DMARC generator

DMARC lets you publish a domain-level policy that tells mailbox providers what to do when SPF and DKIM do not align with the visible From domain. A clear DMARC record also enables aggregate reporting so you can see which services are sending mail on your behalf. Often the first step is confirming you even have a DMARC record and that the policy value matches your enforcement goal.

If policies are not enforced, review the DMARC setup guide.

Learn the bigger picture in our Email Authentication Explained guide and compare SPF vs DKIM vs DMARC to understand how these protocols work together.

One-Minute Fix

Use the DMARC generator on this page to choose a policy, reporting addresses, and alignment settings. Then copy the generated TXT value into DNS at the _dmarc hostname for your domain.

Example DMARC record

DNS TXT

v=DMARC1; p=none; rua=mailto:dmarc@example.com; pct=100; adkim=r; aspf=r

This example starts with a monitoring policy and relaxed alignment. You can tighten enforcement and alignment over time as you gain confidence that all legitimate senders are authenticated correctly.

Re-check

Generate a DMARC record

Choose your DMARC policy, reporting mailboxes, and alignment strategy, then copy the generated TXT value into DNS.

DMARC record generator

Choose your policy, reporting addresses, and alignment settings. Then copy the generated DMARC TXT value into DNS at _dmarc.yourdomain.

Policy (p)

pct (percentage)

rua (aggregate reports)

ruf (forensic reports, optional)

adkim (DKIM alignment)

aspf (SPF alignment)

Why this happens

Many teams understand they need DMARC but are unsure which tags are required and which values are safe to start with. Hand-writing DMARC records increases the risk of typos or overly aggressive policies that can block legitimate mail. Misaligned authentication paths often show up as DMARC alignment failures or a reporting address that never receives data.

Why a missing or broken DMARC record is a problem

Without a clean DMARC policy, mailbox providers have less guidance on how to treat spoofed or unauthenticated mail that appears to come from your domain. That can make phishing harder to detect and weaken your overall email trust profile. Over time that can mean critical mail is treated like generic bulk, especially when multiple DMARC records or a misconfigured fo= tag confuse evaluation.

How a good DMARC policy helps deliverability

A well-implemented DMARC record, combined with aligned SPF and DKIM, shows receivers that you actively manage abuse and authentication. Over time, this can improve inbox placement for legitimate mail while making it easier for providers to discard obvious spoofing attempts. Over time, well-tuned DMARC aggregate reports and a clear policy stance are what help inbox providers separate your legitimate traffic from spoofing attempts.

Next steps

Review the full troubleshooting guidance in the DMARC Hub.
Explore sender authorization issues in the SPF Hub.
Check signing and selector issues in the DKIM Hub.