UtilityKit

DMARC Record Generator

Build a valid DMARC TXT record with policy, percentage, alignment modes, and aggregate or forensic reporting addresses — with live validation, fully in-browser.

About DMARC Record Generator

The DMARC Record Generator is a 100% in-browser form that composes a syntactically valid DMARC TXT record from your chosen policy strength, reporting addresses, and alignment modes. Enter your aggregate-report (rua) mailbox and, optionally, a forensic (ruf) one; pick whether the subdomain policy inherits or overrides the parent; set adkim and aspf to r (relaxed) or s (strict). The live preview then produces something like v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s, ready to paste at _dmarc.<your-domain> as a TXT record. The DMARC RFC is permissive about tag order after the leading v and p tags, and a tag left out falls back to its default, so the tool deliberately omits redundant tags (sp when it is the same as p, pct=100, ri=86400). It also validates email addresses inline. The generator never sends data anywhere: your domain and mailboxes stay in the browser.

Why use DMARC Record Generator

  • Live preview rebuilds the record on every keystroke — no syntax errors slip through.
  • Validates email addresses for rua and ruf before you publish.
  • Skips redundant tags (sp when same as p, pct when 100, ri when 86400) so the record stays short.
  • Fully in-browser — your domain and mailbox addresses never touch a server.
  • Pairs with our DMARC Record Checker to verify the published value reads back correctly.
  • Built-in copy-to-clipboard so you can paste straight into your DNS provider.

How to use DMARC Record Generator

  1. Pick a policy: none for monitor-only, quarantine to junk failing mail, reject to block at SMTP.
  2. Set the subdomain policy (sp) only if it should differ from the parent — leave on inherit otherwise.
  3. Choose a percentage if you want partial rollout — leave 100 once you trust the deployment.
  4. Enter your aggregate-report mailbox in rua — this is mandatory for visibility into failures.
  5. Optionally set ruf, adkim, aspf, and forensic options (fo) for stricter or more verbose reporting.
  6. Click Copy record and paste the result as a TXT record at _dmarc.<your-domain> in your DNS provider.

When to use DMARC Record Generator

  • When publishing DMARC for the first time on a new domain or sending subdomain.
  • While rolling out from p=none to p=quarantine to p=reject in stages.
  • After Google or Yahoo notices about bulk-sender requirements (Feb 2024 onward).
  • When you need a separate, stricter sp (subdomain policy) than your parent domain.
  • When you want to publish a forensic (ruf) report address for sample failing mail (mind the privacy tradeoff).
  • While tightening alignment from r (relaxed) to s (strict) once you trust your senders.

Examples

Recommended starter (monitor-only)

Input: p=none; rua=mailto:dmarc@example.com; pct=100

Output: v=DMARC1; p=none; rua=mailto:dmarc@example.com

Strict production policy

Input: p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s

Output: v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s

Subdomain lockdown with parent monitoring

Input: p=none; sp=reject; rua=mailto:dmarc@example.com

Output: v=DMARC1; p=none; sp=reject; rua=mailto:dmarc@example.com
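
The composition rules behind these three examples, written out as an added sketch (this is not UtilityKit's source code; the function names, option names and the mailbox pattern are assumptions made for illustration):

```javascript
// Added example, not UtilityKit's source: function and option names are assumptions.
const POLICIES = ["none", "quarantine", "reject"];
// Form-level mailbox check, not a full RFC 5322 parser. It rejects ",", ";"
// and "!" because those characters delimit URIs and tags inside a DMARC record.
const MAILBOX = /^[^\s@,;!]+@[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?)+$/;

// Accepts one address or an array; returns a comma-separated mailto: list.
function mailtoList(tag, addrs) {
  const list = [].concat(addrs || []);
  for (const a of list) {
    if (!MAILBOX.test(a)) throw new Error(`${tag}: invalid mailbox "${a}"`);
  }
  return list.map((a) => `mailto:${a}`).join(",");
}

function buildDmarcRecord(o) {
  if (!POLICIES.includes(o.p)) throw new Error("p must be none, quarantine or reject");
  const tags = ["v=DMARC1", `p=${o.p}`]; // v first, p second
  if (o.sp !== undefined && o.sp !== o.p) { // sp equal to p is redundant
    if (!POLICIES.includes(o.sp)) throw new Error("sp must be none, quarantine or reject");
    tags.push(`sp=${o.sp}`);
  }
  const pct = o.pct === undefined ? 100 : o.pct;
  if (!Number.isInteger(pct) || pct < 0 || pct > 100) throw new Error("pct must be an integer 0-100");
  if (pct !== 100) tags.push(`pct=${pct}`); // 100 is the default
  const rua = mailtoList("rua", o.rua);
  if (rua) tags.push(`rua=${rua}`);
  const ruf = mailtoList("ruf", o.ruf);
  if (ruf) tags.push(`ruf=${ruf}`);
  for (const k of ["adkim", "aspf"]) { // emitted only when the caller chose a mode
    if (o[k] === undefined) continue;
    if (o[k] !== "r" && o[k] !== "s") throw new Error(`${k} must be r or s`);
    tags.push(`${k}=${o[k]}`);
  }
  const ri = o.ri === undefined ? 86400 : o.ri;
  if (!Number.isInteger(ri) || ri <= 0) throw new Error("ri must be a positive integer");
  if (ri !== 86400) tags.push(`ri=${ri}`); // 86400 is the default
  return tags.join("; ");
}
```

Rejecting the mailbox at build time matters because an unescaped comma or semicolon in rua would be read by receivers as a URI or tag separator, silently truncating the reporting address.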

Tips

  • Always start with p=none in production — observe the rua reports for at least two weeks before tightening.
  • rua mailboxes get hammered with XML — many domains use a DMARC-as-a-service forwarder rather than a real mailbox.
  • Skip ruf unless you have a genuine forensic workflow; failure reports in the RFC 6591 format can expose message content.
  • Use sp= to lock down sending subdomains independently — your parent can stay at p=none while sp=reject.
  • Strict alignment (s) is more secure but breaks SRS forwarding — relaxed (r) is the safer default.

Frequently Asked Questions

Is the record sent to any third party when I generate it?
No. The generator runs entirely in your browser. The domain you publish to and the mailbox addresses you enter stay client-side.
How does this compare to mxtoolbox's DMARC generator?
Functionally similar — both produce a paste-ready record. Ours is free, signup-free, lives alongside the matching checker, and prunes redundant tags so the record is shorter.
What policy should I start with?
Always p=none. Watch the aggregate (rua) reports for at least two weeks. Once your legitimate mail is aligning, raise to p=quarantine, then p=reject.
Why is rua required when DMARC technically works without it?
Without rua you publish a policy and never see whether it's working. Receivers send aggregate XML to rua daily — that's how you discover broken senders before tightening enforcement.
Can this detect a misconfigured DMARC record after I publish?
Use the matching DMARC Record Checker tool — paste your domain and it parses the published TXT, color-codes the policy, and warns about missing rua or partial pct.
What does pct mean and when should I lower it?
pct is the percentage of failing mail subject to the policy. pct=10 with p=quarantine quarantines 10% of failing mail and treats the rest as p=none — useful for slow rollout.
What does the fo tag (forensic options) control?
When forensic reports are sent: 0 = both SPF and DKIM fail; 1 = either fails; d = DKIM fails; s = SPF fails. Most domains use 0 or skip fo entirely.
What's the difference between adkim=r and adkim=s?
Relaxed (r) considers a DKIM signature on a parent domain as aligned with a subdomain From:. Strict (s) requires an exact match. Strict is more secure but breaks legitimate forwarding.
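
The post-publish checks mentioned in the FAQ above (parse the TXT value, resolve the inherited subdomain policy, warn about a missing rua or a partial pct) can be sketched as follows. This is an added example, not the DMARC Record Checker's code; the function names and warning texts are assumptions, and the sample record is constructed.

```javascript
// Added example: lint a published DMARC TXT value. Names are hypothetical.
function parseDmarcTags(txt) {
  const pairs = txt.split(";").map((s) => s.trim()).filter(Boolean).map((s) => {
    const eq = s.indexOf("=");
    if (eq < 1) throw new Error(`malformed tag "${s}"`);
    return [s.slice(0, eq).trim(), s.slice(eq + 1).trim()];
  });
  // The version tag must come first and its value is case-sensitive.
  if (!pairs.length || pairs[0][0] !== "v" || pairs[0][1] !== "DMARC1") {
    throw new Error("record must start with v=DMARC1");
  }
  return new Map(pairs);
}

function lintDmarc(txt) {
  const tags = parseDmarcTags(txt);
  const p = tags.get("p");
  if (!["none", "quarantine", "reject"].includes(p)) {
    throw new Error("missing or invalid p tag");
  }
  const sp = tags.get("sp") || p; // subdomains inherit p when sp is absent
  let pct = 100;                  // default when the tag is omitted
  if (tags.has("pct")) {
    if (!/^\d{1,3}$/.test(tags.get("pct"))) throw new Error("pct must be 0-100");
    pct = Number(tags.get("pct"));
    if (pct > 100) throw new Error("pct must be 0-100");
  }
  const warnings = [];
  if (!tags.has("rua")) warnings.push("no rua: no aggregate reports will arrive");
  if (pct < 100) warnings.push(`pct=${pct}: policy covers only ${pct}% of failing mail`);
  if (p === "none") warnings.push("p=none: monitor-only, failing mail is still delivered");
  if (tags.has("ruf")) warnings.push("ruf set: failure reports can expose message content");
  return { policy: p, subdomainPolicy: sp, pct, warnings };
}

// Constructed sample record: partial rollout with no reporting address.
const SAMPLE_RECORD = "v=DMARC1; p=quarantine; pct=10";
console.log(lintDmarc(SAMPLE_RECORD));
```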

Glossary

DMARC
Domain-based Message Authentication, Reporting & Conformance — RFC 7489 — uses SPF and DKIM alignment to prevent visible-From spoofing.
Aggregate report (rua)
Daily XML report from receivers listing every IP, message count, and authentication result for your domain.
Forensic report (ruf)
Per-message redacted sample sent to ruf for failing mail, per RFC 6591. Privacy-sensitive — many domains skip it.
Alignment
The requirement that the visible From: domain match the SPF or DKIM identity. r (relaxed) lets subdomains match; s (strict) does not.
Subdomain policy (sp)
Optional separate policy for subdomains. Useful for locking down sending subdomains while parent stays in monitor mode.
_dmarc
The fixed DNS label at which DMARC records are published. Full path is _dmarc.<domain>, type TXT.