DMARC Record Generator

Suggested Record:

The below record is updated as you modify the fields.

Type: TXT
Host/Name: _dmarc.
Value: v=DMARC1;
* Note: For many DNS hosting providers, you'll type "_dmarc" as the host/name, and the provider appends your domain name automatically.

About DMARC Record Generator

Generating a DMARC record is not complex, but its syntax must conform to the DMARC standard. Our free DMARC record generator helps you create a DMARC record easily. You can then use our DMARC record checker to validate your DMARC record.

What is a DMARC record, and why is it important?

DMARC is short for Domain-based Message Authentication, Reporting, and Conformance. A DMARC record is the TXT record added to your domain's DNS records to publish your DMARC policy.

DMARC is a protocol that works with SPF and DKIM to authenticate emails. It protects your domain from abusive activity such as spoofing by hackers and other attackers, and gives you the ability to monitor and control how your domain is used. It helps ensure that phishing emails and malware cannot be sent from your email address. DMARC also supplements SMTP (Simple Mail Transfer Protocol), the protocol used to send email, because SMTP does not itself include any mechanism for defining email authentication policies.

How does a DMARC record work?

DMARC checks the incoming email against SPF and DKIM. If the email passes, it goes through. If it fails, the recipient server applies the DMARC policy. Later on, the recipient can send a report about such incidents to the domain owner.

Based on the DMARC record's content, the recipient mail server does one of the following:

  1. Allow the email to continue delivery.
  2. Quarantine the email.
  3. Reject the email.

Usually, the policy p=none is preferred. It's the least restrictive policy and ensures email delivery. With that policy, you still get reports if something is misconfigured or someone else is using your domain for spoofing purposes.

Using "p=quarantine" or "p=reject" may even cause your own emails to be sent to spam or rejected if your DMARC record is misconfigured.

Thus, start with the p=none policy. If you start to get suspicious sending reports, change that to p=quarantine policy.

How does a DMARC work with subdomains?

Usually, the DMARC policy set for the organizational domain is applied to all its subdomains unless the domain owner publishes a DMARC record for a specific subdomain. The domain owner may also publish a separate DMARC policy for all subdomains with the "sp" tag. Its syntax is the same as the "p" tag. For example, sp=none means that whatever policy is adopted for the main domain, the subdomains follow the policy of "none."

For example, if the DMARC policy of example.com is p=reject but the DMARC policy of email.example.com is sp=none, then hackers and attackers can impersonate the brand and cause problems.

How to create a free DMARC record?

Our DMARC record generator makes the process relatively easy. It helps you create your own error-free DMARC DNS record for your domain.

To create a DMARC record for your domain or subdomain, follow the instructions below.

  • Open the DMARC Record Generator.
  • Enter the domain name in the space provided for that purpose.
  • Click on the "DMARC Generate" button.
  • A form will appear that you need to fill in.
  • Select the Policy/Reporting Mode. There are three options.
    • None: Treat the email the same as it would be treated without any DMARC validation.
    • Quarantine: Accept the email but place it somewhere other than the recipient's inbox.
    • Reject: Reject the email that fails DMARC validation.
  • Select the percentage of emails to which you want to apply the DMARC policy. The pct value is an integer from 1 to 100, with 100 being the default if no pct tag is included in the DMARC record. For example, a DMARC record with p=reject; pct=60 rejects 60% of the emails that fail DMARC authentication. The remaining 40% fall to the next lower policy in the sequence, which is quarantine. Note that the pct tag does not work on the "none" policy.
  • In the "Email" section, enter the email address where you want the DMARC reports to be sent and select the "Size" and "Unit."
  • In the "Forensic Email" section, enter the email address where you want the forensic reports to be sent and select the "Size" and "Unit."
  • If you want more options, such as creating a DMARC policy for subdomains, click on the "Show Advanced" text.

How to add a DMARC record?

To add the DMARC record, you have to edit the DNS records of your domain. DNS records are the set of instructions that tell servers where to find your domain's services, such as the site's content and email mailboxes. To edit your domain's DNS records:

  • Access your DNS as an administrator.
  • It's easy to add a DMARC record to your DNS. Go to the DNS records screen and click on "Add record" to add the DMARC record.
  • A DMARC record is a TXT record, so select TXT as the "Type."
  • In the "Name" field, type "_dmarc." with the period (dot) at the end. Some hosts do not require the dot, so use whichever form your host prefers.
  • In the larger field, generally the "Content" field, add the DMARC record. For example, suppose we have the following DMARC syntax: "v=DMARC1; p=reject; rua=mailto:[email protected]"
  • Select the TTL (Time to Live) value (the expiration date of your DNS record). Generally, it is best left at the "Auto" setting.
  • Save your DMARC record to add that rule to your DNS records.

FAQs

Who can use the DMARC records?

Anyone who owns a domain and uses that domain to send emails through a separate email server or provider needs to create a DMARC record on their domain for that provider. But if you are using an email provider that you do not control, like Gmail, you do not need to create a DMARC record.

Can we create a DMARC record without SPF and DKIM?

Yes, you can, but creating a DMARC record along with SPF and DKIM records is recommended if your email provider requires them. Not all require it. For that, you need to read the setup documentation of your email provider.

Why did my DMARC record checks fail?

That usually happens if your DMARC records are not fully propagated. Usually, it takes 48 to 72 hours for DNS record changes to take effect. After the propagation time, use a DMARC record validator to validate your DMARC record. If you are still facing the problem, use a domain DNS health check for a complete DNS diagnosis.

Do I need a DMARC record generator?

The simple answer is YES. Rather than manually creating the DMARC record, it's better to use a DMARC record generator for an error-free DMARC DNS record for your domain or subdomain.

What are the standard tags used in a DMARC record?

Some common tags include

  • v= is a required tag. It is used for the Protocol version, for example, v=DMARC1. The version should always be DMARC1. An incorrect or missing DMARC version will cause the DMARC record to be ignored, which makes the DMARC record ineffective.
  • p= is a required tag. It is used for assigning the policy, for example, p=quarantine.
  • pct= is an optional tag. It is used for assigning the % of messages subjected to filtering that fail the DMARC test, for example, pct=20.
  • rua= is an optional tag. It is used for the reporting URI of the aggregate report, for example, rua=mailto:[email protected].
  • sp= is an optional tag. It is used for defining the policy for the subdomains, for example, sp=r.
  • aspf= is an optional tag. It is used for the alignment mode for SPF, for example, aspf=r.
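
The tag rules above, together with the subdomain behaviour described under "How does a DMARC work with subdomains?", can be checked mechanically before a record is published. The following Python sketch is an added example, not the generator's own code; the function names and the sample address are assumptions made for illustration.

```python
# Added example: lint a DMARC TXT value. Function names are illustrative,
# and tag values are compared case-sensitively to keep the sketch short.
POLICIES = ("none", "quarantine", "reject")  # ordered weakest to strongest

def parse_dmarc(txt):
    """Split 'tag=value; tag=value' into a dict that keeps tag order."""
    tags = {}
    for part in txt.split(";"):
        if part.strip():
            name, _, value = part.partition("=")
            tags[name.strip().lower()] = value.strip()
    return tags

def effective_policy(tags, is_subdomain=False):
    """Policy a receiver applies: sp= overrides p= for subdomains only."""
    return tags["sp"] if is_subdomain and "sp" in tags else tags.get("p")

def lint_dmarc(txt):
    """Return (errors, warnings) for one DMARC record value."""
    tags, errors, warnings = parse_dmarc(txt), [], []
    if next(iter(tags), None) != "v" or tags["v"] != "DMARC1":
        errors.append("v=DMARC1 must be the first tag or the record is ignored")
    if tags.get("p") not in POLICIES:
        errors.append("p= is required: none, quarantine or reject")
    if "sp" in tags and tags["sp"] not in POLICIES:
        errors.append("sp= must be none, quarantine or reject")
    if "aspf" in tags and tags["aspf"] not in ("r", "s"):
        errors.append("aspf= must be r (relaxed) or s (strict)")
    pct = tags.get("pct", "100")  # 100 is the default when pct is absent
    if not pct.isdecimal() or int(pct) > 100:
        errors.append("pct= must be a whole number no greater than 100")
    elif int(pct) < 100:
        warnings.append("pct=%s applies the policy to only part of failing mail" % pct)
    for uri in filter(None, (u.strip() for u in tags.get("rua", "").split(","))):
        if not uri.lower().startswith("mailto:"):
            warnings.append("rua= entry is not a mailto: URI: " + uri)
    if errors:
        return errors, warnings
    if tags["p"] == "none":
        warnings.append("p=none only monitors; failing mail is still delivered")
    sub = effective_policy(tags, is_subdomain=True)
    if POLICIES.index(sub) < POLICIES.index(tags["p"]):
        warnings.append("sp=%s is weaker than p=%s for subdomains" % (sub, tags["p"]))
    if "rua" not in tags:
        warnings.append("no rua=: no aggregate reports will be sent to you")
    return errors, warnings

if __name__ == "__main__":  # constructed sample record, not a real domain's
    print(lint_dmarc("v=DMARC1; p=reject; sp=none; rua=mailto:reports@example.com"))
```

Errors mean receivers will ignore or misread the record; warnings mark settings that are valid but leave the domain or its subdomains less protected than the main policy suggests.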