What is the difference between DMARC none, quarantine, and reject?

The three DMARC policies control what happens to emails that fail authentication: p=none takes no action (monitoring only, collects reports), p=quarantine sends failing emails to the recipient's spam/junk folder, and p=reject instructs the receiving server to completely block failing emails. Start with none, then progress to quarantine and finally reject as you gain confidence in your email authentication setup.

Do I need SPF and DKIM before setting up DMARC?

Yes, you should configure both SPF and DKIM records before deploying DMARC. DMARC relies on at least one of these mechanisms passing with domain alignment. SPF authorizes which IP addresses can send email for your domain, while DKIM adds a cryptographic signature to verify email integrity. Without SPF and DKIM, DMARC has nothing to evaluate and all emails would fail authentication.

How long does it take for a DMARC record to take effect?

After adding the DMARC TXT record to your DNS, it typically takes 24-48 hours for full DNS propagation. However, many large email providers (Gmail, Microsoft 365, Yahoo) will start honoring the record within a few hours. You can verify your record is live using our DMARC Checker tool. Aggregate reports usually start arriving within 24-48 hours after the record is published.

DMARC Generator

Create valid DMARC TXT records for any domain with our free DMARC generator. Configure policies, alignment modes, reporting emails, and generate copy-ready DNS records with our interactive wizard.

Free DMARC ToolDMARC Record GeneratorVisual WizardOne-Click Copy

Quick Start Presets

Choose a preset to pre-fill the form, or configure manually below.

DMARC Record Configuration

Configure essential DMARC settings. Switch to Advanced for full control.

Generated DMARC Record

Add this TXT record to your DNS zone. Copy each field individually for easy pasting into your DNS provider.

Type

TXT

Host/Name

_dmarc.yourdomain.com

Value

v=DMARC1; p=none

* For many DNS providers, enter _dmarc as the host/name — the provider appends your domain automatically.

Policy

none

DKIM

Relaxed

SPF

Relaxed

Reports

None

Record Validation

Automated checks on your generated DMARC record.

Version Tag

v=DMARC1 is present and correct

Policy Tag

Policy set to p=none

Policy Strength

Monitor only — no protection against spoofing yet

Aggregate Reporting

No rua email — you will not receive DMARC reports

Record Length

16 characters — within safe limits

Subdomain Policy

Subdomains inherit domain policy (p=none)

Tag Count

2 tags in generated record

What Is a DMARC Generator?

A DMARC generator is a free online tool that creates valid DMARC (Domain-based Message Authentication, Reporting, and Conformance) TXT records for your domain. DMARC is an email authentication protocol that builds on SPF and DKIM to protect your domain against email spoofing and phishing attacks. Without a DMARC record, receiving mail servers have no policy telling them how to handle emails that fail SPF and DKIM authentication.

Our free DMARC record generator walks you through every configuration option with an interactive wizard. Choose your enforcement policy, set alignment modes, configure reporting addresses, and generate a DMARC record that is syntactically valid and ready to deploy in your DNS. No manual editing of DMARC syntax required.

DMARC generator wizard creating DMARC TXT records with policy, alignment, and reporting options — DNS Robot's free DMARC generator creates valid DMARC TXT records with an interactive configuration wizard.

How to Generate a DMARC Record (Step by Step)

Follow these steps to create a DMARC record for your domain. Our DMARC generator automates the syntax, so you only need to make configuration decisions.

How to create a DMARC record: choose policy, configure alignment, add reporting, and deploy to DNS — How to create a DMARC record in 5 steps: from policy selection to DNS deployment.

Set Up SPF and DKIM First

Before generating a DMARC record, ensure your domain has a valid SPF record authorizing your sending servers and DKIM signing configured for email integrity. DMARC relies on at least one of these passing with domain alignment.

Choose Your DMARC Policy

Select p=none to start monitoring without affecting delivery. Once you are confident all legitimate senders pass, upgrade to p=quarantine and eventually p=reject for full protection.

Configure Reporting Addresses

Add an email address for aggregate reports (rua tag). These daily XML reports show who is sending email from your domain and whether they pass authentication. Optionally add a forensic report address (ruf) for individual failure details.

Set Alignment and Advanced Options

Choose relaxed or strict alignment for SPF (aspf) and DKIM (adkim). Optionally set subdomain policy (sp), percentage (pct), report interval (ri), and failure reporting options (fo). Our generator shows defaults for each setting.

Copy and Deploy to DNS

Copy the generated DMARC record and add it as a TXT record at _dmarc.yourdomain.com in your DNS provider. Verify it is live using our DMARC Checker. Aggregate reports typically start within 24-48 hours.

DMARC Record Tags — Complete Reference

A DMARC record consists of multiple tags that control how receiving mail servers handle unauthenticated emails from your domain. Our DMARC record generator supports all standard tags. Here is what each one does:

vVersion (Required)

Always set to v=DMARC1. This must be the first tag in the record. It identifies the TXT record as a DMARC policy. Our generator adds this automatically.

pPolicy (Required)

The domain policy: none (monitor), quarantine (spam folder), or reject (block). Controls what happens to emails failing both SPF and DKIM alignment.

spSubdomain Policy

Overrides the main policy for subdomains. If not set, subdomains inherit the parent domain's policy (p tag). Use sp=reject to block spoofed emails from subdomains you don't use for email.

ruaAggregate Report URI

Email address to receive daily aggregate reports in XML format. Format: rua=mailto:[email protected]. Reports show pass/fail stats, sending IPs, and authentication results. Highly recommended.

rufForensic Report URI

Email address for per-message failure reports. Format: ruf=mailto:[email protected]. Contains details of individual failing emails. Note: many large providers (Gmail, Yahoo) do not send forensic reports.

adkimDKIM Alignment Mode

Controls DKIM domain matching: r (relaxed, default) allows subdomains to align, s (strict) requires exact match. Relaxed is recommended for most setups.

aspfSPF Alignment Mode

Controls SPF domain matching: r (relaxed, default) allows subdomain alignment, s (strict) requires exact match between envelope sender and From header domain.

pctPercentage

Percentage of emails the policy applies to (1-100). Default is 100. Use lower values like pct=10 for gradual rollout when transitioning from quarantine to reject, allowing you to test the impact before full enforcement.

riReport Interval

Requested interval between aggregate reports in seconds. Default is 86400 (24 hours). Most providers send reports daily regardless of this setting. Rarely needs to be changed from the default value.

foFailure Reporting Options

Controls when forensic reports are generated: 0 (default: both SPF and DKIM fail), 1 (either fails), d (DKIM fails), s (SPF fails). Use fo=1 for maximum visibility.

DMARC Policies Explained

p=none (Monitor)

Takes no action on failing emails. Collects reports only. Start here to understand your email traffic before enforcing. Ideal for initial deployment to identify all legitimate senders.

p=quarantine (Spam)

Sends failing emails to the spam/junk folder. The intermediate enforcement level. Recipients can still see the email if they check spam. Use with pct for gradual rollout.

p=reject (Block)

Completely blocks emails that fail authentication. The strongest enforcement level. Only enable after confirming all legitimate senders pass SPF and DKIM with proper alignment. The ultimate goal for domain protection.

DMARC Deployment Roadmap

Week 1: Deploy SPF + DKIM

Configure SPF to authorize all sending IPs. Set up DKIM signing for all outbound mail.

Week 2: Generate DMARC with p=none

Use our DMARC generator with p=none and rua reporting. Monitor aggregate reports for 2-4 weeks.

Week 4-6: Upgrade to p=quarantine

Fix any authentication failures found in reports. Switch to quarantine with pct=25, then gradually increase.

Week 8+: Full Enforcement with p=reject

Once reports show clean results, generate a new record with p=reject; pct=100. Verify with our DMARC Checker.

DMARC vs SPF vs DKIM — How They Work Together

DMARC, SPF, and DKIM are three email authentication protocols that work together to protect your domain. Understanding how they complement each other helps you generate a DMARC record with the right alignment settings.

SPF

What it checks: Whether the sending IP is authorized for the envelope sender domain.

Record location: TXT record at the root domain.

Limitation: Does not verify the From header domain that users see. Use our SPF Checker to validate.

DKIM

What it checks: Cryptographic signature verifying email integrity and signing domain.

Record location: TXT record at selector._domainkey.domain.

Limitation: Does not tell receivers what to do when verification fails. Use our DKIM Checker to validate.

DMARC

What it does: Defines policy for emails failing SPF/DKIM and requires domain alignment.

Record location: TXT record at _dmarc.domain.

Key benefit: Ties SPF and DKIM to the From header via alignment, closing the spoofing gap. Use our DMARC Checker to validate.

DMARC Record Examples

Here are common DMARC record configurations you can generate with our tool, from basic monitoring to full enforcement:

MonitoringBasic Monitor Mode

v=DMARC1; p=none; rua=mailto:[email protected]

Collects reports without affecting delivery. Best for initial deployment.

IntermediateQuarantine with Gradual Rollout

v=DMARC1; p=quarantine; pct=25; rua=mailto:[email protected]; aspf=r; adkim=r

Quarantines 25% of failing emails. Increase pct gradually as confidence grows.

Full EnforcementReject with Strict Alignment

v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:[email protected]; ruf=mailto:[email protected]; fo=1

Maximum protection with strict alignment and full reporting. The ultimate goal for enterprise domains.

DMARC deployment roadmap from monitoring with p=none through quarantine to full p=reject protection — DMARC deployment roadmap: from monitoring (p=none) through gradual enforcement (quarantine) to full protection (p=reject).

Why Your Domain Needs a DMARC Record

Without a DMARC record, anyone can send emails pretending to be from your domain. Phishing attackers exploit this to impersonate your brand, steal credentials, and distribute malware. A DMARC record tells receiving servers to check SPF and DKIM authentication and take action (quarantine or reject) when emails fail. Major email providers like Gmail, Microsoft 365, and Yahoo now require DMARC for bulk senders.

Our DMARC generator makes it easy to create a record that protects your domain and meets these requirements. Combined with the right SPF and DKIM setup, DMARC provides comprehensive email authentication. After deploying your record, verify it with our DMARC Checker and monitor your email infrastructure using the Email Header Analyzer.

Related Email Authentication Tools

DMARC Checker

Validate your existing DMARC record with 11 health checks and get a policy score.

SPF Checker

Check your SPF record with 13 validation checks and DNS lookup counting.

DKIM Checker

Verify DKIM records with auto-detection of 65+ selectors and key analysis.

SMTP Test

Test SMTP server connectivity, STARTTLS, and TLS encryption on ports 25/465/587.

Email Header Analyzer

Analyze email headers to trace delivery path and check SPF/DKIM/DMARC results.

MX Lookup

Check MX records and email provider detection for your domain.

Frequently Asked Questions About DMARC Generator

What is a DMARC generator?

A DMARC generator is an online tool that helps you create a valid DMARC TXT record for your domain. Instead of manually writing DMARC syntax, the generator provides an interactive wizard where you choose your policy, configure alignment, add reporting emails, and generate a correctly formatted record ready for DNS deployment.

How do I create a DMARC record?

Use our DMARC generator to select your policy (start with p=none), add your reporting email address (rua), configure alignment settings, and copy the generated record. Add it as a TXT record at _dmarc.yourdomain.com in your DNS. Verify with our DMARC Checker.

What DMARC policy should I start with?

Start with p=none (monitoring mode) to collect aggregate reports without affecting email delivery. Once you confirm all legitimate senders pass authentication, upgrade gradually to quarantine and then reject for full protection against domain spoofing.

Where do I add the DMARC record in DNS?

Add the generated DMARC record as a TXT record at the hostname _dmarc.yourdomain.com. For example, if your domain is example.com, create a TXT record named "_dmarc" with the generated value. Receiving servers query this location for your DMARC policy.

What is the difference between none, quarantine, and reject?

p=none takes no action (monitoring only), p=quarantine sends failing emails to spam, and p=reject completely blocks failing emails. Progress through these stages as you gain confidence in your email authentication.

Do I need SPF and DKIM before DMARC?

Yes, configure both SPF and DKIM before deploying DMARC. DMARC relies on at least one of these mechanisms passing with domain alignment. Without SPF and DKIM, DMARC has nothing to evaluate and all emails would fail.

What are DMARC aggregate reports (rua)?

Aggregate reports are daily XML reports from receiving mail servers showing statistics about emails from your domain: pass/fail counts, sending IP addresses, and authentication results. Essential for monitoring email health and identifying unauthorized senders.

What is DMARC alignment?

DMARC alignment checks whether the domain in the From header matches SPF and DKIM domains. Relaxed alignment (default) allows subdomains to match. Strict alignment requires exact match. Configure independently for SPF (aspf) and DKIM (adkim) in your generated record.

How long does DMARC take to work?

After adding the DMARC record to DNS, it takes 24-48 hours for full propagation. Large providers like Gmail and Microsoft often honor it within hours. Aggregate reports start arriving within 24-48 hours. Use our DNS Lookup to check propagation.

Is this DMARC generator free?

Yes, completely free with no registration required. Our DMARC generator supports all standard tags including policy, subdomain policy, alignment modes, aggregate and forensic reporting, percentage, report interval, and failure reporting options.

What Is a DMARC Generator?

DNS Robot's free DMARC generator creates valid DMARC TXT records with an interactive configuration wizard.

How to Generate a DMARC Record (Step by Step)

Follow these steps to create a DMARC record for your domain. Our DMARC generator automates the syntax, so you only need to make configuration decisions.

How to create a DMARC record in 5 steps: from policy selection to DNS deployment.

Set Up SPF and DKIM First

Choose Your DMARC Policy

Select p=none to start monitoring without affecting delivery. Once you are confident all legitimate senders pass, upgrade to p=quarantine and eventually p=reject for full protection.

Configure Reporting Addresses

Set Alignment and Advanced Options

Copy and Deploy to DNS

DMARC Record Tags — Complete Reference

vVersion (Required)

Always set to v=DMARC1. This must be the first tag in the record. It identifies the TXT record as a DMARC policy. Our generator adds this automatically.

pPolicy (Required)

The domain policy: none (monitor), quarantine (spam folder), or reject (block). Controls what happens to emails failing both SPF and DKIM alignment.

spSubdomain Policy

Overrides the main policy for subdomains. If not set, subdomains inherit the parent domain's policy (p tag). Use sp=reject to block spoofed emails from subdomains you don't use for email.

ruaAggregate Report URI

Email address to receive daily aggregate reports in XML format. Format: rua=mailto:[email protected]. Reports show pass/fail stats, sending IPs, and authentication results. Highly recommended.

rufForensic Report URI

adkimDKIM Alignment Mode

Controls DKIM domain matching: r (relaxed, default) allows subdomains to align, s (strict) requires exact match. Relaxed is recommended for most setups.

aspfSPF Alignment Mode

Controls SPF domain matching: r (relaxed, default) allows subdomain alignment, s (strict) requires exact match between envelope sender and From header domain.

pctPercentage

riReport Interval

Requested interval between aggregate reports in seconds. Default is 86400 (24 hours). Most providers send reports daily regardless of this setting. Rarely needs to be changed from the default value.

foFailure Reporting Options

Controls when forensic reports are generated: 0 (default: both SPF and DKIM fail), 1 (either fails), d (DKIM fails), s (SPF fails). Use fo=1 for maximum visibility.

DMARC vs SPF vs DKIM — How They Work Together

SPF

What it checks: Whether the sending IP is authorized for the envelope sender domain.

Record location: TXT record at the root domain.

Limitation: Does not verify the From header domain that users see. Use our SPF Checker to validate.

DKIM

What it checks: Cryptographic signature verifying email integrity and signing domain.

Record location: TXT record at selector._domainkey.domain.

Limitation: Does not tell receivers what to do when verification fails. Use our DKIM Checker to validate.

DMARC

What it does: Defines policy for emails failing SPF/DKIM and requires domain alignment.

Record location: TXT record at _dmarc.domain.

Key benefit: Ties SPF and DKIM to the From header via alignment, closing the spoofing gap. Use our DMARC Checker to validate.