DMARC Generator

What is a DMARC policy?

DMARC is an email security record that helps prevent spoofing attacks on your brand’s email domain. It aligns your SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) email authentication checks and instructs ISPs on handling them.

To better understand DMARC records, let’s quickly review their security partners.

SPF is an email authentication check in which ISPs check your list of approved hostnames or IP addresses. If the sender is on your list, it passes the check.

DKIM is a unique, encrypted signature you add to every authorized email. The ISP looks up the signature, compares it to the key in the email, and issues a pass or fail accordingly.

Both of these are isolated email authentication checks. However, with a DMARC policy, you can connect the two and help the ISP better protect its users and your email domain. DMARC records create a flow of operations for the ISP to follow if a sender fails either or both checks.

Required DMARC setting

Domain name to generate the DMARC Record for

For example

Sender A fails the SPF check. The ISP then knows to issue the corresponding DKIM check. If A fails to authenticate, the ISP checks your DMARC records. You determine the following actions with your DMARC record policy.

DMARC policy options are as follows:

  • None - The ISP takes no action and the message may reach the inbox. This is useful for early monitoring and observation. However, you are vulnerable as spoofers can readily reach users.
  • Quarantine - Messages that do not pass email authentication go to a quarantine area if the email server has one available. Otherwise, these messages go to the spam folder.
  • Reject - The ISP rejects messages that do not pass email authentication.

DMARC helps synergize your email security efforts and gives you greater control over your email activity. You’ll also have ongoing reports to alert you of suspicious activity to know who to allow, quarantine, or reject.

The benefits of using DMARC records

DMARC is a necessity if you want to take your email reputation seriously. All you need to do is utilize our free DMARC generator and upload your new record to receive the following benefits.

Increased email security

SPF, DKIM, and DMARC are the three pillars of email security. By implementing a DMARC records check, you can better regulate who may send from your email domain. A DMARC record check aligns your email authentication protocols and provides ongoing reports of suspicious or harmful activity.

Improved email deliverability

Only some email authentication failures result from a would-be spoofer. Mistakes in your security implementation can cause otherwise valid emails to bounce. DMARC provides helpful diagnostic reports to help you analyze any failed checks. You can determine what went wrong and take the necessary steps to improve your email deliverability.

Protect your brand’s reputation

By better managing your email activity, you protect your email reputation. Multiple factors help determine your email reputation. If a spoofer manages to replicate your domain and send harmful emails, it leads to black marks on your record. However, even lawful messages can receive a bounce or spam classification. This can happen due to content issues or mistakes in implementing your email security. DMARC records and subsequent reports assist with phishing prevention and help you quarantine and reject harmful messages. You can help ensure that your team and partners can send using your domain without fail.

Using the DMARC generator

To create DMARC records, follow these tips when using the DMARC generator:

  1. Enter your email domain in the first field. If the domain is valid, you can use the remaining fields below.
  2. Select your domain policy type. Check the above passage to review the three DMARC policy options and their corresponding meaning.

These are the required steps to generate a DMARC record. You can find the code in the fields below the generator to enter into your TXT file.

However, you can enable optional DMARC settings if you choose to do so.

  1. This first optional setting allows you to set a policy for your email sub-domain. If you do not have a sub-domain or are unsure if the sub-domain authenticates emails, set this to none.
  2. Your aggregate email is where you will receive your DMARC aggregate report. Also known as RUA, this advises you on the status of DKIM, SPF and DMARC checks.

    Enter the email you wish to use for this report.
  3. The DMARC forensic email, RUF, details a failed email authentication check in greater depth. You can use this information to learn more about a potential attack. If a valid email fails a check, you can use the diagnostic data to rectify the issue for future sending attempts.

    Enter the email you wish to use for this report.
  4. Next, you can choose to have reports sent in two different formats:
    • AFRF (Authentication Failure Reporting Format) - the default format for most applications and useful for general reporting
    • IODEF (Incident Object Description Exchange Format) - useful for cybersecurity teams utilizing incident response tools
  5. Choose a DMARC reporting interval in seconds. The value must be between 1 and 4294967295. For reference, 86400 equates to one day.
  6. Select what percentage of messages you want ISPs to check. We recommend reviewing 100% of your email messages.
  7. Next, identify how strictly your emails adhere to DKIM. We recommend setting this to “relaxed.” However, you can test your DKIM Identifier Alignment by creating an account and using our email testing tools.
  8. Finally, identify how strictly your emails adhere to SPF. Once again, we recommend setting this to “relaxed.” However, our testing tools also include an SPF alignment check to ensure you can set your record up properly.

As you update each field, you’ll notice that the DMARC generate creates three DMARC records automatically at the bottom of the page. Choose the available record that best suits your security needs.

Three Types of Available DMARC Records

DMARC Record

This is a standard line of code to create a TXT record within your DNS settings. Go to your DNS, click create a new record, and apply this code as the record value. Also, add “_dmarc” to the end of your chosen record name.

DMARC Record Using BIND

BIND is a commonplace software for DNS administrators and is compatible with Windows and Linux. Its ease of use, regular updates, and compatibility make it ideal for most users.

DMARC Record Using TinyDNS

TinyDNS, sometimes called djbdns, is a third, lightweight alternative that claims to offer improved security. However, platforms generally do not provide the same support or documentation as BIND, making it unsuitable for novices.

Other email authentication tools

Deliverability ToolsDKIM GeneratorSPF Generator

Frequently asked questions about DMARC policy

Yes. A DMARC policy is one of several necessary tools to assist with phishing prevention. DMARC records package the security measures provided by SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) together for better email authentication.

When a sender fails either the SPF or DKIM check, the DMARC record automatically checks the result of the other for confirmation. Then, it automatically issues an action based on your current DMARC policy.

Spoofing attacks are more sophisticated than ever. Business owners require the synergy and reporting provided by DMARC to give you greater oversight of your email activity. You can instruct ISPs on handling suspicious or invalid users attempting to send from your domain.

Without DMARC records, the ISP does not check for alignment between SPF and DKIM. Instead of following your instruction, the ISP will take action. This will likely result in email rejections. It also leaves your email domain vulnerable and without a phishing prevention safeguard.

DMARC allows you to communicate the alignment between SPF and DKIM. You also tell the ISP which policy to follow: none (permit), quarantine, or reject.

SPF is only one component of your email security. SPF and DMARC records fulfill separate functions and assist with email authentication in the following ways:

SPF is a list of approved hostnames and IP addresses you can send from your email domain. The receiving ISP cross-references your IP with the SPF record. If you pass the check, the email goes to the inbox.

When the SPF check fails, the ISP looks for instructions in your DMARC record. DMARC tells the ISP what to do with the email – allow, reject, or quarantine. This provides greater control over your security and will enable you to consistently detect patterns in potential attacks to bounce invalid emails.

No. DMARC is an email authentication and phishing prevention tactic to stop bad actors from using your domain.

However, this does not mean that a DMARC policy offers foolproof protection. Sophisticated attackers will use different tactics to trick users into thinking they’re receiving emails from your team.

A DMARC policy protects your exact domain name but does not protect against spoofers using domain or display names close to yours.

While technically possible, SPF, DKIM, and DMARC records are always necessary.

These email authentication tools will block hackers from copying your direct domain name or IP and sending emails to users. The issue is that spoofers are always devising new strategies to bypass phishing prevention.

Bypassing email authentication records is easier when brands do not keep their DMARC records up-to-date with a DMARC generator.

Your email security must be an active pursuit. Be sure to update your approved sender lists and remove ex-partners or employees. Monitor your DMARC reports and look out for suspicious emails. Take care to examine these invalid emails, determine how they get through and set up a DMARC policy to handle them appropriately.

A DMARC vulnerability refers to weaknesses in DMARC records from human input error or technological limitations.

Email authentication records are only as adequate as the people implementing them. When writing your record file or creating your settings, any mistakes will develop opportunities for spoofers to attack. Our free DMARC generator above helps you avoid syntactical errors using AI-generated code.

DMARC vulnerabilities are also present if you do not enable a DMARC policy. Email experts often recommend setting your policy to none so that you might monitor and learn from suspicious activity. However, it’s essential to identify suspicious behavior and quarantine it as soon as possible as spoofers have an open door to send emails from your domain.

Finally, your email security has limits. SPF, DKIM, and DMARC cannot account for the following:

  • Close domain addresses (cousin domains)
  • Forwarded emails
  • Heavy modifications to the body or header of email messages
  • Suspicious attachments
  • Any other schemes that are not a result of name-spoofing


For these reasons, brands will benefit from employing a dedicated email security team to monitor their ongoing efforts. The best email defense is always proactive.