DMARC Record Generator
Create a valid DMARC record in a few clicks to use it in your DNS.
DMARC Tag Explanations
DMARC Record Checker will display the following tags.
| Tag | Description |
|---|---|
| v (required) | The version tag. The only allowed value is "DMARC1". If it's incorrect or the tag is missing, the DMARC record will be ignored. |
| p (required) | The DMARC policy. Allowed values are "none", "quarantine", or "reject". The default is "none," which takes no action against non-authenticated emails. It only helps collect DMARC reports and gain insight into your current email flows and their authentication status. "quarantine" marks the failed emails as suspicious, while "reject" blocks them. |
| rua | Aggregate report sending destination. It's the "mailto:" URI that ESPs use to send aggregate reports. The tag is optional, but you won’t receive reports if you skip it. |
| ruf | Forensic (Failure) report sending destination. It's the "mailto:" URI that ESPs use to send failure reports. The tag is optional, but you won’t receive reports if you skip it. |
| sp | The subdomain policy. The subdomain inherits the domain policy tag (p=) explained above unless specifically defined here. Like the domain policy, the allowed values are "none," "quarantine," or "reject." This option isn't widely used nowadays. |
| adkim | The DKIM signature alignment. This tag follows the alignment between the DKIM domain and the parent Header From domain. Allowed values are "r" (relaxed) or "s" (strict). "r" is the default and allows a partial match, while the "s" tag requires the domains to be the same. |
| aspf | The SPF alignment. This tag follows the alignment between the SPF domain (the sender) and the Header From domain. Allowed values are "r" (relaxed) or "s" (strict). "r" is the default, and allows a partial match, while the "s" tag requires the domains to be exactly the same. |
| fo | Forensic reporting options. Allowed values are "0," "1," "d," and "s." "0" is the default value, which generates a forensic report when both SPF and DKIM fail to produce an aligned pass. If either of the protocol outcomes is something other than pass, use "1." "d" generates a report when DKIM is invalid, while "s" does the same for SPF. Define the ruf tag to receive forensic reports. |
| rf | The reporting format for failure reports. Allowed values are "afrf" and "iodef". |
| pct | The percentage tag. This tag works on domains with a "quarantine" or "reject" policy only. It marks the percentage of failed emails a given policy should be applied to. The rest falls under a lower policy. For example, if "pct=70," on a domain with a "quarantine" policy, it applies only 70% of the time. The remaining 30% goes under "p=none". Similarly, if "p=reject" and "pct=70," "reject" applies to 70% of failed emails, and 30% go into "quarantine." |
| ri | Reporting interval. Marks the frequency of received XML reports in seconds. The default is 86400 (once a day). Regardless of the set interval, in most cases, ISPs send the reports at different intervals (usually once a day). |
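A record can be checked against the tag rules in the table above before it is published. The following is an added example, not EasyDMARC's code; the function name `parse_dmarc` is hypothetical, and the `pct=100` and `rf=afrf` defaults come from RFC 7489 rather than from this page.

```python
POLICIES = {"none", "quarantine", "reject"}
ENUMS = {"p": POLICIES, "sp": POLICIES, "adkim": {"r", "s"},
         "aspf": {"r", "s"}, "rf": {"afrf", "iodef"}}
# adkim, aspf, fo and ri defaults are from the table; pct and rf defaults are from RFC 7489.
DEFAULTS = {"adkim": "r", "aspf": "r", "fo": "0", "rf": "afrf", "pct": "100", "ri": "86400"}


def parse_dmarc(txt):
    """Return (effective_tags, problems); effective_tags is {} when the record is ignored."""
    tags, problems = {}, []
    for part in filter(None, (p.strip() for p in txt.split(";"))):
        name, sep, value = part.partition("=")
        name, value = name.strip().lower(), value.strip()
        if not (name and sep and value) or name in tags:
            problems.append(f"malformed or duplicate tag: {part!r}")
            continue
        tags[name] = value
    if tags.get("v") != "DMARC1":
        return {}, ["v=DMARC1 missing or wrong: record is ignored"]
    if "p" not in tags:
        problems.append("required tag p is missing")
    for name, allowed in ENUMS.items():
        if name in tags and tags[name].lower() not in allowed:
            problems.append(f"{name}={tags[name]} is not one of {sorted(allowed)}")
    if not set(tags.get("fo", "0").lower().split(":")) <= {"0", "1", "d", "s"}:
        problems.append("fo must use only 0, 1, d, s")
    pct = tags.get("pct", "100")
    if not (pct.isdecimal() and int(pct) <= 100):
        problems.append("pct must be an integer from 0 to 100")
    if not tags.get("ri", "86400").isdecimal():
        problems.append("ri must be a number of seconds")
    for name in ("rua", "ruf"):
        for uri in tags.get(name, "").split(","):
            if uri.strip() and not uri.strip().lower().startswith("mailto:"):
                problems.append(f"{name} destination is not a mailto: URI: {uri.strip()}")
    if "rua" not in tags:
        problems.append("no rua: aggregate reports will not be received")
    if "pct" in tags and tags.get("p", "").lower() == "none":
        problems.append("pct has no effect with p=none")
    effective = {**DEFAULTS, **tags}
    effective.setdefault("sp", effective.get("p"))  # subdomains inherit p unless sp is set
    return effective, problems
```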
Generate Your Valid DMARC Record
Having a valid DMARC record in your DNS can be the difference between a protected email infrastructure and searching for means to pay a ransom to hackers.
While you can create a DMARC record manually (if you know the right syntax), generating one with a DMARC record wizard is much quicker, easier, and error-free.
Using EasyDMARC’s DMARC record generator is the quickest way to obtain a DMARC record that meets your specifications of the right policy, reporting domains, and other optional tags.
EasyDMARC’s DMARC record generator is helpful if your DMARC checker results show that you’re missing the record or it contains any errors. It’s also irreplaceable for record updates during a policy change or adding more report recipients.
Once you generate the DMARC record, you’re just a step away from starting to monitor your email environment. Placing the generated record in your DNS will let you start digging into the domain infrastructure and fixing all the issues one by one.
Frequently Asked Questions
What Is a DMARC Record Generator?
EasyDMARC’s DMARC Record Generator allows you to create a valid DMARC Record in a few clicks. The generated syntax will meet all your specifications and be ready to publish on your DNS.
How To Generate a DMARC Record?
If you’re using EasyDMARC’s DMARC Record Generator tool, the process should be a breeze:
- Input your domain and select the policy you’d like to apply
- Add the email addresses you wish to use for DMARC reporting (Aggregate and Failure)
- Click "Generate"
Please note that other fields in our tool are for fine-tuning optional or default tags. You can skip them and still have a perfectly usable DMARC record.
How To Implement a DMARC Record on Your Domain?
Once the record has been generated, copy it and head to the DNS zone of your domain. Add a new TXT or CNAME record and paste the provided record.
Note: With the majority of DNS providers (e.g., GoDaddy), the domain part will be added automatically in the Host/Name field, so adding only _dmarc is enough.
What’s the DMARC Record Format?
TXT is the accepted DMARC record format if you’re dealing with it manually. To use EasyDMARC’s managed solution, you should choose the CNAME format.
What is DMARC Domain Alignment?
Domain alignment is the core DMARC concept. Alignment happens when the domain name in the email's "From" header matches the sender email domain. As a result, DMARC passes, indicating that it was a legitimate email.
DMARC domain alignment helps protect against spoofing, impersonation attacks, business email compromise, and phishing.
How Does DMARC Work With Subdomains?
Subdomains inherit DMARC specifications from the parent domain unless otherwise specified.
For example, if the parent domain has a “reject” policy, the subdomain will take it. However, if you configure the subdomain separately, the system won’t override the manual DMARC setup.
Can I Add a DMARC Record Without SPF or DKIM?
You can add the record, but it won’t work appropriately.
DMARC is based on SPF and DKIM. For it to pass, an email must pass SPF authentication and SPF alignment and/or DKIM authentication and DKIM alignment. If both are missing, DMARC will fail.
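The pass rule above and the relaxed/strict alignment modes can be expressed as a small evaluator. This is an added example, not EasyDMARC's code: the function names are hypothetical, and `PUBLIC_SUFFIXES` is a constructed stand-in for the Public Suffix List that a real evaluator uses to find the organizational domain.

```python
# Constructed stand-in for the Public Suffix List (assumption for this example).
PUBLIC_SUFFIXES = {"com", "org", "co.uk"}


def org_domain(domain):
    """Organizational domain: the longest matching public suffix plus one more label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])  # assumption: unknown suffixes are a single label


def aligned(from_domain, auth_domain, mode="r"):
    """Mode 's' needs identical domains; 'r' needs the same organizational domain."""
    a, b = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    return a == b if mode == "s" else org_domain(a) == org_domain(b)


def dmarc_result(from_domain, spf, dkim, aspf="r", adkim="r"):
    """spf and dkim are (passed, authenticated_domain) pairs, or None when absent."""
    spf_ok = bool(spf and spf[0] and aligned(from_domain, spf[1], aspf))
    dkim_ok = bool(dkim and dkim[0] and aligned(from_domain, dkim[1], adkim))
    # DMARC passes when at least one mechanism both authenticates and aligns.
    return "pass" if spf_ok or dkim_ok else "fail"
```

A message whose SPF and DKIM checks both pass for an unrelated domain still fails here, because neither result aligns with the Header From domain.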