DMARC policy generator

Compose a DMARC policy a la carte and watch the DNS record build itself — or paste a record you already have and read it back as plain-English choices. They stay in sync both ways.

What is DMARC?

DMARC (Domain-based Message Authentication, Reporting & Conformance) is a small DNS record that tells the world’s mailboxes what to do with email that claims to come from your domain but can’t prove it. In plain terms: it’s how you stop scammers from sending convincing “you@yourcompany.com” phishing emails to your customers.

Email has no built-in way to verify who really sent a message — anyone can type your address into the “From” line. Two older standards, SPF and DKIM, let a receiving mail server check whether a message genuinely came from a server you authorized. DMARC ties them together: it lets you tell receivers what to do when those checks fail, and asks them to email you reports so you can see who is sending mail as your domain.

SPF

A public list of the mail servers allowed to send for your domain. The receiver checks the sending server against that list.

DKIM

A tamper-evident digital signature added to every message, so the receiver can confirm it wasn’t forged or altered along the way.

DMARC

Sits on top of both. It decides what happens when a message fails SPF and DKIM, and collects reports — exactly what you configure below.

You publish the record this tool builds as a TXT record at _dmarc.yourdomain.com in your DNS provider. After saving it, changes can take a little while to spread across the internet (“DNS propagation”), so reporting won’t start immediately.

Build your policy

Toggle the options on the left to fit your situation. Read the note under each one if you’re unsure — the DNS record on the right updates as you go. Already have a record? Paste it into the record box and the options will fill in to match.

Policy wizard

Pick the options you want — the record updates live.

Enforcement

p

The big one: what you're asking other mail providers to do with email that fails the check and claims to be from you.

Monitor only. Receivers still deliver failing mail as normal but send you reports. The safe place to start — you watch for a few weeks before tightening.

Apply to a percentage

pct

A safety valve: have receivers apply your policy to only a slice of mail at first (chosen at random), so a mistake can't affect everyone at once. Most people leave this at 100%.

Subdomain policy

sp

Set a separate rule for subdomains like news.yourdomain.com or mail.yourdomain.com. Leave off and they simply follow the main policy above.

Non-existent subdomains

np

A stricter rule just for subdomains you've never set up. Scammers love these because there's no real mail to accidentally block — so reject is usually safe here.

DKIM alignment

adkim

How closely the DKIM signature's domain must match your From address. Relaxed counts a subdomain (mail.yourdomain.com) as a match for yourdomain.com; strict demands an exact match. Relaxed is the usual choice.

SPF alignment

aspf

The same idea for SPF: how closely the sending server's domain must match your From address. Relaxed allows subdomains to match; strict requires an exact match. Relaxed is the usual choice.

Aggregate reports

rua

The email address that receives the daily summary reports. These show who is sending mail as your domain and whether it's passing — the whole reason to start at None. Strongly recommended.

Failure reports

ruf

An address for detailed reports about individual messages that failed. Useful for debugging, but most providers no longer send these for privacy reasons — so it's optional.

Report interval

ri

How often you'd like the aggregate reports. In practice receivers almost always send them once a day regardless, so the default (86400 seconds = 24 hours) is fine to leave alone.

DNS record

Publish this TXT record at your domain.

Type: TXT
Host: _dmarc

Add this as a new record at your DNS provider. “Type” and “Host” are the fields it asks for — some providers want just _dmarc in the host field and add the domain for you.

Value

Paste an existing record here and the wizard updates to match.
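
The two-way sync described on this page (options to record, record to options) comes down to a parser, a validator and a serialiser for the tags listed above. The Python below is an added example, not the tool's own code; the function names, the mailto:-only check on report addresses and the sample record for example.com are assumptions of the example.

```python
POLICIES = {"none", "quarantine", "reject"}
ORDER = ["v", "p", "sp", "np", "adkim", "aspf", "pct", "rua", "ruf", "ri"]
# Constructed sample record (example.com is a placeholder domain).
SAMPLE = "v=DMARC1; p=none; np=reject; adkim=r; pct=100; rua=mailto:dmarc@example.com; ri=86400"

def parse_dmarc(record):
    """Return (tags, problems) for a DMARC TXT value."""
    tags, problems = {}, []
    parts = [p.strip() for p in record.split(";") if p.strip()]
    for part in parts:
        name, sep, value = part.partition("=")
        name, value = name.strip().lower(), value.strip()
        if not sep or not name or not value:
            problems.append(f"malformed tag: {part!r}")
        elif name in tags:
            problems.append(f"duplicate tag: {name}")
        else:
            tags[name] = value
    # The version tag is case-sensitive and must come first.
    if not parts or "".join(parts[0].split()) != "v=DMARC1":
        problems.append("record must start with v=DMARC1")
    if tags.get("p", "").lower() not in POLICIES:
        problems.append("p is required: none, quarantine or reject")
    for name in ("sp", "np"):
        if name in tags and tags[name].lower() not in POLICIES:
            problems.append(f"{name} must be none, quarantine or reject")
    for name in ("adkim", "aspf"):
        if name in tags and tags[name].lower() not in ("r", "s"):
            problems.append(f"{name} must be r (relaxed) or s (strict)")
    for name, hi in (("pct", 100), ("ri", 2**32 - 1)):
        value = tags.get(name, "0")  # an absent tag keeps its default
        if not (value.isascii() and value.isdigit() and int(value) <= hi):
            problems.append(f"{name} must be an integer from 0 to {hi}")
    # Assumption of this example: only mailto: report URIs are accepted.
    for name in ("rua", "ruf"):
        for uri in (tags[name].split(",") if name in tags else []):
            uri = uri.strip()
            if not uri.lower().startswith("mailto:") or "@" not in uri:
                problems.append(f"{name} entry is not a mailto: address: {uri!r}")
    # Monitoring is only useful if the aggregate reports go somewhere.
    if tags.get("p", "").lower() == "none" and "rua" not in tags:
        problems.append("p=none without rua: nothing enforced, nothing reported")
    return tags, problems

def build_dmarc(tags):
    """Serialise tags back to a TXT value, with v and p first."""
    names = [n for n in ORDER if n in tags] + [n for n in tags if n not in ORDER]
    return "; ".join(f"{n}={tags[n]}" for n in names)
```

Calling `parse_dmarc(SAMPLE)` returns the tag dictionary with an empty problem list, and `build_dmarc` on that dictionary reproduces the same record string.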
