Clicky

DMARC Record Generator Tool

Generate a DMARC record for your domain

A DMARC record instructs mailbox providers how to handle messages from your domain that fail SPF or DKIM authentication.

Start with a low percentage and increase gradually. This will allow you to slowly test stronger authentication policies without impacting legitimate emails. For example, you could start with 10%. That will instruct email providers to quarantine/reject a random 10% of emails and the remaining 90% of emails will not be impacted.
If using a DMARC monitoring service they will provide a unique email address where aggregate DMARC reports will be sent for processing.
Individual failure reports, or Forensic Reports, are copies of individual pieces of email that fail the DMARC check.

Setup DMARC Record

Follow our step-by-step instructions to setup your new DMARC record.

Now that you've successfully generated your DMARC record, complete the setup by creating a TXT record for your domain. The process will be similar for most domain registrars and hosting providers with some small differences.

  1. Log into your Account
  2. Navigate to the Domains page
  3. You should see a list of all your domains; click on the domain
  4. Click on DNS or Edit DNS
  5. Then click on Host Records or Edit Host Records
  6. Now you will have the option to create a new record
  7. For the record Type select TXT
  8. For the Host/Name field — copy and paste the DMARC Record Host or Name we generated for you
  9. For the Content/Value field — copy and paste the DMARC Record Content or Value we generated for you
  10. For the TTL field leave it as-is to use the default value
  11. Click Save to complete your updates (allow up to 48 hours for your DNS changes to take full effect globally)

Below is an example DMARC record to guide you.

DMARC Compliance Explained

DMARC compliance will prevent malicious actors from abusing your domain reputation which can in turn impact your deliverability.

Becoming DMARC compliant involves more than just adding a TXT record to your DNS records. It's a process that can take several weeks to months, depending on your sending volume, email marketing platform or email delivery provider who send email on your behalf.

This is what a typical DMARC compliance process looks like:

  1. Add a DMARC record to your domain host records with a policy of p=none
  2. Collect data from DMARC reports using a monitoring service for several weeks or months depending on your organization
  3. Perform an audit and adjust your SPF & DKIM records if neccessary to bring your domain into alignment
  4. Collect more data from DMARC reports for several weeks or months depending on your organization
  5. Perform an audit, adjust your SPF & DKIM records if neccessary and enforce a stricter DMARC policy of p=quarantine
  6. Continue collecting data from DMARC reports for several weeks or months depending on your organization
  7. Perform a final audit, adjust your SPF & DKIM records if neccessary and enforce the strictest DMARC policy of p=reject
  8. Continue collecting DMARC reports and monitoring your sending habits

The goal of becoming DMARC complaint is to eventually enforce a policy of p=reject. Setting a reject policy will ensure that all malicious email is stopped. The recipient of the intended malicious email will never become aware of the email in the first place, as it will never get sent to a spam or quarantine folder. Since it's completely blocked, emails are never delivered and end-users cannot be tricked into clicking on a malicious link or opening a dangerous attachment.

The downside is if legitimate emails are failing authentication and emails get rejected, the receiver will never know they are not receiving the intended email. For organizations not actively using a reporting system to monitor authentication, it could take months to discover that legitimate email is not being delivered, potentially hurting marketing programs or other opportunities to engage with prospects, customers and partners. This is why it's important to take DMARC compliance step-by-step, use a monitoring service and incrementally enforce a stricter DMARC policy.

Choose a DMARC monitoring service

Before creating your DMARC record start by choosing a monitoring service to process reports and monitor DMARC compliance.

Postmark Free or $10/month https://dmarc.postmarkapp.com/
Dmarcian Free up to 2 domains or $24/m https://dmarcian.com/pricing/
Dmarcly Basic plan $17.99/month https://dmarcly.com/pricing
Powerdmarc Free or $8/month https://powerdmarc.com/power-dmarc-pricing-policy/

DMARC Frequently Asked Questions

Questions frequently asked by our users regarding DMARC records and compliance

What is a DMARC Record Generator?

A DMARC Record Generator is a tool that enables you to easily create a valid DMARC record with just a few clicks. By using this tool, you can specify your requirements and preferences, allowing the generator to create a customized syntax that adheres to these specifications. Once generated, the DMARC Record is ready to be published on your domain DNS, providing enhanced protection and authentication for your email domain.

Can I add a DMARC Record without SPF or DKIM?

Yes, you can add a DMARC record without SPF or DKIM, but for the DMARC policy to be enforced effectively, emails must pass either SPF authentication and alignment or DKIM authentication and alignment. If both SPF and DKIM are missing, the DMARC policy will not be able to properly authenticate the email, leading to a failed DMARC result.

How does DMARC work with subdomains?

DMARC specifications for subdomains are typically inherited from the parent domain by default unless they are specifically configured separately. In the absence of specific configuration for a subdomain, it will adopt the DMARC policy set at the parent domain level. This means that if the parent domain has a certain DMARC policy in place, such as "reject", the subdomain will automatically adhere to this policy.

However, there is a provision for subdomains to have their own independent DMARC configurations. If a subdomain is configured separately from the parent domain, the system will respect the manual DMARC setup for that particular subdomain. In such cases, the DMARC policy implemented at the subdomain level will take precedence over any inherited policies from the parent domain.

What is DMARC Domain Alignment?

DMARC Domain Alignment is a fundamental principle of DMARC (Domain-based Message Authentication, Reporting, and Conformance) that focuses on ensuring consistency between the domain indicated in the email's 'From' header and the actual domain of the sender's email address. In simpler terms, alignment occurs when the domain in the 'From' header matches the domain used by the sender, thus establishing the authenticity and legitimacy of the email. This alignment is crucial for DMARC to validate the email as genuine and prevent various malicious activities such as spoofing, impersonation attacks, business email compromise, and phishing. By maintaining alignment, DMARC enhances email security by providing a layer of protection against these harmful practices.