DMARC Record Generator
Build a DMARC policy record for your domain. Configure rejection policy, reporting addresses, and alignment settings — get the exact DNS value to publish.
Generate Your DMARC Record
Percentage of failing messages to apply the policy to. Use a low value when rolling out quarantine or reject.
What Is DMARC and Why Do You Need It?
DMARC (Domain-based Message Authentication, Reporting, and Conformance) is the third pillar of email authentication, building on top of SPF and DKIM. It tells receiving mail servers what to do when a message fails authentication checks, and where to send reports about those failures. Without DMARC, having SPF and DKIM in place is necessary but not sufficient — an attacker can still forge your visible From address even if SPF and DKIM pass on a different domain.
Gmail, Yahoo, and Microsoft have all made DMARC a requirement for bulk senders. Domains without a DMARC policy face increased spam filtering and reduced inbox placement across major mailbox providers.
The Three DMARC Policy Levels
DMARC uses a graduated rollout approach with three policy levels. The recommended sequence is to start at none, move to quarantine, and ultimately reach reject.
- p=none — Monitor only. Failing messages are delivered normally, but aggregate reports are sent to the rua address. Use this to discover all your sending sources before enforcing policy.
- p=quarantine — Failing messages go to the spam folder. Use this once you have verified your legitimate mail passes authentication.
- p=reject — Failing messages are rejected outright. This is the strongest protection and the goal for most domains.
Understanding DMARC Alignment
DMARC passes when either SPF or DKIM passes and the authenticated domain aligns with the From header domain. Relaxed alignment (r) allows subdomain matches — for example, mail.example.com aligns with example.com. Strict alignment (s) requires an exact domain match. Start with relaxed alignment and only tighten to strict if you have a specific reason.
DMARC Reporting: rua vs ruf
The rua tag specifies the email address to receive aggregate reports — daily XML summaries of authentication results from all senders worldwide. These are essential for understanding your sending footprint and catching unauthorized senders. The ruf tag specifies the address for forensic (failure) reports, which contain details of individual failing messages. Forensic reports are less widely supported and may contain message content, so they require more careful handling.
You can receive reports at any email address — even one on a different domain. Some organizations use dedicated DMARC report processing services to parse and visualize aggregate XML data.
Completing Your Email Authentication Setup
DMARC works best as the final layer on top of SPF and DKIM. Set up SPF to authorize your sending IPs, configure DKIM signing on your mail server or email service provider, and then add a DMARC policy to tie everything together and receive reports.
Authentication protects you from domain abuse. List hygiene protects your sender reputation. Use email verification to remove invalid addresses before every send, or check large lists with bulk email verification. See pricing for verification plans.
Frequently Asked Questions
1. What is DMARC and why do I need it?
DMARC is an email authentication policy that tells receiving mail servers what to do when SPF or DKIM checks fail, and provides reporting so you can monitor who is sending email from your domain. Without DMARC, bad actors can send phishing emails that appear to come from your domain even if you have SPF and DKIM configured. DMARC closes this gap and Google and Yahoo now require it for bulk senders.
2. Where do I publish a DMARC record?
DMARC records are published as a TXT record at the subdomain _dmarc.yourdomain.com (not at the root). For example, if your domain is example.com, publish the TXT record at _dmarc.example.com with the generated value.
3. What is the difference between p=none, p=quarantine, and p=reject?
p=none means take no action — just send reports. This is the monitoring phase. p=quarantine means send failing messages to the spam folder. p=reject means block failing messages entirely before they reach the inbox. Most domain owners start with none, move to quarantine after reviewing reports, then advance to reject.
4. What is DMARC alignment?
Alignment means the domain that passes SPF or DKIM must match the domain in the From header that users see. Relaxed alignment allows subdomain matches (mail.example.com aligns with example.com). Strict alignment requires an exact match. Most senders use relaxed alignment to avoid breaking forwarding and third-party service mail.
5. What are DMARC aggregate reports (rua)?
Aggregate reports are XML files sent daily by every major mail provider to your designated rua email address. They show every IP that sent mail claiming to be from your domain, how many messages each sent, and whether SPF and DKIM passed or failed. You can parse these manually or use a DMARC reporting service.
6. Do I need SPF and DKIM before I can use DMARC?
Yes. DMARC requires at least one of SPF or DKIM to produce an aligned pass. If neither SPF nor DKIM is configured for your domain, all messages will fail DMARC. Set up SPF and DKIM first, then publish a DMARC record in monitoring mode (p=none) to confirm they are working before adding enforcement.
探索更多功能
探索 BillionVerify 的所有強大功能
Complete your email deliverability setup
DMARC protects your domain. A clean email list protects your sender reputation. Use BillionVerify to remove invalid addresses and reduce bounce rates.
100 free verifications daily · 99.9% SMTP accuracy · Instant API access · No credit card required