DMARC Record Generator
Configure your policy, alignment, reporting addresses, and rollout percentage. Copy the DNS TXT record straight into your domain provider.
What is DMARC and why your domain needs it in 2026
DMARC (Domain-based Message Authentication, Reporting, and Conformance) is the protocol that combines SPF and DKIM with alignment checking and a published policy. Without DMARC, even a perfectly configured SPF and DKIM setup leaves your domain spoofable in the visible From header, because SPF only validates the envelope and DKIM only validates a signature.
Since Google and Yahoo's February 2024 bulk-sender rules, DMARC is required for any domain sending more than 5,000 messages per day. Even at lower volumes, missing or weak DMARC tanks inbox placement and lets scammers send phishing email that looks like it came from you. The 2026 baseline is p=quarantine minimum, with the industry moving steadily toward p=reject.
How to roll DMARC out safely
Never start at p=reject. You will black-hole legitimate mail from senders you forgot about (the marketing team's HubSpot, the support team's Zendesk, the dev team's transactional Postmark). Roll out in three phases over 8 to 12 weeks.
Phase 1: p=none with rua reporting (monitor mode). Receive aggregate reports for 2 to 4 weeks. Identify every legitimate sender hitting your domain. Fix SPF and DKIM for any that fail alignment.
Phase 2: p=quarantine with pct=10, then 25, 50, 100 over 2 to 4 weeks. Quarantine routes failing mail to spam folders so users still get it. Monitor reports for false positives.
Phase 3: p=reject at pct=100. Mail failing alignment is blocked at the receiving server. This is the destination, and where the protection actually kicks in.
Understanding alignment (the part everyone gets wrong)
DMARC passes when at least one of SPF or DKIM both pass AND align with the From domain. Alignment means the domain in the From header matches the domain that passed SPF or DKIM, not just any pass anywhere.
Relaxed alignment (the default) requires only the organizational domain to match (mail.example.com matches example.com). Strict alignment requires an exact subdomain match. Most senders should use relaxed for both aspf and adkim; switch to strict only if you have audited every sending subdomain.
Reading rua aggregate reports
Once your record is live, receivers send daily XML aggregate reports to the rua address. Each report contains source IPs, sending volume, SPF and DKIM results, and DMARC disposition. Manually parsing these is painful; tools like Postmark DMARC Digest, dmarcian, EasyDMARC, or Valimail Monitor turn them into a dashboard.
Pay attention to high-volume sources you do not recognize. Those are either forgotten legitimate senders (fix SPF/DKIM) or spoofers riding your domain (move policy to quarantine/reject to shut them out).
Frequently asked questions
Is this DMARC generator free?
+
Yes, free with no signup or rate limit. Configure the policy in the form and copy the resulting TXT record straight into your DNS provider.
Where do I publish the DMARC record?
+
Publish the TXT record at _dmarc.yourdomain.com (the underscore is required). Set type to TXT and paste the generated string as the value. TTL of 3600 is standard.
Should I start with p=none, quarantine, or reject?
+
Always start with p=none for at least 2 to 4 weeks. This is monitor mode: you collect data on who is sending mail as you without affecting delivery. Only after fixing alignment for every legitimate sender should you move to quarantine, then reject.
What does pct=10 mean in DMARC?
+
pct=10 tells receivers to apply your policy (quarantine or reject) to only 10 percent of failing mail. It is the staged rollout knob. Bump it 10 to 25 to 50 to 100 over several weeks as you confirm no legitimate mail is being affected.
What's the difference between rua and ruf?
+
rua is aggregate reporting (daily XML rollups, used by everyone). ruf is forensic per-message reports (immediate, contains message details). Most receivers only send rua. ruf is rare but worth setting if you want individual failure samples.
Do I need DMARC if I have SPF and DKIM?
+
Yes. SPF protects the envelope return-path; DKIM signs a portion of the message. Neither prevents an attacker from putting your domain in the visible From header. DMARC adds the alignment check that ties SPF/DKIM passes to the From domain and publishes the policy receivers should enforce.
Can DMARC break my mailing list mail?
+
Yes if a list rewrites the From header (rare) but more commonly if it forwards without rewriting Sender (common). Use a sender-rewriting list service or set p=quarantine with pct=10 first to surface these failures via rua reports before moving to reject.
What is BIMI and how does it relate to DMARC?
+
BIMI (Brand Indicators for Message Identification) displays your verified logo in supporting inboxes (Gmail, Apple Mail, Yahoo). It requires DMARC at p=quarantine or p=reject with pct=100 and a Verified Mark Certificate (VMC). DMARC is the prerequisite; BIMI is the visible reward.
Stop guessing, start shipping.
Navigent runs deliverability, lead-data, and multichannel outreach in one workspace. Start free, no credit card.