DMARC Record Generator

How to choose the right DMARC policy

DMARC is published as a TXT record at _dmarc.example.com. It does not replace SPF or DKIM. Instead, it checks whether SPF or DKIM aligns with the visible From domain and then applies the policy you publish. A new domain usually starts with p=none so you can collect reports without blocking mail. Once you know all legitimate senders are authenticated, you can move to p=quarantine and eventually p=reject.

The reporting address in rua receives aggregate reports from participating mailbox providers. Those reports help you see which services are sending mail for the domain, which ones pass authentication, and which ones need SPF or DKIM fixes. Forensic reports in ruf are optional and are not supported consistently by every provider, so many teams rely mostly on aggregate reporting.

The percentage setting lets you roll out enforcement gradually. For example, a domain can move from monitoring to quarantine for a small share of failing mail before applying the policy to all mail. This is useful when a domain has multiple teams or platforms sending from it.

DMARC setup for campaign and product sending

For marketing, sales, and product email, DMARC should be paired with list hygiene and sender monitoring. Authentication reduces impersonation risk and helps mailbox providers understand your sender identity. It does not make invalid addresses deliverable. Before sending to a large CSV, verify the list with bulk verification or test individual addresses with the email verifier.

If you are setting up a new domain, use the SPF generator and DKIM generator first. Then generate DMARC, publish it, and run the DMARC checker. A bounce rate under 3% is healthy; 3-5% needs cleanup and attention; above 5% is high risk for sender reputation.

DMARC rollout checklist

Do not jump straight to a strict policy unless the domain has a simple sending footprint and every sender is already verified. Most teams should monitor first, review aggregate reports, fix the sources that fail alignment, and then tighten the policy in stages. This avoids blocking legitimate invoices, support replies, password resets, or campaign messages that were not fully authenticated yet.

Use a reporting mailbox that someone actually reviews, or route reports into a monitoring service. The value of DMARC reporting is visibility: it shows which systems are using the domain and whether they pass SPF or DKIM alignment. That information is especially useful when several teams control different email platforms.

For subdomains, decide whether the root policy should apply or whether the subdomain needs its own policy. Many teams keep outreach, newsletters, and product mail on separate subdomains so DNS changes and reputation signals are easier to manage.