DMARC Generator

Create a DMARC record online and stop email spoofing in 30 seconds

Want to stop email spoofing on your domain? Create a DMARC record in 30 seconds. Configure policy, alignment, and reports, then copy the record and publish. No syntax to memorize.

1. Your domain

The record will be published at _dmarc.yourdomain. We check whether one already exists.

Does this domain send email?
2. Where do you want to land?

Pick your goal. The tool will tell you where to start so you reach it without breaking your email.

Without reports, DMARC is blind: you cannot tell whether you can tighten. This is the fuel of the transition.

3. Advanced options (optional)
Subdomains, alignment, forensic reports, test mode

Without sp, subdomains inherit the main policy. Force sp=reject on subdomains that do not send.

np (DMARCbis) protects subdomains that do not exist. np=reject is a risk-free anti-spoofing quick win: no legitimate message ever leaves a non-existent subdomain.

Test mode (t)

Automatic DMARC monitoring

Automatically receive DMARC reports and monitor your domain's email authentication compliance in real time.

Configurable Policy

Choose none (monitor), quarantine (spam folder) or reject (block). Set a different policy for subdomains if needed.

SPF and DKIM Alignment

Configure relaxed or strict alignment for SPF and DKIM. Strict alignment strengthens protection once your flows are stabilized.

Aggregate Reports (RUA)

Receive daily reports on sending sources, pass/fail rates and failures. Essential to map your flows before tightening policy.

Forensic Reports (RUF)

Get details on each individual failure. Useful for diagnosing specific issues (few providers send these).

Gradual Rollout

Ramp up through DMARCbis stages: none to observe, quarantine in test mode (t=y), enforced quarantine (t=n), then reject. Minimize false positive risks.

Why generate a DMARC record?

DMARC (Domain-based Message Authentication, Reporting and Conformance) is the protocol that completes SPF and DKIM to protect your domain against email spoofing and phishing. Without a DMARC policy, anyone can send emails impersonating your domain.

Three reasons to have DMARC:

  • Brand protection → Prevent fraudsters from using your domain for phishing
  • Complete visibility → Receive reports on who sends emails from your domain
  • Better deliverability → Providers (Gmail, Microsoft) favor domains with DMARC

How to use the generator in 3 steps

Step 1: Enter your domain

Enter your organizational domain exactly as it appears in your email addresses (e.g., captaindns.com). The tool automatically generates the full DNS name: _dmarc.captaindns.com.

Step 2: Configure options

Main policy (p): What to do with failing emails?

  • none: Monitor without blocking (recommended to start)
  • quarantine: Send to spam
  • reject: Block completely

Alignment (adkim, aspf): How to verify domain matching?

  • relaxed (r): Subdomains accepted (recommended)
  • strict (s): Exact match required

Reports (rua, ruf): Where to receive statistics?

  • Add mailto:dmarc@yourdomain.com for aggregate reports

Step 3: Copy and publish

The generator produces the complete DNS record. Copy it to your DNS management interface:

  • Name: _dmarc.yourdomain.com
  • Type: TXT
  • Value: The generated record

The recommended approach is "see before you block": start in observation mode to map your sending flows, then tighten the policy without risking blocked legitimate mail. The tool detects any DMARC record already present on your domain and tells you whether to add it, replace it, or leave it as is (add, replace or no_change).


What exactly is DMARC?

DMARC is a DNS policy that tells mail servers:

  1. What to check: Does SPF or DKIM pass AND align with the visible domain?
  2. What to do on failure: Monitor (none), spam (quarantine), or block (reject)
  3. Where to report: Email addresses for receiving statistics

Example DMARC record:

_dmarc.captaindns.com. IN TXT "v=DMARC1; p=quarantine; rua=mailto:dmarc@captaindns.com; adkim=r; aspf=r"

Decoded:

  • v=DMARC1: Protocol version (required)
  • p=quarantine: Policy = send to spam
  • rua=mailto:...: Address for aggregate reports
  • adkim=r: DKIM alignment relaxed
  • aspf=r: SPF alignment relaxed

All DMARC tags explained

Required tags

| Tag | Values | Description |
|-----|--------|-------------|
| v | DMARC1 | Protocol version. Always DMARC1. |
| p | none / quarantine / reject | Policy for main domain. |

Common optional tags

| Tag | Values | Description |
|-----|--------|-------------|
| sp | none / quarantine / reject | Policy for existing subdomains. Inherits from p if absent. |
| np | none / quarantine / reject | Policy for non-existent subdomains (DMARCbis). No default, set it explicitly. |
| rua | mailto:address | Addresses for aggregate reports (daily). |
| ruf | mailto:address | Addresses for forensic reports (per failure). |
| adkim | r (relaxed) / s (strict) | DKIM alignment mode. Defaults to r. |
| aspf | r (relaxed) / s (strict) | SPF alignment mode. Defaults to r. |

Advanced tags

| Tag | Values | Description |
|-----|--------|-------------|
| fo | 0 / 1 / d / s | Forensic report generation options. Defaults to 0. |
| t | y / n | DMARCbis test mode. t=y tells receivers not to enforce the policy during observation. Defaults to n. |

Tags deprecated by DMARCbis

These tags are removed by DMARCbis and should no longer be configured in a new record:

| Tag | Status | Replacement |
|-----|--------|-------------|
| pct | Deprecated | Use the phased transition (none, quarantine with t=y, quarantine, reject). |
| ri | Deprecated | Report interval fixed at 24h, no longer tunable. |
| rf | Deprecated | Forensic report format, no practical use today. |

Practical use cases

Case 1: New domain with no history

Goal: Protect a domain that's starting to send emails.

Recommended configuration:

v=DMARC1; p=none; rua=mailto:dmarc@captaindns.com; adkim=r; aspf=r

Next steps:

  1. Monitor reports for 2-4 weeks
  2. Identify all legitimate sources
  3. Move to p=quarantine; t=y (test, not enforced), then drop t=y once reports are clean
  4. Finish with p=reject

Case 2: Domain with multiple services (CRM, newsletter, transactional)

Goal: Protect without breaking existing flows.

Initial configuration:

v=DMARC1; p=none; sp=none; rua=mailto:dmarc@captaindns.com; adkim=r; aspf=r

Diagnosis via RUA reports:

  • List all IPs/domains sending
  • Verify each source has SPF and DKIM configured
  • Identify unauthorized sources (potential spoofing)

Gradual rollout:

v=DMARC1; p=quarantine; t=y; rua=mailto:dmarc@captaindns.com

Once reports show no more legitimate failures, drop t=y to enforce quarantine, then move to p=reject.


Case 3: Domain that doesn't send emails

Goal: Prevent any fraudulent use of a "parked" domain.

Direct strict configuration:

v=DMARC1; p=reject; sp=reject; np=reject; adkim=s; aspf=s

No observation phase needed if the domain should never send legitimate emails. np=reject also blocks any non-existent subdomain.


Common mistakes to avoid

| Mistake | Problem | Solution |
|---------|---------|----------|
| Two DMARC records | Conflict, policy ignored | One record per domain only |
| Forgetting mailto: | Reports not sent | rua=mailto:address@domain.com |
| Jumping straight to reject | Blocking legitimate emails | Start with p=none, then quarantine |
| Ignoring reports | No visibility on issues | Analyze RUA weekly |
| Strict alignment too early | Failures if subdomains or third-party services | Keep r (relaxed) until complete inventory |
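
The syntax-level mistakes in this table, together with the deprecated tags listed earlier, can be checked mechanically before publishing. The linter below is an added example, not the generator's own code; it assumes the TXT strings at _dmarc.<domain> have already been fetched and unquoted, and the function names and finding texts are illustrative.

```python
# Added example: lint the TXT strings published at _dmarc.<domain>.
POLICIES = {"none", "quarantine", "reject"}
DEPRECATED = ("pct", "ri", "rf")  # tags the page lists as removed by DMARCbis

def parse_tags(record):
    """Split 'tag=value; tag=value' into a list of (tag, value) pairs."""
    pairs = []
    for part in record.split(";"):
        if part.strip():
            tag, _, value = part.partition("=")
            pairs.append((tag.strip().lower(), value.strip()))
    return pairs

def lint_dmarc(txt_records):
    """Return findings for the TXT answers of one _dmarc name ([] means clean)."""
    dmarc = [r for r in txt_records if parse_tags(r)[:1] == [("v", "DMARC1")]]
    if not dmarc:
        return ["no DMARC record (v=DMARC1 must be the first tag)"]
    if len(dmarc) > 1:
        return ["multiple DMARC records: conflict, policy ignored"]
    tags = dict(parse_tags(dmarc[0]))
    findings = []
    for tag in ("p", "sp", "np"):
        if (tag == "p" or tag in tags) and tags.get(tag) not in POLICIES:
            findings.append(f"{tag}: must be none, quarantine or reject")
    for tag in ("rua", "ruf"):
        for uri in filter(None, (u.strip() for u in tags.get(tag, "").split(","))):
            if not uri.lower().startswith("mailto:"):
                findings.append(f"{tag}: '{uri}' is missing the mailto: prefix")
    # Reports are the whole point of p=none and of test mode (t=y).
    observing = tags.get("p") == "none" or tags.get("t") == "y"
    if observing and "rua" not in tags:
        findings.append("rua: observation phase without aggregate reports")
    for tag in ("adkim", "aspf"):
        if tags.get(tag, "r") not in ("r", "s"):
            findings.append(f"{tag}: must be r or s")
    for tag in DEPRECATED:
        if tag in tags:
            findings.append(f"{tag}: deprecated by DMARCbis, remove it")
    return findings

# Constructed sample: one record showing two of the mistakes above.
SAMPLE = ["v=DMARC1; p=quarantine; pct=50; rua=dmarc@captaindns.com"]
if __name__ == "__main__":
    print(lint_dmarc(SAMPLE))
```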

Deployment best practices

Phase 1: Observation (2-4 weeks)

v=DMARC1; p=none; rua=mailto:dmarc@captaindns.com; adkim=r; aspf=r
  • Collect reports
  • Identify all legitimate sources
  • Fix SPF/DKIM for non-aligned sources

Phase 2: Quarantine in test mode

v=DMARC1; p=quarantine; t=y; rua=mailto:dmarc@captaindns.com
  • t=y asks receivers not to enforce the policy while still reporting
  • Confirm in RUA reports that no legitimate source still fails
  • Once reports are clean, drop t=y to actually enforce quarantine

Phase 3: Reject

v=DMARC1; p=reject; sp=reject; np=reject; rua=mailto:dmarc@captaindns.com; adkim=r; aspf=r
  • Maximum protection
  • Optionally move to strict alignment (adkim=s; aspf=s)

FAQ - Frequently asked questions

Q: What is a DMARC record?

A: DMARC (Domain-based Message Authentication, Reporting and Conformance) is a DNS TXT record that tells mail servers how to handle emails that fail SPF and DKIM checks. It protects your domain against spoofing and phishing.


Q: What DMARC policy should I start with?

A: Always start with p=none. This policy doesn't impact delivery but sends you reports. Analyze these reports for 2-4 weeks to identify all legitimate flows before moving to quarantine then reject.


Q: What's the difference between RUA and RUF?

A:

  • RUA (Reporting URI for Aggregate): Daily aggregate reports with global statistics
  • RUF (Reporting URI for Forensic): Detailed reports per individual failure

RUA is essential and supported by all. RUF is optional and rarely supported by providers.


Q: How does DMARC alignment work?

A: Alignment checks that the visible domain (From:) matches the domain authenticated by SPF or DKIM:

  • Relaxed (r): mail.captaindns.com aligns with captaindns.com
  • Strict (s): Exact match required
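
The alignment rule above decides the DMARC verdict, which is why a message can pass SPF and still fail DMARC. The evaluator below is an added example, not part of the tool; the domains esp.example and bounce.esp.example are constructed, and org_domain() is a deliberate simplification (last two labels) standing in for the Public Suffix List or the DMARCbis DNS tree walk.

```python
# Added example: DMARC verdict from SPF/DKIM results plus alignment.
def org_domain(domain):
    """Simplified organizational domain: the last two labels.
    Real receivers use the Public Suffix List or the DMARCbis tree walk."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """mode 's' requires an exact match, 'r' the same organizational domain."""
    a = from_domain.lower().rstrip(".")
    b = auth_domain.lower().rstrip(".")
    if mode == "s":
        return a == b
    return org_domain(a) == org_domain(b)

def dmarc_result(from_domain, spf, dkim, adkim="r", aspf="r"):
    """spf is (result, MAIL FROM domain); dkim is a list of (result, d= domain).
    DMARC passes when SPF or DKIM both passes and aligns with From:."""
    spf_ok = spf[0] == "pass" and aligned(from_domain, spf[1], aspf)
    dkim_ok = any(r == "pass" and aligned(from_domain, d, adkim) for r, d in dkim)
    return {
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        "dmarc": "pass" if spf_ok or dkim_ok else "fail",
    }

# Constructed flows: a newsletter sent through a third-party service.
SPF = ("pass", "bounce.esp.example")           # SPF passes for the provider's domain
UNSIGNED = [("pass", "esp.example")]           # provider signs with its own domain
SIGNED = [("pass", "mail.captaindns.com")]     # provider signs with a delegated subdomain

if __name__ == "__main__":
    print(dmarc_result("captaindns.com", SPF, UNSIGNED))
    print(dmarc_result("captaindns.com", SPF, SIGNED))
    print(dmarc_result("captaindns.com", SPF, SIGNED, adkim="s"))
```

The third call shows the "strict alignment too early" failure: the same correctly signed flow fails once adkim=s is set, because mail.captaindns.com is not an exact match for captaindns.com.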

Q: Can I have multiple DMARC records?

A: No. Only one DMARC record is allowed per domain. Multiple records cause errors. Edit the existing one rather than adding a new one.


Q: How long before DMARC is active?

A: The record is active once DNS propagates (minutes to 48h). First RUA reports arrive within 24-48h after emails are sent from your domain.


Q: How do I receive reports for an external domain?

A: If your RUA address is on another domain, that domain must authorize you with:

yourdomain._report._dmarc.report-domain.com TXT "v=DMARC1"
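
To find out which authorization records a given policy needs, the report destinations can be extracted from rua and ruf and compared with the policy domain. The helper below is an added example, not the generator's code; reports.example.net is a constructed destination, txt_lookup is a hypothetical callable standing in for a DNS resolver, and any host equal to or under the policy domain is assumed to belong to the same organization.

```python
# Added example: which <domain>._report._dmarc.<host> names must exist?
def report_hosts(record):
    """Yield the host part of every mailto: target in rua and ruf."""
    for part in record.split(";"):
        tag, _, value = part.strip().partition("=")
        if tag.strip().lower() not in ("rua", "ruf"):
            continue
        for uri in value.split(","):
            uri = uri.strip()
            if uri.lower().startswith("mailto:") and "@" in uri:
                host = uri.rsplit("@", 1)[1].split("!")[0]  # drop optional !size suffix
                yield host.lower().rstrip(".")

def external_authorizations(policy_domain, record):
    """Return the DNS names that must publish TXT "v=DMARC1"."""
    policy_domain = policy_domain.lower().rstrip(".")
    names = []
    for host in report_hosts(record):
        internal = host == policy_domain or host.endswith("." + policy_domain)
        name = f"{policy_domain}._report._dmarc.{host}"
        if not internal and name not in names:
            names.append(name)
    return names

def missing_authorizations(policy_domain, record, txt_lookup):
    """txt_lookup(name) -> list of TXT strings (hypothetical resolver hook)."""
    return [
        name for name in external_authorizations(policy_domain, record)
        if not any(t.strip().startswith("v=DMARC1") for t in txt_lookup(name))
    ]

# Constructed sample: one internal and one external report destination.
RECORD = ("v=DMARC1; p=none; "
          "rua=mailto:dmarc@captaindns.com,mailto:agg@reports.example.net!10m; "
          "ruf=mailto:f@reports.example.net")

if __name__ == "__main__":
    print(external_authorizations("captaindns.com", RECORD))
```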

Prepare for DMARCbis

DMARCbis is the upcoming IETF Proposed Standard that replaces RFC 7489. It introduces new tags (np, t, psd), removes deprecated tags (pct, rf, ri), and replaces the Public Suffix List with a DNS tree walk algorithm. Check your domain's readiness with the DMARCbis Checker or generate a compliant record with the DMARCbis Migration Tool.


Complementary tools

| Tool | Purpose |
|------|---------|
| DMARC Record Check | Verify your existing DMARC record |
| DMARC Validator | Validate a DMARC record syntax before DNS publication |
| DMARC Report Analyzer | Analyze DMARC aggregate reports received by email |
| DMARC Monitoring | Automated, ongoing DMARC monitoring for your domains |
| DMARCbis Checker | Check your domain's readiness for DMARCbis |
| DMARCbis Migration | Generate a DMARCbis-compliant record |
| SPF Generator | Create a valid SPF record |
| DKIM Generator | Create your DKIM keys (RSA/Ed25519) |
| DKIM Record Check | Verify your DKIM signature |
| Mail Tester | Test your email deliverability |
| Phishing URL Checker | Check if a URL is used in phishing campaigns |

Useful resources