Free Tool
Free DMARC record generator
Build your v=DMARC1 TXT record in 60 seconds — copy, paste into DNS, done.
Standards basis: Advice based on RFC 9989 for DMARC policy records, RFC 9990 for aggregate reports, and RFC 9991 for failure reports. Historical RFC 7489 behavior is called out where relevant.
Build a valid DMARC TXT record to protect your domain from spoofing and improve email deliverability. Our DMARC builder generates valid DNS records with real-time validation.
No signup required. Real-time validation.
Policy Configuration
Start with "none" to gather data without risking email loss.
Use np only when you want a separate policy for subdomain names that do not exist in DNS.
Reporting (Where to send data)
Receive daily summaries of who is sending email as you. Separate multiple emails with commas.
Advanced Alignment (Optional)
Generated Record
_dmarc TXT v=DMARC1; p=none;
How to Deploy
- 1 Log in to your DNS provider (GoDaddy, Cloudflare, Namecheap, etc).
- 2 Create a TXT record.
- 3 Host: _dmarc
- 4 Value: Paste the record above.
Verification
Test your configuration
How DMARC lives in your DNS
An 8-minute walkthrough of the DNS record you just generated.
What is DMARC?
DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an email security protocol that protects your domain from being used for phishing and email spoofing.
It builds upon two existing mechanisms, SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail). DMARC allows you to specify how email receivers should handle emails that fail authentication, and provides reporting capabilities so you can monitor who is sending email on your behalf.
How DMARC Works
DMARC works by connecting two authentication mechanisms (SPF and DKIM) with a policy layer and reporting system. Here's the process:
Email is Sent
When someone sends an email claiming to be from your domain, the receiving server checks your DMARC record.
Authentication Check
The receiver verifies if the email passes SPF (sender IP is authorized) and/or DKIM (cryptographic signature is valid).
Alignment Verification
DMARC checks if the authenticated domains align with the 'From' address domain the recipient sees.
Policy Application
Based on your DMARC policy (none, quarantine, or reject), the receiver handles emails that fail authentication.
Report Generation
Receivers send aggregate reports showing authentication results, and forensic emails (failure reports) with details about individual messages that failed DMARC checks.
Why Your Domain Needs DMARC
Email authentication is no longer optional. Here's why implementing DMARC is critical for your organization:
Stop Email Spoofing
Prevent attackers from sending phishing emails that appear to come from your domain. Without DMARC, anyone can forge your email address.
Protect Your Brand Reputation
When criminals spoof your domain, recipients associate the fraud with your brand. DMARC stops this damage before it starts.
Improve Email Deliverability
Major email providers like Gmail and Microsoft prioritize authenticated emails. DMARC helps ensure your legitimate emails reach the inbox.
Meet Compliance Requirements
Many industries and government regulations now require DMARC. Google and Yahoo require it for bulk senders as of February 2024.
Gain Visibility Into Your Email
DMARC reports reveal who is sending email as you, helping you identify both legitimate services you forgot about and unauthorized senders.
Enable BIMI for Brand Logos
To display your logo next to emails in supporting clients like Gmail, you need DMARC enforcement. BIMI requires p=quarantine or p=reject.
Common DMARC Mistakes to Avoid
When implementing DMARC, avoid these common pitfalls that can impact your email deliverability or leave you unprotected:
Starting with p=reject
Jumping straight to a reject policy can block legitimate email from services you forgot to authenticate. Always start with p=none to monitor first.
Forgetting Third-Party Senders
Marketing platforms, CRMs, and transactional email services all send on your behalf. Ensure each one is properly configured for SPF and DKIM before enforcing DMARC.
Not Monitoring DMARC Reports
Without reviewing reports, you won't know if legitimate email is failing. Use a DMARC monitoring service to analyze reports automatically.
Using Invalid Email for Reports
The rua email address must be valid and accessible. If you can't receive reports, you're flying blind.
Ignoring Subdomains
By default, subdomains inherit your DMARC policy. If you have services on subdomains, consider using the sp= tag to set a specific subdomain policy.
Frequently Asked Questions
Will DMARC break my email delivery?
No, provided you start safely. We recommend starting with policy p=none. This "monitoring mode" ensures no legitimate email is blocked while you gather data. Once you are confident all your legitimate senders (like Mailchimp, Salesforce, Google Workspace) are authenticating correctly, you can move to p=quarantine or p=reject.
What is the difference between the policies?
None (p=none): Monitors traffic. No action taken against failing emails. Start here.
Quarantine (p=quarantine): Emails failing checks are sent to the recipient's spam folder.
Reject (p=reject): Asks receivers to reject failing messages, while receivers still make the final disposition decision.
Do I need DMARC for Gmail or Outlook?
Yes. While Google and Microsoft protect their infrastructure, they can't stop someone from spoofing your custom domain unless you publish a DMARC record. In fact, starting Feb 2024, Google and Yahoo require DMARC for bulk senders.
How long does it take for DMARC to start working?
Once you add your DMARC TXT record to your DNS, it typically propagates within 5-30 minutes. You'll start receiving aggregate reports within 24-48 hours. However, reaching full enforcement (p=reject) should be a gradual process over weeks or months as you verify all legitimate senders.
What's the difference between SPF, DKIM, and DMARC?
SPF verifies that emails come from authorized IP addresses. DKIM adds a cryptographic signature to prove the email hasn't been tampered with. DMARC ties them together by checking that authenticated domains align with the visible 'From' address and defines what to do with failures.
Can I have multiple DMARC records?
No. You should only have one DMARC TXT record at _dmarc.yourdomain.com. Having multiple records will cause unpredictable behavior, as receivers may pick any one of them. If you need to send reports to multiple addresses, separate them with commas in a single rua= tag.
Should I still use the pct= tag?
Not for new records. RFC 9989 made pct historic. Use p=none for monitoring, then p=quarantine, and use t=y only when you need a temporary test mode for the next-lower policy.
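The checks from the mistakes list and the answers above (exactly one record, a valid p= value, no pct= in new records, a usable rua= address) can be run against the TXT strings you find at _dmarc.yourdomain.com. This linter is an added example, not the generator's own code; the function names are hypothetical and the records you pass in are assumed to have been fetched separately.

```python
# Added example: lint the TXT strings published at _dmarc.<domain>.
# The records passed in are constructed samples; no DNS lookup is made.
VALID_POLICIES = {"none", "quarantine", "reject"}

def parse_tags(record):
    """Split 'v=DMARC1; p=none; ...' into an ordered list of (tag, value)."""
    pairs = []
    for part in record.split(";"):
        if not part.strip():
            continue  # tolerate the trailing ';' the generator emits
        tag, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"tag without '=': {part.strip()!r}")
        pairs.append((tag.strip().lower(), value.strip()))
    return pairs

def lint_dmarc(txt_records):
    """Return findings as 'code: message' strings; an empty list means clean."""
    dmarc = [r.strip() for r in txt_records if r.strip().startswith("v=DMARC1")]
    if not dmarc:
        return ["no-record: no TXT string starts with v=DMARC1"]
    if len(dmarc) > 1:
        return [f"multiple-records: found {len(dmarc)}, publish exactly one"]
    try:
        pairs = parse_tags(dmarc[0])
    except ValueError as exc:
        return [f"syntax: {exc}"]
    tags = dict(pairs)
    findings = []
    if len(tags) != len(pairs):
        findings.append("duplicate-tag: a tag appears more than once")
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        findings.append(f"policy: p={policy!r} is not none, quarantine or reject")
    if "pct" in tags:
        findings.append("pct: historic tag, leave it out of new records")
    reports = [u.strip() for u in tags.get("rua", "").split(",") if u.strip()]
    if not reports:
        findings.append("rua: no aggregate report address, failures go unseen")
    for uri in reports:
        if not uri.lower().startswith("mailto:") or "@" not in uri:
            findings.append(f"rua: {uri!r} is not a mailto: address")
    if policy == "none":
        findings.append("monitor-only: p=none requests no action on failures")
    return findings

def codes(findings):
    """Just the finding codes, for quick comparison."""
    return [f.split(":", 1)[0] for f in findings]
```

The record the generator shows by default, v=DMARC1; p=none;, produces the rua and monitor-only findings, which is expected while you are still gathering data.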
Should I use relaxed or strict alignment?
Relaxed alignment (the default) allows subdomains to pass. For example, mail.example.com aligns with example.com. Strict alignment requires exact domain matches. Most organizations should start with relaxed alignment unless you have specific security requirements that mandate strict matching.
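The alignment and policy steps from "How DMARC Works", together with the relaxed/strict distinction above, as a small evaluator. This is an added example, not code from the tool: the function names are hypothetical, and PUBLIC_SUFFIXES is a tiny constructed stand-in for the data a real receiver uses to find the organizational domain.

```python
# Added example. PUBLIC_SUFFIXES is a constructed three-entry stand-in;
# real receivers determine this from the full Public Suffix List or from DNS.
PUBLIC_SUFFIXES = {"com", "org", "co.uk"}

def org_domain(name):
    """Organizational domain: the longest public suffix plus one more label."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])  # unknown suffix: assume a one-label TLD

def aligned(auth_domain, from_domain, mode="r"):
    """mode 'r' = relaxed (same organizational domain), 's' = strict (exact)."""
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

def dmarc_evaluate(from_domain, spf, dkim, policy="none", aspf="r", adkim="r"):
    """spf and dkim are (result, domain) pairs from those two checks.
    Returns ('pass', None) or ('fail', policy the domain owner requested)."""
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain, aspf)
    dkim_ok = dkim[0] == "pass" and aligned(dkim[1], from_domain, adkim)
    if spf_ok or dkim_ok:  # one aligned pass is enough
        return ("pass", None)
    return ("fail", policy)  # the receiver still makes the final decision

if __name__ == "__main__":
    # Constructed case: a third-party sender that authenticates only as itself.
    print(dmarc_evaluate("example.com",
                         spf=("pass", "bounce.esp-mail.com"),
                         dkim=("pass", "esp-mail.com"),
                         policy="reject"))
```

The constructed case in the main block fails DMARC even though SPF and DKIM both pass, because neither authenticated domain aligns with the From domain; this is the third-party sender problem described under "Common DMARC Mistakes to Avoid".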
Is a DMARC generator, DMARC builder, DMARC creator, or DMARC record maker the same thing?
Yes. DMARC generator, DMARC record generator, DMARC builder, DMARC creator, DMARC maker, DMARC wizard, and DMARC policy generator all describe the same type of tool: a form-based way to produce a valid v=DMARC1 TXT record without writing the syntax by hand. The free tool above supports every variant and validates the output in real time.
How do I generate a free DMARC record step-by-step?
To generate a DMARC record with the tool above:
- Enter your domain in the field at the top.
- Choose the policy: start with p=none to monitor safely before enforcing.
- Add a reporting address in the rua field. Use our free monitoring address to avoid an overflowing inbox.
- Optionally set adkim/aspf alignment and a subdomain policy with sp=.
- Copy the generated record and paste it as a TXT record at _dmarc.yourdomain.com in your DNS provider.
What's the difference between a DMARC generator, a DMARC policy generator, and a DMARC TXT record generator?
They are the same tool. A DMARC record is always published as a DNS TXT record, so DMARC TXT record generator is the literal technical name. DMARC policy generator emphasizes that the generated record declares a policy (p=none, quarantine, or reject). DMARC generator is the short name most people use. All three produce the same v=DMARC1 string.
Complete your email authentication
DMARC works with SPF and DKIM. Create your SPF record next, or display your brand logo with BIMI (requires DMARC enforcement).