FREEDMARC generator · no sign-up

DMARC Record Generator

Choose a policy, add a report address, and get a valid v=DMARC1 TXT record for _dmarc.yourdomain.com — with defaults that let you roll out safely from monitoring to full enforcement.

Domain

Policy

Aggregate report address (rua) — recommended

›Advanced options

Forensic report address (ruf)

Subdomain policy (sp)

Percentage applied (pct)

DKIM alignment (adkim)

SPF alignment (aspf)

Report when (fo)

Your DMARC record

TypeTXTHost / name_dmarc

Value

v=DMARC1; p=none

No aggregate (rua) address set. DMARC is only useful once you receive reports — add one so you can see who's sending as your domain before you enforce.

How to use it

Enter your domain and start with policy none — this changes nothing about delivery.
Add an aggregate (rua) address. This is where the daily reports of who sends as your domain are sent.
Publish the record as a TXT record at the host _dmarc.
Watch the reports for a few weeks, fix any legitimate senders that fail, then escalate to quarantine and finally reject.

The DMARC rollout, in order

p=none — monitoring. You receive reports but delivery is untouched. Stay here until your mail is clean.
p=quarantine — failing mail goes to spam. Optionally ramp with pct (e.g. 25, then 50).
p=reject— failing mail is blocked. The goal state, once you’re confident.

Alignment and why it matters

DMARC only passes when SPF or DKIM not only pass but align — the domain they authenticate matches the From: domain. relaxed alignment (the default) accepts subdomains; strict requires an exact match. Most senders should leave both on relaxed. So before DMARC can do anything useful, make sure your SPF and DKIM are in place and aligned.

rua vs ruf

ruaaggregate reports are daily XML summaries of pass/fail counts by source — this is what you’ll actually use to find unauthorized or misconfigured senders. ruf forensic reports contain individual failing messages, but most major mailbox providers no longer send them, so don’t rely on them.

Frequently asked questions

What is a DMARC record?

DMARC (Domain-based Message Authentication, Reporting and Conformance) is a DNS TXT record at _dmarc.yourdomain.com that tells receivers what to do with mail that fails SPF and DKIM alignment, and where to send reports about it.

Where do I publish the DMARC record?

Publish it as a TXT record on the host _dmarc (so the full name is _dmarc.yourdomain.com). The generator shows the exact host and value to paste into your DNS provider.

Which policy should I start with?

Start with p=none and an aggregate (rua) report address. That changes nothing about delivery but lets you see who is sending as your domain. Once your legitimate mail passes, move to p=quarantine and then p=reject.

What is the difference between rua and ruf?

rua receives aggregate reports — daily XML summaries of pass/fail counts, which is what you'll actually use. ruf receives per-message forensic reports, but most major receivers no longer send these for privacy reasons.

SPF Record Generator

DMARC needs SPF (or DKIM) to align. Build a valid SPF record first.

Email deliverability, handled

How SenderKit authenticates and delivers your transactional email for you.

Authentication set. Now ship the email.

SenderKit sends your transactional email, SMS, and push from one API — with SPF, DKIM, and DMARC handled for you. Free up to 3,000 messages a month.

Start for free How deliverability works

By creating an account, you agree to our Terms.