Build a valid DMARC record, validate an existing one, or look up what's published in DNS — all in your browser.
The DMARC Record Generator & Analyzer helps you create, validate, and inspect DMARC DNS records without manually remembering every tag defined in the DMARC specification. Whether you're configuring email authentication for a personal domain, managing business email security, or troubleshooting deliverability problems, this tool simplifies the entire process.
Instead of writing DMARC records manually, simply choose the desired policy, alignment modes, reporting addresses, and other options. The generator automatically assembles a valid DNS TXT record that follows the DMARC standard. If you already have a record, the analyzer validates its syntax, explains every tag, identifies mistakes, highlights warnings, and suggests improvements. You can also perform a live DNS lookup to view the currently published DMARC record for any domain.
Everything runs directly in your browser, making the tool fast, private, and easy to use for developers, system administrators, IT teams, email service providers, and website owners.
DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an email authentication protocol that helps protect domains from email spoofing, phishing attacks, and impersonation. It works alongside SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) to determine whether incoming messages are authorized to use your domain.
When a receiving mail server gets an email claiming to come from your domain, it checks:
Depending on your published policy, unauthorized emails can be:
DMARC also supports aggregate and forensic reporting, allowing domain owners to monitor authentication failures and identify unauthorized email sources.
Creating a DMARC record manually can be error-prone because every tag must follow strict formatting rules defined in RFC 7489. A single typo, duplicate tag, or invalid value may cause mail providers to ignore the record or interpret it incorrectly.
This generator eliminates those risks by automatically producing properly formatted DNS TXT records while the analyzer checks existing records for compliance and configuration issues.
Whether you're deploying DMARC for the first time or auditing an existing configuration, this tool reduces manual work while helping ensure your DNS record follows current DMARC recommendations.
A DMARC record is composed of semicolon-separated key/value pairs called tags. Some tags are required, while others provide additional reporting and policy controls.
| Tag | Purpose |
|---|---|
v |
DMARC protocol version. Always DMARC1. |
p |
Primary policy (none, quarantine, reject). |
sp |
Policy for subdomains. |
pct |
Percentage of emails to which the policy applies. |
rua |
Email address(es) for aggregate reports. |
ruf |
Email address for forensic failure reports. |
adkim |
DKIM alignment mode (relaxed or strict). |
aspf |
SPF alignment mode (relaxed or strict). |
fo |
Failure reporting options. |
ri |
Aggregate report interval in seconds. |
_dmarc.yourdomain.com.Suppose your company wants to monitor email authentication before enforcing DMARC.
v=DMARC1;
p=none;
rua=mailto:dmarc@example.com;
adkim=r;
aspf=r;
pct=100
This policy tells receiving mail servers to take no action on failing messages,
but to send aggregate reports to dmarc@example.com. After reviewing
reports and confirming all legitimate mail sources authenticate correctly, the
policy can gradually be changed to quarantine and eventually
reject.
p=none to monitor authentication without affecting mail delivery.none to quarantine, then finally to reject.
The p tag only accepts
none, quarantine, or reject. Any other
value results in an invalid record.
Each DMARC tag should appear only once. Duplicate entries may cause mail receivers to ignore later values or produce unexpected behavior.
Every DMARC record must begin with
v=DMARC1. Without this required tag, the record is invalid.
Custom or misspelled tags are ignored by most receivers and indicate a configuration mistake. Remove unknown tags to keep your record standards compliant.
Reporting addresses should use the correct
mailto: format. Invalid email addresses prevent reports from being
delivered successfully.
A domain should publish only one DMARC TXT record. Multiple records can lead to inconsistent interpretation by mail providers.
Small syntax mistakes can prevent a DMARC policy from functioning correctly. Validation checks every tag, detects formatting errors, duplicate parameters, unsupported values, and missing required fields before the record is published. This reduces deployment errors and helps ensure receiving mail servers interpret your policy exactly as intended.
The integrated DNS lookup also allows you to compare the published record with your local configuration, making troubleshooting significantly easier after DNS changes have propagated.
_dmarc.yourdomain.com subdomain. For example, if your domain is example.com, the record should be created at _dmarc.example.com.
p=none. This collects reports without affecting email delivery, allowing you to identify legitimate senders before enabling enforcement.
ri tag, although mail providers are not required to follow the requested interval exactly.
rua tag by separating them with commas. Your generator formats these correctly using the required mailto: syntax.
v=DMARC1, malformed email addresses, unsupported parameters, or incorrect syntax. The built-in analyzer identifies these issues and explains how to fix them.
A properly configured DMARC policy strengthens email security by preventing domain spoofing, improving message authentication, and providing visibility into how your domain is being used across the internet. Whether you are deploying DMARC for the first time or maintaining an existing policy, creating an error-free record is essential.
This DMARC Record Generator & Analyzer simplifies the entire process by
allowing you to generate standards-compliant records, validate existing
configurations, perform live DNS lookups, and understand every DMARC tag
through clear explanations. By following recommended deployment practices and
gradually progressing from p=none to
quarantine and finally reject, you can confidently
protect your domain while maintaining reliable email delivery.
Where does a DMARC record live? As a TXT record on _dmarc.yourdomain.com, never on the bare domain.
What if there's no rua address? The policy still applies, but you'll get no visibility into who is or isn't passing DMARC for your domain — an rua address is strongly recommended.
Can I have more than one DMARC record? No — publishing more than one TXT record on _dmarc makes the record invalid and receivers will ignore it.