DMARC Record Generator

Secure your email domain from spoofing, phishing, and hijacking. Build a custom DNS TXT DMARC record using our interactive wizard to manage authentication policies, reporting, and message alignment safely.

🔒 Basic Parameters

_dmarc.

The domain you want to secure. The DMARC DNS host name will become _dmarc.example.com.

Determines how receiving email servers handle messages that fail authentication tests.

Configure a separate policy for any subdomains of this domain.

✉️ Reporting Destinations

DMARC reports provide absolute visibility. Specify email destinations where mailbox providers can deliver reports. Comma-separate for multiple addresses.

Receives daily XML summaries of email authentication success and failures. High value.

Receives individual diagnostic emails immediately when a message fails verification.

⚙️ Advanced Parameters

Determines how strictly the SPF domain must match the sender From domain header.

Determines how strictly the DKIM domain must match the sender From domain header.

100%

Specifies the percentage of messages failing authentication subject to the DMARC policy.

Requested frequency of aggregate report generation in seconds. Presets are provided below.

📋 Compiled DMARC Record

TXT Format

🛠️ Registrar DNS Configuration Guidance

Add this new TXT record inside your domain hosting panel or registrar dashboard (e.g. Cloudflare, AWS Route 53, Namecheap, GoDaddy).

Record Type TXT
Host / Name _dmarc.example.com
TTL (Time to Live) 3600
TXT Value / Content
v=DMARC1; p=none; pct=100;

Deep Dive into DMARC Record Architecture

Domain-based Message Authentication, Reporting, and Conformance (DMARC) is a robust security protocol designed to mitigate domain spoofing, spoofed inbound emails, and brand phishing attacks. While older security policies like SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) independently authenticate sending servers and header integrity, they lack standard mechanisms to govern verification failures or notify domain owners. DMARC serves as the unified governance layer, coordinating both protocols and giving administrators total control over outbound message policies.

DMARC establishes authentication rules based on a concept known as domain alignment. It requires that the domain visible inside the user's "Header From" field matches (aligns with) the domain validated by either SPF (via the Return-Path or envelope domain) or DKIM (via the signature domain). If a message fails alignment checks, DMARC tells receiving mail systems exactly how to handle the message based on your published policy: Monitor Only (none), Junk Folder (quarantine), or outright blocking (reject).

Relaxed vs. Strict Alignment Modes

DMARC allows administrators to fine-tune how strictly domains must match using the aspf (SPF alignment) and adkim (DKIM alignment) tags. The chosen mode significantly impacts email delivery from subdomain networks:

  • Relaxed Alignment (aspf=r; adkim=r): The default mode. The DMARC check passes if the From header and the verified SPF/DKIM domains share the same root organizational domain. For instance, an email sent from marketing.example.com with an SPF record authenticated under example.com will align successfully.
  • Strict Alignment (aspf=s; adkim=s): Requires an absolute, character-for-character match between the From domain and the authenticated SPF/DKIM domains. For example, if the From domain is marketing.example.com, the SPF return-path must also resolve to marketing.example.com. This mode is excellent for high-security environments but demands perfect synchronicity across all email platforms.

Before vs. After: Implementing DMARC Records

The following configurations demonstrate how DMARC transitions your domain from an unmonitored security posture to a strict authenticated lock-down.

Before: Incomplete Setup (Vulnerable Domain) 
; Querying DMARC for unprotecteddomain.com
$ dig txt _dmarc.unprotecteddomain.com +short
; [No record returned - Domain vulnerable to outbound phishing]

Without a published policy, hackers can easily impersonate your exact root domain to send malicious phishing sequences, with zero feedback sent to your IT team.

After: Strict Enforcement (Secured Domain) 
; Secured DMARC TXT record under host _dmarc
_dmarc.yourdomain.com. IN TXT "v=DMARC1; p=reject; pct=100; rua=mailto:[email protected]; aspf=r; adkim=r;"

Receiving mail gateways will block 100% of emails that fail alignment checks, while delivering daily aggregate XML activity reports back to your administrator.

DMARC Deployment Use Cases and Policy Paths

Administrators must deploy different configurations as they migrate from initial monitoring to full enforcement:

Deployment Stage Tag Configuration Purpose Risk Assessment
1. Monitoring & Audit v=DMARC1; p=none; rua=mailto:[email protected]; Collects authentication reports without affecting email flows. Zero risk of legitimate email blockages.
2. Active Staging v=DMARC1; p=quarantine; pct=10; rua=mailto:[email protected]; Routes 10% of unauthorized emails to Spam folders for validation checking. Low risk; minor impact on unaligned corporate mailers.
3. Complete Lockdown v=DMARC1; p=reject; pct=100; rua=mailto:[email protected]; adkim=s; aspf=s; Blocks 100% of unauthorized traffic under strict alignment checking rules. High risk; requires perfect alignment across all third-party systems.

Troubleshooting Common DMARC Pitfalls & Validation Failures

Deploying DMARC requires coordination with your SPF and DKIM profiles. Avoid these common production mistakes:

Issue 1: Alignment Failure with Third-Party Senders (e.g. Mailchimp, HubSpot)

Symptoms: Legitimate newsletters or marketing campaigns fail DMARC checks, even though your SPF record includes the ESP.
Fix: This is a classic alignment issue. While the ESP's servers pass SPF, they use their own return-path domain (e.g., mcsv.net), which does not align with your visible From domain. To resolve this, configure a custom DKIM signature inside your ESP dashboard. Since DKIM uses your domain name, DMARC will align via DKIM, resulting in a successful pass.

Issue 2: Broken External Reporting Destinations

Symptoms: You configure DMARC to send reports to an external analysis service, but no XML files are delivered.
Fix: Check if the destination domain has authorized your reports. The reporting domain must publish a TXT record at `yourdomain.com._report._dmarc.externaldomain.com` with the value `v=DMARC1` to prove they accept report data from your system.

Issue 3: Publishing Multiple DMARC Records

Symptoms: Receiving servers ignore your DMARC configurations completely and fail to generate reports.
Fix: A domain can only publish one DMARC TXT record under the `_dmarc` hostname. Audit your DNS record sheets and delete redundant lines, consolidating all tags (p, pct, rua) into a single TXT entry.

Best Practices for Hardening DMARC Deployments

  • Always Start at p=none: Never skip the monitoring phase. Even if you believe your email configurations are perfect, legacy scripts or internal notifications may send unaligned emails.
  • Audit XML Reports Regularly: Utilize third-party aggregation tools to parse the daily XML aggregate reports. Look out for unknown IP addresses attempting to spoof your domain.
  • Configure DKIM as Your primary Anchor: Because forwarders (like mailing lists or email aliases) modify the envelope sender domain, SPF checks often fail during transit. DKIM signatures survive forwarders, keeping your DMARC alignment intact.
  • Match Your SPF/DKIM Alignment Policies: Relaxed alignment is recommended for most organizations. Strict alignment should only be enabled after verifying that all subdomains send perfectly matched mail streams.

Frequently Asked Questions

What is a DMARC record and how does it prevent domain spoofing attacks?

A DMARC (Domain-based Message Authentication, Reporting, and Conformance) record is a public DNS TXT record that establishes a binding policy for email validation across your domain. It works by unifying two older authentication protocols, SPF and DKIM, and requiring that the domain visible to recipients in the From header aligns with the domains verified by those underlying protocols. When an inbound mail exchanger parses a message, it references the DMARC record to determine the exact action to execute—monitoring, quarantining, or outright blocking—if the checks fail. This comprehensive enforcement layer effectively stops malicious actors from spoofing your brand name in phishing campaigns, protecting your digital integrity.

What is the difference between p=none, p=quarantine, and p=reject policies in DMARC?

The DMARC policy tag (p) dictates how receiving email systems must handle messages that fail alignment checks. A policy of None (p=none) serves purely for monitoring; it allows failing messages to reach the recipient normally while generating detailed daily XML reports, which is the perfect initial staging phase. The Quarantine (p=quarantine) policy increases restriction, instructing mail systems to route failing messages directly to the recipient's Spam or Junk folder to prevent direct exposure. Finally, the Reject (p=reject) policy provides the ultimate level of security, instructing gateway servers to drop unauthorized emails immediately, ensuring they are never delivered in any form.

What are the aggregate (rua) and forensic (ruf) reporting tags, and how do they benefit security?

The DMARC reporting tags are critical instruments for tracking domain authorization states and identifying active spoofing vectors. The rua tag defines the destination email address (prefixed by mailto:) where mailbox providers send daily XML aggregate reports detailing the volume of emails dispatched, their originating IP addresses, and their SPF/DKIM verification results. The ruf tag designates the mailbox for real-time forensic reports, which compile full, redacted copies of individual messages that fail authentication checks to help identify specific forging signatures. Deploying these tags provides domain administrators with total visibility into their email ecosystem, exposing both legacy corporate mailers and rogue sender nodes.

What is DMARC domain alignment and how do relaxed and strict modes differ?

DMARC alignment is the mandatory security relationship requiring that the domain displayed in the visible "From" address matches the domain validated by SPF or DKIM. Alignment checks can be independently configured as relaxed (r) or strict (s) for both SPF (aspf) and DKIM (adkim) verification phases. Under relaxed alignment mode, which is the default, the DMARC check passes if the From header and the verified SPF/DKIM domains share the same root organizational domain (e.g., mail.yourdomain.com aligns with yourdomain.com). Under strict alignment mode, the subdomains must match exactly, requiring a perfect domain-to-domain match, which blocks unauthorized subdomains but requires meticulous record management across all external mail systems.

How does the percentage (pct) tag function during a DMARC policy rollout?

The percentage tag (pct) allows domain administrators to gradually roll out DMARC enforcement policies (quarantine or reject) by applying the policy to a designated fraction of failing emails. For example, deploying p=quarantine; pct=10 instructs receiving servers to apply the quarantine filter to only 10% of unauthorized messages, while the remaining 90% default to a harmless "none" monitoring status. This phased deployment strategy enables IT teams to test their email configurations under a light security model, ensuring that legitimate third-party services are properly authenticated before increasing the threshold to pct=100 and locking down the domain.

What is the DMARC external destination reporting verification protocol, and why does it matter?

The DMARC external destination reporting protocol (governed by RFC 7489) prevents domain owners from flooding third-party networks with unsolicited daily XML reports. If you configure DMARC reports for your domain to go to an address on an external domain (e.g., rua=mailto:[email protected]), the destination domain must publish a specific validation TXT record to prove it accepts those reports. This validation record must be published at the host yourdomain.com._report._dmarc.externaldomain.com with the value v=DMARC1. Without this explicit verification record, receiving servers will refuse to send aggregate reports to the external address, rendering your tracking channels completely blind.

How does DMARC tie SPF and DKIM together into a single, cohesive defensive framework?

While SPF authorizes outbound servers by IP address and DKIM validates content integrity using mathematical signatures, both protocols operate independently and lack the ability to declare domain ownership policies. A malicious sender can easily pass SPF by hosting a mailing server under their own domain and then signing the message with a valid DKIM key, while still forging your brand's name in the visible "From" header. DMARC bridges this gap by requiring domain alignment, validating that either the SPF sending domain or the DKIM signing domain matches the domain in the "From" header. It then instructs the receiving server exactly how to govern failures based on the unified policy, closing the critical spoofing loopholes.

🌐 Network, DNS & JSON Utilities

🔗 URL Parser

Audit, parse, and edit URL query parameters and schemes dynamically.
💻 User Agent Parser

Decode browser user agent strings to identify layout engines and OS details.
🚀 cURL Generator

Generate clean HTTP request curl command payloads for local terminal execution.
📧 SPF Generator

Construct TXT SPF domain authorization records to validate outbound server IPs.
🛡️ DMARC Generator

Generate domain policies and reporting frameworks to block malicious spoofing.
🔍 JSONPath Evaluator

Filter, parse, and extract specific nodes from nested JSON data tree graphs.