DMARC Record Generator — _dmarc TXT Policy Builder

SPF and DKIM prove individual message authentication. DMARC publishes domain-level policy and alignment rules so receivers know whether a failed check should still deliver, quarantine, or reject — and where to send XML aggregate summaries of authentication activity.

Without DMARC, receivers apply local heuristics to SPF/DKIM failures. With DMARC p=reject, spoofed messages claiming your header From domain face standardized rejection when alignment fails. Our generator helps you stage that policy as TXT on _dmarc.

DMARC records live at _dmarc.example.com as TXT, not at the apex. DNS panels usually want the host field _dmarc with the domain suffix added automatically. The record value starts with v=DMARC1 followed by semicolon-separated tags.

Our builder outputs only the value portion. After publish, confirm with TXT lookup on _dmarc.yourdomain or our SPF/DKIM/DMARC checker — typos in the underscore host are a common first-deployment mistake.

p=none is monitoring mode — receivers send reports but do not change delivery based on DMARC failure. Start here when first collecting rua data. p=quarantine asks receivers to treat failures as suspicious, often spam-folder placement. p=reject requests rejection of failing aligned mail — strongest anti-spoofing when SPF and DKIM are correctly deployed.

sp= sets subdomain policy when it should differ from p=. If omitted, subdomains inherit p=. Document your rollout: none → quarantine → reject over weeks as reports show legitimate streams passing alignment.

rua=mailto: addresses receive daily XML aggregate reports from participating receivers summarizing SPF/DKIM/DMARC results. Use a dedicated mailbox or a reporting SaaS that ingests rua XML. The builder accepts comma-separated emails and adds mailto: prefixes.

ruf=mailto: requests forensic failure reports with redacted message samples. Many providers no longer send ruf due to privacy. Including ruf does not harm policy but may yield empty inboxes — focus operational effort on rua parsing first.

pct= applies policy to only a fraction of failing messages — useful when testing quarantine impact without affecting every message. Omit pct or set 100 for full enforcement. Our builder adds pct only when you specify a value below 100.

Combine pct with p=quarantine during cautious rollouts. Receivers interpret pct stochastically — not a per-user sampling knob you can predict per message.

DKIM alignment compares the d= domain in signatures with the header From domain. SPF alignment compares the envelope MAIL FROM or HELO domain. adkim=s and aspf=s demand strict domain match; relaxed (default r) allows organizational domain match across subdomains.

Strict alignment hardens against sibling-subdomain attacks but breaks legitimate mail when vendors sign with their own domain. Review rua reports before enabling strict tags.

DMARC policies reveal mail security maturity and reporting addresses. Client-side assembly keeps rua distribution lists on your workstation until you publish publicly anyway via DNS. No server upload during drafting.

Published DMARC is public — receivers and competitors can query _dmarc. The privacy win is pre-publish drafting, not hiding a live policy.

Deploy SPF first with our SPF record generator, enable DKIM signing at your mail host, then publish DMARC. Our email spoofing test scores risk from missing or weak combinations — use it before jumping to p=reject.

DMARC without working SPF/DKIM causes false failures — legitimate mail quarantined while spoofers still exploit unrelated paths.

Aggregate XML is verbose. Operators use parsers like dedicated DMARC analytics platforms or open-source tools to visualize sources failing alignment. Schedule weekly review during p=none, daily during quarantine rollout.

Sudden spikes in unauthorized sources in rua XML signal active spoofing campaigns — escalate to p=quarantine or reject faster when no legitimate vendor explains the volume.

Publishing DMARC at apex instead of _dmarc, omitting v=DMARC1, invalid mailto syntax in rua, jumping to p=reject before DKIM selectors exist, or leaving p=none indefinitely while assuming spoofing protection.

Regenerate and republish when changing reporting addresses — stale rua mailboxes silently drop visibility into authentication health.