DMARC Record Generator
Build a valid DMARC TXT record for your domain in seconds. Select your settings, copy the record, and paste it into your DNS provider.
DMARC settings
Domain: used only to show the DNS hostname. No lookup is performed.
Aggregate report address (rua): daily XML reports showing who sent email for your domain.
Forensic report address (ruf): individual failure reports. Many servers no longer send these.
Percentage (pct): start with 10 when first enforcing. Increase to 100 gradually.
Generated DMARC record
Add this TXT record to your DNS:
_dmarc.yourdomain.com
Record value:
v=DMARC1; p=none
Step-by-step: add DMARC to your DNS provider
1. Log into your domain registrar or DNS provider. Open Cloudflare, GoDaddy, Namecheap, or wherever you manage DNS for your domain.
2. Go to DNS management / DNS records. Find the section where you add or edit DNS records for your domain.
3. Add a new TXT record. Hostname / Name: _dmarc (some providers require the full _dmarc.yourdomain.com). Type: TXT. Value: v=DMARC1; p=none. TTL: 3600 (1 hour) or default.
4. Save and wait 1 to 4 hours for propagation. DNS changes are not instant. Allow at least one hour before checking that the record is live.
5. Verify your DMARC record. Use the SPF DKIM DMARC Checker to confirm the record appears correctly in DNS.
How to create a DMARC record step by step
To create a DMARC record, use the generator above: select your policy (start with p=none), enter a reporting email address, and copy the generated TXT record. Then log into your DNS provider and add a TXT record at the hostname _dmarc.yourdomain.com with the generated value.
The most common mistake is jumping straight to p=reject without first running p=none to identify all legitimate email sources. If any of your transactional email services, marketing tools, or third-party senders are not covered by your SPF record or signed with DKIM for your domain, a p=reject policy will block those emails permanently. Always monitor with p=none for at least two weeks before enforcing.
What DMARC policy should I start with?
Start with p=none. This monitoring mode collects DMARC reports without affecting email delivery. Set up a reporting email (rua=) and review the daily reports for 2 to 4 weeks to identify every service sending email for your domain. Only move to p=quarantine or p=reject once all legitimate senders pass SPF or DKIM.
The progression is:
1. p=none (monitor)
2. p=quarantine; pct=10 (soft enforce on 10%)
3. p=quarantine; pct=100 (full quarantine)
4. p=reject (full enforcement)
Each step should run for at least one to two weeks before moving forward. The generator above has a quick-select wizard that sets the right combination of policy and pct for each stage.
Where do I paste the DMARC record in my DNS?
Add the DMARC record as a TXT record at the hostname _dmarc.yourdomain.com in your DNS provider. The hostname is always _dmarc followed by your domain. The record value is the string starting with "v=DMARC1" generated above.
In Cloudflare, go to DNS > Add record > Type: TXT > Name: _dmarc > Content: paste the record. In GoDaddy, go to DNS Management > Add > TXT > Host: _dmarc > TXT Value: paste. In Namecheap, go to Advanced DNS > Add New Record > TXT Record > Host: _dmarc > Value: paste. After saving, changes take 1 to 4 hours to propagate. Verify using the SPF DKIM DMARC Checker.
Frequently asked questions about DMARC records
What is a DMARC record and why do I need one?
A DMARC record is a DNS TXT record that tells receiving mail servers what to do when an email claiming to come from your domain fails authentication, meaning neither SPF nor DKIM passes for a domain aligned with the From header. Without DMARC, your domain can be spoofed by phishing attackers. Google and Yahoo made DMARC mandatory for bulk senders in 2024.
What is the difference between DMARC p=none, p=quarantine, and p=reject?
p=none means monitor only: emails are delivered regardless of the authentication result. p=quarantine sends failing emails to spam. p=reject blocks failing emails entirely. Start with p=none to monitor, then move to quarantine, then reject once you are confident all legitimate emails pass.
Where do I add my DMARC record?
Add a DNS TXT record at the hostname _dmarc.yourdomain.com in your domain registrar or DNS provider (Cloudflare, GoDaddy, Namecheap, etc.). The record value is the DMARC string generated by this tool. Changes take 1 to 4 hours to propagate.
What should I put as the DMARC reporting email?
Use an email address at your domain that you monitor regularly, like dmarc-reports@yourdomain.com. DMARC aggregate reports (rua) arrive daily as XML files summarizing which servers sent email for your domain. Third-party services like Postmark or DMARCLY can parse these reports automatically.
What is DMARC alignment?
DMARC alignment checks whether the domain in the email From header matches the domain used for SPF or DKIM. Relaxed alignment (r) allows subdomains to pass. Strict alignment (s) requires an exact domain match. Relaxed is recommended for most senders.
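The relaxed and strict comparisons described above, as an added example that is not the generator's own code. The function names are hypothetical, and PUBLIC_SUFFIXES is a tiny constructed stand-in for the Public Suffix List that a production check would consult.

```python
# Added example. PUBLIC_SUFFIXES is constructed and incomplete; a real
# implementation derives the organizational domain from the Public Suffix List.
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk"}


def organizational_domain(domain: str) -> str:
    """Public suffix plus one label, e.g. mail.example.co.uk -> example.co.uk."""
    labels = domain.lower().rstrip(".").split(".")
    # Walk from the longest candidate suffix so "co.uk" is matched before "uk".
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])  # unknown suffix: fall back to the last two labels


def aligned(from_domain: str, auth_domain: str, mode: str = "r") -> bool:
    """mode 'r' (relaxed): same organizational domain; 's' (strict): exact match."""
    a = from_domain.lower().rstrip(".")
    b = auth_domain.lower().rstrip(".")
    if mode == "s":
        return a == b
    if mode == "r":
        return organizational_domain(a) == organizational_domain(b)
    raise ValueError("alignment mode must be 'r' or 's'")


def dmarc_pass(from_domain, spf_ok, spf_domain, dkim_ok, dkim_domain,
               aspf="r", adkim="r") -> bool:
    """DMARC passes when SPF or DKIM passes AND that check's domain is aligned.

    spf_domain is the envelope sender (MAIL FROM) domain; dkim_domain is the
    d= value of the signature.
    """
    spf_aligned = spf_ok and aligned(from_domain, spf_domain, aspf)
    dkim_aligned = dkim_ok and aligned(from_domain, dkim_domain, adkim)
    return spf_aligned or dkim_aligned
```

A third-party sender that passes SPF only for its own bounce domain still fails DMARC here unless it also signs with a DKIM d= value under your domain.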
How do I know my DMARC record is working?
After adding the record, use the SPF DKIM DMARC Checker to verify it appears correctly in DNS. Then wait 24 to 48 hours for the first aggregate reports to arrive at your rua email address. The reports confirm which emails are passing and failing DMARC.
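One way to read an aggregate report during the monitoring period, as an added example that is not part of this tool. SAMPLE_REPORT is constructed in the RFC 7489 aggregate-report layout with documentation IP addresses, and summarize is a hypothetical helper name.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample in the RFC 7489 aggregate-report layout; not real report data.
SAMPLE_REPORT = """<feedback>
  <policy_published><domain>yourdomain.com</domain><p>none</p><pct>100</pct></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>35</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>203.0.113.5</source_ip><count>8</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
  </record>
</feedback>"""


def summarize(report_xml: str) -> dict:
    """Total message counts per source IP, split by DMARC pass and fail."""
    # Reports arrive from third parties: refuse DTDs and entity declarations.
    if "<!DOCTYPE" in report_xml or "<!ENTITY" in report_xml:
        raise ValueError("DTD or entity declaration found; refusing to parse")
    root = ET.fromstring(report_xml)
    passing, failing = Counter(), Counter()
    for rec in root.iter("record"):
        evaluated = rec.find("row/policy_evaluated")
        ip = rec.findtext("row/source_ip")
        if evaluated is None or ip is None:
            continue  # skip malformed rows rather than guessing
        count = int(rec.findtext("row/count", default="0"))
        # policy_evaluated holds the aligned results; one "pass" is enough.
        ok = "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf"))
        (passing if ok else failing)[ip] += count
    return {"policy": root.findtext("policy_published/p"),
            "passing": dict(passing), "failing": dict(failing)}
```

Every IP in the failing set is either a legitimate sender that still needs SPF or DKIM set up, or someone spoofing the domain; resolve each one before leaving p=none.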
Can I have multiple DMARC records?
No. You can only have one DMARC record per domain. If you add a second DMARC record, both will fail and DMARC will not be enforced. If you need to change your DMARC policy, edit the existing record rather than adding a new one.
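A check for the one-record rule and for the tags this page uses, as an added example that is not the generator's own code. The function names are hypothetical, the input is the list of TXT strings you find at _dmarc.yourdomain.com, and accepting only mailto: report addresses is an assumption of this example.

```python
VALID_POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc(record: str) -> dict:
    """Parse one DMARC TXT string into a tag dict; raise ValueError if malformed."""
    tags = {}
    for part in record.split(";"):
        if not part.strip():
            continue  # tolerate a trailing semicolon
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"tag without '=': {part.strip()!r}")
        tags[name.strip().lower()] = value.strip()
    # v must be the first tag and must be exactly DMARC1.
    if next(iter(tags), None) != "v" or tags["v"] != "DMARC1":
        raise ValueError("record must begin with v=DMARC1")
    if tags.get("p") not in VALID_POLICIES:
        raise ValueError("p must be none, quarantine or reject")
    if "sp" in tags and tags["sp"] not in VALID_POLICIES:
        raise ValueError("sp must be none, quarantine or reject")
    pct = tags.get("pct", "100")  # pct defaults to 100 when absent
    if not pct.isdigit() or not 0 <= int(pct) <= 100:
        raise ValueError("pct must be an integer from 0 to 100 (RFC 7489)")
    for key in ("rua", "ruf"):
        for uri in filter(None, (u.strip() for u in tags.get(key, "").split(","))):
            # Assumption of this example: only mailto: report URIs are accepted.
            if not uri.lower().startswith("mailto:"):
                raise ValueError(f"{key} entries must be mailto: URIs, got {uri!r}")
    return tags


def effective_policy(txt_records: list) -> dict:
    """Apply the one-record rule to every TXT string published at _dmarc.<domain>."""
    dmarc = [r for r in txt_records if r.strip().startswith("v=DMARC1")]
    if len(dmarc) != 1:
        raise ValueError(f"expected exactly one DMARC record, found {len(dmarc)}")
    return parse_dmarc(dmarc[0])
```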
What is the ruf tag in a DMARC record?
The ruf tag sets the email address for forensic failure reports. Unlike aggregate reports (rua), forensic reports contain details about individual failed emails. Many receiving servers no longer send forensic reports for privacy reasons, so ruf is optional and less commonly used.
Should I set DMARC for subdomains separately?
Your main domain DMARC record covers subdomains by default. You can set a different policy for subdomains using the sp= tag. For example, p=quarantine; sp=reject applies quarantine to the main domain and reject to all subdomains.
What percentage should I set for DMARC pct tag?
The pct tag sets what percentage of failing emails the policy applies to (1 to 100). Start at pct=10 when first enforcing quarantine or reject, then gradually increase to 100 as you confirm no legitimate emails are failing. The generator above defaults to 100 for full enforcement.