Skip to main content
Log in
CaptainDNS

Email Diagnostics

Tools to verify and validate your email authentication setup.

SPF
DKIM
DMARC
DMARCbis
BIMI
MTA-STS
TLS-RPT
DANE / TLSA

Deliverability

Email deliverability auditMail header analyzerEmail testerIP Blacklist CheckerDomain Blacklist CheckerSPF FlattenerDKIM Selector FinderSMTP/MX Tester

Secure & Monitor

Record generators, policy hosting and continuous monitoring.

Network & Web

Network tools, web page analysis and certificates.

IP Tools

My IP address

Detect your IPv4/IPv6 addresses and their geolocation.

Reverse lookup

Resolve a PTR record and validate DNS consistency.

IP WhoIs

Identify the owner of an IP range and its contacts.

IPv4 netmask

Calculate network, broadcast and usable hosts for any IPv4 block.

IPv6 subnet calculator

Calculate IPv6 subnets, address ranges and reverse DNS entries.

Certificates & BIMI

BIMI logo lookup

Inspect a BIMI logo URL - format, metadata and live rendering - before rollout.

BIMI SVG converter

Convert any SVG to BIMI-compliant Tiny-PS format in seconds.

CSR parser

Inspect a CSR, extract subject details, fingerprints and requested SANs.

VMC inspector

Inspect a Verified Mark Certificate - issuer, validity and SAN coverage - before you publish BIMI.

Web

Page size checker

Check if your page exceeds Google's 2 MB crawl limit.

Phishing URL Checker

Check if a URL is flagged as phishing or malware by 4 threat intelligence sources.

Redirect Checker

Analyze HTTP redirect chains

Domain Redirect

Redirect your domains with automatic HTTPS and 301/302 redirects.

Developer Tools

Text utilities and tools for everyday dev work.

Text

Transform and measure your content in seconds.

Text case converter

Convert any block of text to upper or lower case instantly.

Slug generator

Transform any sentence into an SEO-friendly slug in seconds.

Word & character counter

Measure the length of any text, with instant word and character counts.

Password generator

Generate strong random passwords and memorable passphrases instantly.

Developer

Encoding, hashing, regex and formatting for everyday dev work.

Base64 encoder / decoder

Encode or decode any content in Base64 without leaving the browser.

Hash Generator

Compute MD5, SHA-1, SHA-256 and SHA-512 hashes of any text.

URL encoder / decoder

Encode or decode text using percent-encoding (RFC 3986) right in your browser.

Regex Tester

Test a regular expression against text and visualize matches.

JSON / YAML Formatter

Format, validate and convert JSON and YAML in one click.

DMARC Generator

Create a DMARC record online and stop email spoofing in 30 seconds

Want to stop email spoofing on your domain? Create a DMARC record in 30 seconds. Configure policy, alignment, reports - copy the record and publish. No syntax to memorize.

The organizational domain for which to generate the DMARC record.

Action to apply to messages that fail DMARC checks.

Strongly recommended. Email addresses to receive DMARC aggregate reports. Multiple addresses separated by commas.

Specific policy for subdomains. If not set, inherits the main policy.

Percentage of messages to apply the policy to (1-100). Default: 100.

Email addresses to receive detailed failure reports. Multiple addresses separated by commas.

Required alignment mode for DKIM.

Required alignment mode for SPF.

When to generate failure reports (RUF). Default: 0.

Report generation interval in seconds. Default: 86400 (24h).

Automatic DMARC monitoring

Automatically receive DMARC reports and monitor your domain's email authentication compliance in real time.

Set up DMARC monitoring

Configurable Policy

Choose none (monitor), quarantine (spam folder) or reject (block). Set a different policy for subdomains if needed.

SPF and DKIM Alignment

Configure relaxed or strict alignment for SPF and DKIM. Strict alignment strengthens protection once your flows are stabilized.

Aggregate Reports (RUA)

Receive daily reports on sending sources, pass/fail rates and failures. Essential to map your flows before tightening policy.

Forensic Reports (RUF)

Get details on each individual failure. Useful for diagnosing specific issues (few providers send these).

Gradual Rollout

Use percentage (pct) to apply policy gradually: 10%, then 50%, then 100%. Minimize false positive risks.

Why Generate a DMARC Record?

DMARC (Domain-based Message Authentication, Reporting and Conformance) is the protocol that completes SPF and DKIM to protect your domain against email spoofing and phishing. Without a DMARC policy, anyone can send emails impersonating your domain.

Three reasons to have DMARC:

  • Brand protection → Prevent fraudsters from using your domain for phishing
  • Complete visibility → Receive reports on who sends emails from your domain
  • Better deliverability → Providers (Gmail, Microsoft) favor domains with DMARC

How to Use the Generator in 3 Steps

Step 1: Enter your domain

Enter your organizational domain exactly as it appears in your email addresses (e.g., captaindns.com). The tool automatically generates the full DNS name: _dmarc.captaindns.com.

Step 2: Configure options

Main policy (p): What to do with failing emails?

  • none: Monitor without blocking (recommended to start)
  • quarantine: Send to spam
  • reject: Block completely

Alignment (adkim, aspf): How to verify domain matching?

  • relaxed (r): Subdomains accepted (recommended)
  • strict (s): Exact match required

Reports (rua, ruf): Where to receive statistics?

  • Add mailto:dmarc@yourdomain.com for aggregate reports

Step 3: Copy and publish

The generator produces the complete DNS record. Copy it to your DNS management interface:

  • Name: _dmarc.yourdomain.com
  • Type: TXT
  • Value: The generated record

What Exactly is DMARC?

DMARC is a DNS policy that tells mail servers:

  1. What to check: Does SPF or DKIM pass AND align with the visible domain?
  2. What to do on failure: Monitor (none), spam (quarantine), or block (reject)
  3. Where to report: Email addresses for receiving statistics

Example DMARC record:

_dmarc.captaindns.com. IN TXT "v=DMARC1; p=quarantine; rua=mailto:dmarc@captaindns.com; adkim=r; aspf=r; pct=100"

Decoded:

  • v=DMARC1: Protocol version (required)
  • p=quarantine: Policy = send to spam
  • rua=mailto:...: Address for aggregate reports
  • adkim=r: DKIM alignment relaxed
  • aspf=r: SPF alignment relaxed
  • pct=100: Apply to 100% of emails

All DMARC Tags Explained

Required tags

TagValuesDescription
vDMARC1Protocol version. Always DMARC1.
pnone / quarantine / rejectPolicy for main domain.

Common optional tags

TagValuesDescription
spnone / quarantine / rejectPolicy for subdomains. Inherits from p if absent.
ruamailto:addressAddresses for aggregate reports (daily).
rufmailto:addressAddresses for forensic reports (per failure).
adkimr (relaxed) / s (strict)DKIM alignment mode.
aspfr (relaxed) / s (strict)SPF alignment mode.
pct1-100Percentage of emails subject to policy.

Advanced tags

TagValuesDescription
fo0 / 1 / d / sForensic report generation options.
risecondsAggregate report interval (default 86400 = 24h).

Practical use cases

Case 1: New domain with no history

Goal: Protect a domain that's starting to send emails.

Recommended configuration:

v=DMARC1; p=none; rua=mailto:dmarc@captaindns.com; adkim=r; aspf=r

Next steps:

  1. Monitor reports for 2-4 weeks
  2. Identify all legitimate sources
  3. Move to p=quarantine; pct=25
  4. Gradually increase to p=reject

Case 2: Domain with multiple services (CRM, newsletter, transactional)

Goal: Protect without breaking existing flows.

Initial configuration:

v=DMARC1; p=none; sp=none; rua=mailto:dmarc@captaindns.com; adkim=r; aspf=r

Diagnosis via RUA reports:

  • List all IPs/domains sending
  • Verify each source has SPF and DKIM configured
  • Identify unauthorized sources (potential spoofing)

Gradual rollout:

v=DMARC1; p=quarantine; pct=10; rua=mailto:dmarc@captaindns.com

Then 25%, 50%, 100%, and finally p=reject.

Case 3: Domain that doesn't send emails

Goal: Prevent any fraudulent use of a "parked" domain.

Direct strict configuration:

v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s

No observation phase needed if the domain should never send legitimate emails.

Common mistakes to avoid

MistakeProblemSolution
Two DMARC recordsConflict, policy ignoredOne record per domain only
Forgetting mailto:Reports not sentrua=mailto:address@domain.com
Jumping straight to rejectBlocking legitimate emailsStart with p=none, then quarantine
Ignoring reportsNo visibility on issuesAnalyze RUA weekly
Strict alignment too earlyFailures if subdomains or third-party servicesKeep r (relaxed) until complete inventory

Deployment best practices

Phase 1: Observation (2-4 weeks)

v=DMARC1; p=none; rua=mailto:dmarc@captaindns.com
  • Collect reports
  • Identify all legitimate sources
  • Fix SPF/DKIM for non-aligned sources

Phase 2: Gradual quarantine

v=DMARC1; p=quarantine; pct=10; rua=mailto:dmarc@captaindns.com
  • Increase from 10% → 25% → 50% → 100%
  • Monitor user complaints
  • Adjust if needed

Phase 3: Reject

v=DMARC1; p=reject; rua=mailto:dmarc@captaindns.com; adkim=r; aspf=r
  • Maximum protection
  • Optionally move to strict alignment (adkim=s; aspf=s)

FAQ - Frequently asked questions

Q: What is a DMARC record?

A: DMARC (Domain-based Message Authentication, Reporting and Conformance) is a DNS TXT record that tells mail servers how to handle emails that fail SPF and DKIM checks. It protects your domain against spoofing and phishing.

Q: What DMARC policy should I start with?

A: Always start with p=none. This policy doesn't impact delivery but sends you reports. Analyze these reports for 2-4 weeks to identify all legitimate flows before moving to quarantine then reject.

Q: What's the difference between RUA and RUF?

A:

  • RUA (Reporting URI for Aggregate): Daily aggregate reports with global statistics
  • RUF (Reporting URI for Forensic): Detailed reports per individual failure

RUA is essential and supported by all. RUF is optional and rarely supported by providers.

Q: How does DMARC alignment work?

A: Alignment checks that the visible domain (From:) matches the domain authenticated by SPF or DKIM:

  • Relaxed (r): mail.captaindns.com aligns with captaindns.com
  • Strict (s): Exact match required

Q: Can I have multiple DMARC records?

A: No. Only one DMARC record is allowed per domain. Multiple records cause errors. Edit the existing one rather than adding new.

Q: How long before DMARC is active?

A: The record is active once DNS propagates (minutes to 48h). First RUA reports arrive within 24-48h after emails are sent from your domain.

Q: How do I receive reports for an external domain?

A: If your RUA address is on another domain, that domain must authorize you with:

yourdomain._report._dmarc.report-domain.com TXT "v=DMARC1"

Prepare for DMARCbis

DMARCbis is the upcoming IETF Proposed Standard that replaces RFC 7489. It introduces new tags (np, t, psd), removes deprecated tags (pct, rf, ri), and replaces the Public Suffix List with a DNS tree walk algorithm. Check your domain's readiness with the DMARCbis Checker or generate a compliant record with the DMARCbis Migration Tool.

Complementary tools

ToolPurpose
DMARC Record CheckVerify your existing DMARC record
DMARC Report AnalyzerAnalyze DMARC aggregate reports received by email
DMARC MonitoringAutomated, ongoing DMARC monitoring for your domains
SPF GeneratorCreate a valid SPF record
DKIM GeneratorCreate your DKIM keys (RSA/Ed25519)
DKIM Record CheckVerify your DKIM signature
Mail TesterTest your email deliverability
Phishing URL CheckerCheck if a URL is used in phishing campaigns

Useful resources