Free DMARC generator
Build a DMARC record, step by step
Choose how strict you want to be right now — you can always tighten it later as you confirm your setup is clean.
Policy
Uncheck this if you have subdomains that send mail differently and shouldn't be covered by this policy yet.
Without this, you have no visibility into who's sending as your domain. Strongly recommended even at p=none.
Your DMARC record
v=DMARC1; p=none; fo=1;To publish this:
Add a TXT record at _dmarc.yourdomain.com with the value above. DMARC only enforces alignment with SPF and DKIM, so make sure both of those are set up correctly before moving past p=none.
After publishing, verify it with the DMARC checker.
The policy journey, in short
DMARC is meant to be adopted gradually: publish at p=none to start collecting reports, review those reports to confirm every legitimate sender is passing SPF or DKIM, then move to quarantine and eventually rejectonce you're confident nothing legitimate will be caught.
Skipping straight to reject on a domain that's never been checked is the most common way DMARC adoption goes wrong — it can silently block real customer-facing mail (invoices, password resets) that was never properly authenticated. The gradual path exists specifically to avoid that.
Common questions
Should I start with p=none, quarantine, or reject?+
Start with none if this is your first DMARC record. It publishes the policy and starts collecting reports without risking any legitimate mail — you move to quarantine, then reject, only after reviewing those reports and confirming every real sender is properly authenticated.
What does the pct= value actually do?+
It tells receivers to apply your policy (quarantine or reject) to only that percentage of mail that fails the check, chosen at random. Ramping from a low percentage up to 100% over time limits how much legitimate mail could be affected if something in your setup turns out to be misconfigured.
Do I need the report email address?+
Technically no — DMARC works without it. Practically, yes: without a report address, you have no way to see who is sending mail as your domain, which defeats much of the point of setting DMARC up in the first place.
What's the difference between the main policy and the subdomain policy?+
The main policy (p=) covers your exact domain. Subdomains inherit that same policy automatically unless you set a separate one (sp=). This matters if, say, a marketing tool sends from a subdomain in a way your main domain doesn't, and you want to treat that differently.
I published this and now legitimate mail is failing. What happened?+
DMARC only enforces what SPF and DKIM already report — it doesn't create new failures on its own. If mail starts failing after publishing, it's very likely that sender was never properly authenticated in the first place and DMARC has just made that visible. Move back to p=none temporarily, check your SPF and DKIM setup for that sender, then try again.
More free checks