WPMozo: add-ons and tools for WordPress and Elementor
⚡ Email & DNS · Client-side · No data sent to server

DMARC Record Generator

Set your DMARC policy, reporting addresses, alignment options, and failure reporting to generate a ready-to-publish DMARC TXT record. Everything runs in your browser.

Domain

The domain you are protecting. The record will be published at _dmarc.example.com.

Policy

%
Apply the policy to this percentage of failing messages. 100 is the standard value.
Override the policy for subdomains. Leave blank to inherit the parent policy.

Reporting

Where to send aggregate (XML summary) reports. Separate multiple addresses with commas.
Where to send per-message failure reports. Many large providers no longer send these.

Alignment

Other

seconds
Default is 86400 (1 day). Most providers ignore this and send daily regardless.
Policy: none (monitoring)
DNS TXT Record
Type TXT
Name _dmarc
Value 
 		 
 
 Copied! 
  
 
Recommended rollout
 
     
  1.  1 p=none — Start here. Collect aggregate reports for 1-2 weeks to understand who is sending on behalf of your domain. 
    2.  
  2.  2 p=quarantine, pct=10 — Begin enforcing on a small percentage. Monitor reports for false positives and gradually increase pct toward 100. 
    3.  
  3.  3 p=reject, pct=100 — Full enforcement. Illegitimate senders are blocked at the mail server. Only move here once all legitimate mail streams pass DKIM and SPF. 
    4.  
 
 
 
 
 
 
About this tool
 
DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an email authentication protocol that lets domain owners publish a policy telling receiving mail servers how to handle messages that fail DKIM or SPF checks. It is defined in RFC 7489.
 
How DMARC builds on SPF and DKIM
 
SPF checks that the sending mail server is authorized to send for the domain. DKIM adds a cryptographic signature that lets the receiving server verify the message was not tampered with in transit. Both operate at the envelope level, though, and neither tells receiving servers what to do when a check fails. DMARC adds that missing enforcement layer and introduces the concept of alignment: the authenticated domain must match the domain in the visible From: header.
 
     
  • SPF alignment — the domain used in the SMTP MAIL FROM envelope must align with the From: header domain.
    •  
  • DKIM alignment — the d= tag in the DKIM signature must align with the From: header domain.
    •  
  • A message passes DMARC if it passes SPF with alignment or DKIM with alignment. Both do not need to pass.
    •  
 
What aggregate reports contain
 
When you include an rua address, receiving mail providers (Gmail, Microsoft, Yahoo, and others) send you daily XML reports at the end of each reporting interval. Each report contains:
 
     
  • The source IP address that sent the messages.
    •  
  • The number of messages from that IP.
    •  
  • Whether SPF, DKIM, and DMARC passed or failed for each source.
    •  
  • The disposition applied (none, quarantine, or reject).
    •  
 
These reports are invaluable for discovering legitimate sending sources you may have forgotten (marketing platforms, CRMs, transactional email services) and for detecting spoofing attempts before you move to a strict policy.
 
DMARC report analysis tools
 
The raw XML reports are dense and difficult to read directly. Several tools can parse and visualize them:
 
     
  • Postmark DMARC — free hosted report aggregation and visualization.
    •  
  • dmarcian — commercial platform with a free tier for low-volume domains.
    •  
  • parsedmarc — open-source self-hosted CLI and Elasticsearch/Kibana pipeline.
    •  
  • DMARC Digests — lightweight free service that emails you a human-readable summary.
    •  
 
Common mistakes to avoid
 
     
  • Jumping straight to p=reject before reviewing reports typically blocks legitimate mail from unregistered sending services.
    •  
  • Setting adkim=s (strict) will break DKIM for any subdomain-signed messages, including many ESPs that sign from a subdomain of your domain.
    •  
  • Forgetting to add SPF records and DKIM signatures for third-party senders (Mailchimp, Salesforce, Zendesk, etc.) before enforcing DMARC.
    •  
  • Only one DMARC record per domain is allowed. Multiple _dmarc TXT entries cause the record to be treated as invalid.
    •  
 
    
  
 
Related tools
 
  SPF Record Generator Build a valid SPF TXT record by selecting your mail providers and IP ranges. No server-side requests, runs in your browser.  Email Header Analyzer Paste the full raw headers from any email to trace the delivery path and check DKIM, SPF, and DMARC authentication results. Runs in your browser.  Security Headers Generator Generate HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy for Apache or Nginx.  
 
    DiviExtended: premium Divi child themes and plugins