DMARC Record Generator
Create a DMARC record for your domain. Configure your policy, reporting addresses, and alignment settings.
About DMARC Records
A DMARC record is a DNS TXT entry that you publish at _dmarc.yourdomain.com. It instructs receiving mail servers on how to handle messages that fail SPF or DKIM authentication checks. Without a DMARC record, inbox providers have no explicit instructions for dealing with unauthenticated mail claiming to be from your domain, leaving you vulnerable to spoofing and phishing attacks.
DMARC supports three policy levels. p=none is the monitoring-only stage — it collects reports without affecting delivery. p=quarantine routes failing messages to the recipient's spam folder. p=reject blocks failing messages outright. Most organizations start at p=none, review aggregate reports to identify all legitimate senders, and gradually progress toward p=reject.
The rua tag specifies where aggregate reports are sent. These daily XML reports from inbox providers summarize authentication results across all messages received from your domain, giving you visibility into authorized and unauthorized senders. The optional ruf tag specifies an address for forensic reports, which contain details about individual failing messages.
Alignment settings (aspf and adkim) control how strictly the domain in the From header must match the domains authenticated by SPF and DKIM. Relaxed alignment allows subdomain matches, while strict alignment requires an exact match. The pct tag lets you apply the policy to a percentage of messages, useful for gradually rolling out a stricter policy without risking all of your mail at once.
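The tags described above, assembled and checked in code. This is an added example, not the generator's own implementation: build_dmarc and parse_dmarc are hypothetical helper names, and the report mailbox is the placeholder address used on this page.

```python
# Added example; the domain and mailbox below are constructed placeholders.
POLICIES = {"none", "quarantine", "reject"}
ALIGN = {"r", "s"}  # r = relaxed (the default), s = strict


def build_dmarc(policy, rua, ruf=None, aspf="r", adkim="r", pct=100):
    """Return the TXT value to publish at _dmarc.<domain>."""
    if policy not in POLICIES:
        raise ValueError(f"p must be one of {sorted(POLICIES)}")
    if aspf not in ALIGN or adkim not in ALIGN:
        raise ValueError("aspf/adkim must be 'r' or 's'")
    if not 0 <= pct <= 100:
        raise ValueError("pct must be 0-100")
    tags = [("v", "DMARC1"), ("p", policy),
            ("rua", ",".join(f"mailto:{a}" for a in rua))]
    if ruf:
        tags.append(("ruf", ",".join(f"mailto:{a}" for a in ruf)))
    # Omit tags left at their defaults to keep the record short.
    for name, value, default in (("aspf", aspf, "r"), ("adkim", adkim, "r"),
                                 ("pct", pct, 100)):
        if value != default:
            tags.append((name, str(value)))
    return "; ".join(f"{k}={v}" for k, v in tags)


def parse_dmarc(txt):
    """Parse a TXT value into a dict with defaults filled in; reject bad records."""
    pairs = [t.strip().split("=", 1) for t in txt.split(";") if t.strip()]
    if any(len(p) != 2 for p in pairs):
        raise ValueError("every tag must be name=value")
    pairs = [(k.strip(), v.strip()) for k, v in pairs]
    if not pairs or pairs[0] != ("v", "DMARC1"):
        raise ValueError("record must start with v=DMARC1")
    rec = {"aspf": "r", "adkim": "r", "pct": "100", **dict(pairs)}
    if rec.get("p") not in POLICIES:
        raise ValueError("missing or invalid p= policy")
    if rec["aspf"] not in ALIGN or rec["adkim"] not in ALIGN:
        raise ValueError("aspf/adkim must be 'r' or 's'")
    if not (rec["pct"].isdecimal() and 0 <= int(rec["pct"]) <= 100):
        raise ValueError("pct must be 0-100")
    return rec


# Staged rollout described above: monitor, partial quarantine, then reject.
REPORTS = ["dmarc-reports@yourdomain.com"]
STAGES = [build_dmarc("none", REPORTS),
          build_dmarc("quarantine", REPORTS, pct=25),
          build_dmarc("reject", REPORTS, adkim="s")]
```

Each string in STAGES is the value of one TXT record; running parse_dmarc on a record before publishing it catches a misplaced v= tag or a missing policy.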
Frequently Asked Questions
What is a DMARC record?
A DMARC record is a DNS TXT entry published at _dmarc.yourdomain.com that tells receiving mail servers how to handle emails that fail SPF or DKIM authentication checks. It specifies a policy (none, quarantine, or reject), alignment requirements, and reporting addresses where authentication results are sent.
Which DMARC policy should I start with?
Start with p=none. This monitoring-only policy lets you collect aggregate reports without affecting mail delivery. Once you have reviewed your reports and confirmed all legitimate senders pass authentication, move to p=quarantine and then to p=reject. Jumping straight to p=reject without monitoring risks blocking legitimate email.
What is the rua tag?
The rua tag specifies the email address where aggregate DMARC reports should be sent. Inbox providers send these XML reports daily, summarizing authentication results for all emails received from your domain. They show which IP addresses are sending mail on your behalf and whether those messages pass or fail SPF and DKIM. The format is rua=mailto:dmarc-reports@yourdomain.com.
Should I use strict or relaxed alignment?
Relaxed alignment is the default and works for most organizations. It allows subdomains to pass alignment checks against the parent domain (e.g., mail from news.example.com passes alignment for example.com). Strict alignment requires an exact domain match and is more secure but can break legitimate mail flows from subdomains. Start with relaxed and only switch to strict once you have confirmed all your sending sources align correctly.
Need Continuous DMARC Monitoring?
Generating a DMARC record is the first step. Inbox Insignia continuously monitors your DMARC, SPF, and DKIM records, parses your aggregate reports, and alerts you when something changes or breaks.