Skip to main content

New

Test your email deliverability

Send a test email and get a complete diagnosis of your SPF, DKIM and DMARC authentication in seconds.

  • Real send test
  • Instant diagnosis
  • No signup required
Run the test

DMARC Generator

Create a DMARC record online and stop email spoofing in 30 seconds

Want to stop email spoofing on your domain? Create a DMARC record in 30 seconds. Configure policy, alignment, reports - copy the record and publish. No syntax to memorize.

The organizational domain for which to generate the DMARC record.

Action to apply to messages that fail DMARC checks.

Strongly recommended. Email addresses to receive DMARC aggregate reports. Multiple addresses separated by commas.

Specific policy for subdomains. If not set, inherits the main policy.

Percentage of messages to apply the policy to (1-100). Default: 100.

Email addresses to receive detailed failure reports. Multiple addresses separated by commas.

Required alignment mode for DKIM.

Required alignment mode for SPF.

When to generate failure reports (RUF). Default: 0.

Report generation interval in seconds. Default: 86400 (24h).

Configurable Policy

Choose none (monitor), quarantine (spam folder) or reject (block). Set a different policy for subdomains if needed.

SPF and DKIM Alignment

Configure relaxed or strict alignment for SPF and DKIM. Strict alignment strengthens protection once your flows are stabilized.

Aggregate Reports (RUA)

Receive daily reports on sending sources, pass/fail rates and failures. Essential to map your flows before tightening policy.

Forensic Reports (RUF)

Get details on each individual failure. Useful for diagnosing specific issues (few providers send these).

Gradual Rollout

Use percentage (pct) to apply policy gradually: 10%, then 50%, then 100%. Minimize false positive risks.

Why Generate a DMARC Record?

DMARC (Domain-based Message Authentication, Reporting and Conformance) is the protocol that completes SPF and DKIM to protect your domain against email spoofing and phishing. Without a DMARC policy, anyone can send emails impersonating your domain.

Three reasons to have DMARC:

  • Brand protection → Prevent fraudsters from using your domain for phishing
  • Complete visibility → Receive reports on who sends emails from your domain
  • Better deliverability → Providers (Gmail, Microsoft) favor domains with DMARC

How to Use the Generator in 3 Steps

Step 1: Enter Your Domain

Enter your organizational domain exactly as it appears in your email addresses (e.g., captaindns.com). The tool automatically generates the full DNS name: _dmarc.captaindns.com.

Step 2: Configure Options

Main policy (p): What to do with failing emails?

  • none: Monitor without blocking (recommended to start)
  • quarantine: Send to spam
  • reject: Block completely

Alignment (adkim, aspf): How to verify domain matching?

  • relaxed (r): Subdomains accepted (recommended)
  • strict (s): Exact match required

Reports (rua, ruf): Where to receive statistics?

  • Add mailto:dmarc@yourdomain.com for aggregate reports

Step 3: Copy and Publish

The generator produces the complete DNS record. Copy it to your DNS management interface:

  • Name: _dmarc.yourdomain.com
  • Type: TXT
  • Value: The generated record

What Exactly is DMARC?

DMARC is a DNS policy that tells mail servers:

  1. What to check: Does SPF or DKIM pass AND align with the visible domain?
  2. What to do on failure: Monitor (none), spam (quarantine), or block (reject)
  3. Where to report: Email addresses for receiving statistics

Example DMARC record:

_dmarc.example.com. IN TXT "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com; adkim=r; aspf=r; pct=100"

Decoded:

  • v=DMARC1: Protocol version (required)
  • p=quarantine: Policy = send to spam
  • rua=mailto:...: Address for aggregate reports
  • adkim=r: DKIM alignment relaxed
  • aspf=r: SPF alignment relaxed
  • pct=100: Apply to 100% of emails

All DMARC Tags Explained

Required Tags

TagValuesDescription
vDMARC1Protocol version. Always DMARC1.
pnone / quarantine / rejectPolicy for main domain.

Common Optional Tags

TagValuesDescription
spnone / quarantine / rejectPolicy for subdomains. Inherits from p if absent.
ruamailto:addressAddresses for aggregate reports (daily).
rufmailto:addressAddresses for forensic reports (per failure).
adkimr (relaxed) / s (strict)DKIM alignment mode.
aspfr (relaxed) / s (strict)SPF alignment mode.
pct1-100Percentage of emails subject to policy.

Advanced Tags

TagValuesDescription
fo0 / 1 / d / sForensic report generation options.
risecondsAggregate report interval (default 86400 = 24h).

Practical Use Cases

Case 1: New Domain with No History

Goal: Protect a domain that's starting to send emails.

Recommended configuration:

v=DMARC1; p=none; rua=mailto:dmarc@example.com; adkim=r; aspf=r

Next steps:

  1. Monitor reports for 2-4 weeks
  2. Identify all legitimate sources
  3. Move to p=quarantine; pct=25
  4. Gradually increase to p=reject

Case 2: Domain with Multiple Services (CRM, Newsletter, Transactional)

Goal: Protect without breaking existing flows.

Initial configuration:

v=DMARC1; p=none; sp=none; rua=mailto:dmarc@example.com; adkim=r; aspf=r

Diagnosis via RUA reports:

  • List all IPs/domains sending
  • Verify each source has SPF and DKIM configured
  • Identify unauthorized sources (potential spoofing)

Gradual rollout:

v=DMARC1; p=quarantine; pct=10; rua=mailto:dmarc@example.com

Then 25%, 50%, 100%, and finally p=reject.

Case 3: Domain that Doesn't Send Emails

Goal: Prevent any fraudulent use of a "parked" domain.

Direct strict configuration:

v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s

No observation phase needed if the domain should never send legitimate emails.

Common Mistakes to Avoid

MistakeProblemSolution
Two DMARC recordsConflict, policy ignoredOne record per domain only
Forgetting mailto:Reports not sentrua=mailto:address@domain.com
Jumping straight to rejectBlocking legitimate emailsStart with p=none, then quarantine
Ignoring reportsNo visibility on issuesAnalyze RUA weekly
Strict alignment too earlyFailures if subdomains or third-party servicesKeep r (relaxed) until complete inventory

Deployment Best Practices

Phase 1: Observation (2-4 weeks)

v=DMARC1; p=none; rua=mailto:dmarc@example.com
  • Collect reports
  • Identify all legitimate sources
  • Fix SPF/DKIM for non-aligned sources

Phase 2: Gradual Quarantine

v=DMARC1; p=quarantine; pct=10; rua=mailto:dmarc@example.com
  • Increase from 10% → 25% → 50% → 100%
  • Monitor user complaints
  • Adjust if needed

Phase 3: Reject

v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=r; aspf=r
  • Maximum protection
  • Optionally move to strict alignment (adkim=s; aspf=s)

FAQ - Frequently asked questions

Q: What is a DMARC record?

A: DMARC (Domain-based Message Authentication, Reporting and Conformance) is a DNS TXT record that tells mail servers how to handle emails that fail SPF and DKIM checks. It protects your domain against spoofing and phishing.

Q: What DMARC policy should I start with?

A: Always start with p=none. This policy doesn't impact delivery but sends you reports. Analyze these reports for 2-4 weeks to identify all legitimate flows before moving to quarantine then reject.

Q: What's the difference between RUA and RUF?

A:

  • RUA (Reporting URI for Aggregate): Daily aggregate reports with global statistics
  • RUF (Reporting URI for Forensic): Detailed reports per individual failure

RUA is essential and supported by all. RUF is optional and rarely supported by providers.

Q: How does DMARC alignment work?

A: Alignment checks that the visible domain (From:) matches the domain authenticated by SPF or DKIM:

  • Relaxed (r): mail.example.com aligns with example.com
  • Strict (s): Exact match required

Q: Can I have multiple DMARC records?

A: No. Only one DMARC record is allowed per domain. Multiple records cause errors. Edit the existing one rather than adding new.

Q: How long before DMARC is active?

A: The record is active once DNS propagates (minutes to 48h). First RUA reports arrive within 24-48h after emails are sent from your domain.

Q: How do I receive reports for an external domain?

A: If your RUA address is on another domain, that domain must authorize you with:

yourdomain._report._dmarc.report-domain.com TXT "v=DMARC1"

Complementary tools

ToolPurpose
DMARC Record CheckVerify your existing DMARC record
SPF GeneratorCreate a valid SPF record
DKIM GeneratorCreate your DKIM keys (RSA/Ed25519)
DKIM Record CheckVerify your DKIM signature
Mail TesterTest your email deliverability

Useful resources