Log in
CaptainDNS

Propagation & diagnostics

Compare resolvers worldwide and inspect returned answers.

Email authentication

Tools to verify and validate your email authentication setup.

SPF syntax validator

Review include chains and DNS query limits before publishing changes.

SPF record inspector

Resolve the published TXT record, flag lookup limits and decode each mechanism.

DKIM syntax validator

Quickly check the syntax of your DKIM records.

DKIM record check

Resolve a selector and analyse the published DKIM TXT record.

DMARC syntax validator

Check rua/ruf destinations, alignment modes and the active policy before publishing.

DMARC record inspector

Resolve the published policy, surface diagnostics and confirm enforcement before switching to reject.

BIMI syntax validator

Validate BIMI tags, the logo fetch and the VMC certificate before publishing.

BIMI record inspector

Resolve the published BIMI record, inspect logo and VMC diagnostics in one place.

Email deliverability audit

Audit MX, SPF, DKIM and DMARC to confirm a domain is ready to send.

Mail header analyzer

Decode participants, authentication results and routing from raw headers.

DMARC record generator

Create compliant DMARC records with all policy and reporting options.

Text

Transform, encode and measure your content in seconds.

Text case converter

Convert any block of text to upper or lower case instantly.

Base64 encoder / decoder

Encode or decode any content in Base64 without leaving the browser.

Slug generator

Transform any sentence into an SEO-friendly slug in seconds.

Word & character counter

Measure the length of any text, with instant word and character counts.

Images

Preview and validate your BIMI logos before publishing.

BIMI logo lookup

Inspect a BIMI logo URL—format, metadata and live rendering—before rollout.

Certificates

Inspect CSRs, BIMI logos and VMC certificates before you deploy.

CSR parser

Inspect a CSR, extract subject details, fingerprints and requested SANs.

VMC inspector

Inspect a Verified Mark Certificate—issuer, validity and SAN coverage—before you publish BIMI.

IP

Look up addresses, owners, reverse records and ranges.

Reverse lookup

Resolve a PTR record and validate DNS consistency.

IP WhoIs

Identify the owner of an IP range and its contacts.

IPv4 netmask

Calculate network, broadcast and usable hosts for any IPv4 block.

My IP address

Detect your IPv4/IPv6 addresses and their geolocation.

DMARC record generator

The organizational domain for which to generate the DMARC record.

Action to apply to messages that fail DMARC checks.

Specific policy for subdomains. If not set, inherits the main policy.

Percentage of messages to apply the policy to (1-100). Default: 100.

Email addresses to receive DMARC aggregate reports.

Email addresses to receive detailed failure reports.

Required alignment mode for DKIM.

Required alignment mode for SPF.

When to generate failure reports (RUF). Default: 0.

Report generation interval in seconds. Default: 86400 (24h).

Why generate a DMARC record?

DMARC ties SPF and DKIM to a policy that recipients enforce. It protects the domain identity, improves incident visibility, and delivers useful reports. This generator builds a clean, publication-ready record that accounts for subdomains, enforcement percentages, and reporting addresses.

How to use the generator

  1. Domain: Enter the organizational domain. The record will be published at _dmarc.your-domain.

  2. Primary policy p: Choose None to observe, Quarantine to quarantine, and Reject to block. Start with None, read the reports, fix issues, then ramp up gradually.

  3. Subdomain policy sp: Leave it to inherit or set a different policy for sending subdomains.

  4. Enforcement percentage pct: From 1 to 100. Useful for transitioning gradually into Quarantine or Reject.

  5. Aggregate reports rua: One or more mailto: addresses separated by commas.
    Example: mailto:dmarc@example.com,mailto:secops@example.com
    If you use an address from a third-party domain, that third party must authorize you via a _report._dmarc DNS record (DMARC requirement).

  6. Forensic reports ruf (optional): Detailed failure reports. Few providers send them. Be mindful of volume and sensitive data.

  7. Alignment modes adkim and aspf: relaxed by default. strict strengthens identification once your sending inventory is stable.

  8. Failure options fo: 0 by default.
    Other possible values:

    • 1 generate a report if SPF or DKIM fails
    • d for DKIM-only failures
    • s for SPF-only failures

  9. Interval ri: Frequency of aggregate reports in seconds. 86400 equals 24 hours.

Click Generate the record and publish the TXT value on _dmarc.your-domain.

Ready-to-use examples

Full observation

_dmarc.example.com. IN TXT "v=DMARC1; p=none; rua=mailto:dmarc@example.com; adkim=r; aspf=r; ri=86400"

Gradual rollout

_dmarc.example.com. IN TXT "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example.com; adkim=r; aspf=r"

Strict protection (production)

_dmarc.example.com. IN TXT "v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc@example.com; adkim=s; aspf=s; ri=86400"

Publication and verification

  • Publish a single DMARC TXT record on _dmarc.your-domain.
  • Use a TTL of 3600 during tuning, then increase it once things are stable.
  • Verify live resolution with your CaptainDNS DMARC inspector and domain check tools.
  • Monitor rua reports for a few days before hardening the policy.

Common mistakes to avoid

  • Publishing two DMARC records at the same name. Keep a single entry.
  • Forgetting mailto: in front of rua/ruf addresses.
  • Jumping straight to p=reject without cataloging legitimate senders.
  • Switching to strict alignment while subdomains or third-party services still send with another visible domain.
  • Declaring an external reporting address without the third party's _report._dmarc authorization.
  • Mixing up pct and ri. The former controls enforcement, the latter report frequency.

Rollout best practices

  • Step 1: p=none, rua active. Map real sources and fix the ones that fail.
  • Step 2: p=quarantine, pct 10 then 50 then 100. Watch for false positives.
  • Step 3: p=reject. Once stable, consider adkim=s and aspf=s.
  • Define an sp policy if your subdomains send differently.
  • Keep a change log with date, previous and new value, reason, and TTL.

Quick report readouts

  • Aggregate rua reports show per-source volume, SPF and DKIM pass/fail rates, alignment, and applied disposition.
  • Forensic ruf reports capture individual failure events when supported. Enable them cautiously.

Privacy commitment

The values you enter are sent to the CaptainDNS API solely to generate the DMARC string. No data is stored in plain text. Only technical metrics such as processing duration and record size are logged to monitor availability.