ToolBelt

DMARC Record Builder

Build a DMARC TXT record with policy, alignment and reporting tags.

Open tool

Overview

The DMARC record builder assembles a Domain-based Message Authentication, Reporting & Conformance TXT record from individual tags — policy, subdomain policy, alignment modes, percentage of mail subject to policy, and the email addresses that receive aggregate and forensic reports. Pick the values you want and the builder emits a single v=DMARC1; ... string ready for your zone file.

Email administrators rolling out DMARC for the first time, deliverability teams moving from p=none to p=reject, and security engineers locking down a no-mail domain all need a way to compose a DMARC record without typos. Long-tail keywords covered: build DMARC record for new domain, move DMARC policy from none to quarantine to reject, and configure DMARC aggregate reports.

How it works

DMARC is defined in RFC 7489. The TXT record is published at _dmarc.example.com and lists tags separated by semicolons. The mandatory tags are v=DMARC1 and p= (one of none, quarantine, or reject). Optional tags include sp= for a different subdomain policy, adkim= and aspf= for strict or relaxed alignment, pct= to apply the policy to a percentage of mail, rua= for aggregate report destinations, and ruf= for forensic reports.

The policy answers the question "what should the receiver do with mail that fails SPF and DKIM alignment?" none only monitors; quarantine routes to spam; reject bounces. The recommended rollout path is nonequarantine (with pct= ramping up) → reject, with rua reports analysed at every step before tightening.

Examples

  • v=DMARC1; p=none; rua=mailto:dmarc@example.com — monitor-only, the typical starting point.
  • v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example.com — quarantine a quarter of failing mail while you investigate.
  • v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@example.com — full enforcement with strict alignment, the strongest practical setting.
  • v=DMARC1; p=reject; sp=reject; — for a parked domain that should never send mail.

FAQ

What is the difference between strict and relaxed alignment?

Strict alignment (adkim=s, aspf=s) requires an exact match between the signing/SPF domain and the From: domain. Relaxed (the default) allows organisational-domain matching, so mail from bounces.example.com aligns with example.com.

How long until DMARC takes effect?

As soon as DNS propagates — minutes for low TTLs. Reports arrive on a 24-hour cadence from most providers.

Should pct= be ramped up gradually?

Yes. Start at 10–25%, watch the rejection rate in your aggregate reports, fix any legitimate senders that fail alignment, and increase from there.

Where do rua reports go?

To the address you list. Most teams pipe them into a DMARC dashboard provider that parses the XML and groups failures by source IP.

Try DMARC Record Builder

An unhandled error has occurred. Reload ×