your email address.
When criminals spoof your domain, recipients associate the fraud with your brand. DMARC stops this damage before it starts.
Major email providers like Gmail and Microsoft prioritize authenticated emails. DMARC helps ensure your legitimate emails reach the inbox.
Many industries and government regulations now require DMARC. Google and Yahoo require it for bulk senders as of February 2024.
DMARC reports reveal who is sending email as you, helping you identify both legitimate services you forgot about and unauthorized senders.
To display your logo next to emails in supporting clients like Gmail, you need DMARC enforcement. BIMI requires p=quarantine or p=reject.
When implementing DMARC, avoid these common pitfalls that can impact your email deliverability or leave you unprotected:
Jumping straight to a reject policy can block legitimate email from services you forgot to authenticate. Always start with p=none to monitor first.
Marketing platforms, CRMs, and transactional email services all send on your behalf. Ensure each one is properly configured for SPF and DKIM before enforcing DMARC.
Without reviewing reports, you won't know if legitimate email is failing. Use a DMARC monitoring service to analyze reports automatically.
The rua email address must be valid and accessible. If you can't receive reports, you're flying blind.
By default, subdomains inherit your DMARC policy. If you have services on subdomains, consider using the sp= tag to set a specific subdomain policy.
No, provided you start safely. We recommend starting with policy p=none. This "monitoring mode" ensures no legitimate email is blocked while you gather data. Once you are confident all your legitimate senders (like Mailchimp, Salesforce, Google Workspace) are authenticating correctly, you can move to p=quarantine or p=reject.
None (p=none): Monitors traffic. No action taken against failing emails. Start here.
Quarantine (p=quarantine): Emails failing checks are sent to the recipient's spam folder.
Reject (p=reject): Emails failing checks are blocked completely. Maximum security.
Yes. While Google and Microsoft protect their infrastructure, they can't stop someone from spoofing your custom domain unless you publish a DMARC record. In fact, starting Feb 2024, Google and Yahoo require DMARC for bulk senders.
Once you add your DMARC TXT record to your DNS, it typically propagates within 5-30 minutes. You'll start receiving aggregate reports within 24-48 hours. However, reaching full enforcement (p=reject) should be a gradual process over weeks or months as you verify all legitimate senders.
SPF verifies that emails come from authorized IP addresses. DKIM adds a cryptographic signature to prove the email hasn't been tampered with. DMARC ties them together by checking that authenticated domains align with the visible 'From' address and defines what to do with failures.
No. You should only have one DMARC TXT record at _dmarc.yourdomain.com. Having multiple records will cause unpredictable behavior, as receivers may pick any one of them. If you need to send reports to multiple addresses, separate them with commas in a single rua= tag.
The pct= tag lets you apply your policy to only a percentage of emails. When moving from p=none to p=quarantine, start with pct=10 or pct=25, monitor reports for issues, then gradually increase to 100. Once stable, you can remove the pct tag entirely (it defaults to 100).
Relaxed alignment (the default) allows subdomains to pass. For example, mail.example.com aligns with example.com. Strict alignment requires exact domain matches. Most organizations should start with relaxed alignment unless you have specific security requirements that mandate strict matching.
DMARC works with SPF and DKIM. Create your SPF record next, or display your brand logo with BIMI (requires DMARC enforcement).
We use cookies to enhance your experience, analyze site traffic, and for marketing purposes. You can choose which cookies to allow. Learn more in our Cookie Policy.
Manage your cookie preferences below. Essential cookies are always active as they are required for the website to function.
Required for the website to function. Cannot be disabled.
Help us understand how visitors interact with our website.
Used to measure advertising effectiveness and show relevant ads.
Learn more about how we use cookies in our Cookie Policy.