All Tools
Free ToolGenerator

DMARC Policy Generator

Builds a DMARC v=DMARC1 record with the policy, percentage, and rua/ruf reporting addresses configured for your domain.

Your DMARC record
v=DMARC1; p=none
Type: TXT. Host: _dmarc (so the full record is at _dmarc.yourdomain.com).
What it does

Generates the DNS TXT record for _dmarc.[yourdomain] subdomain with: p (policy: none, quarantine, reject), pct (rollout percentage), rua (aggregate reporting), ruf (forensic reporting), and optional sp (subdomain policy) directives.

When to use

Setting up DMARC for the first time (start with p=none for monitoring). Tightening DMARC policy after 2-4 weeks of clean monitoring (move to p=quarantine then p=reject).

How to use it

  1. 1
    Start at p=none
    Always begin in monitoring mode. You'll learn what's actually sending as your domain before enforcing anything.
  2. 2
    Set rua to an analyzer endpoint
    Use Dmarcian, EasyDMARC, Postmark, or any DMARC service. Free tier is fine for the first 90 days.
  3. 3
    Watch the reports for 2-4 weeks
    Identify all legitimate senders. Fix SPF/DKIM gaps before tightening policy.
  4. 4
    Ramp p=quarantine, then p=reject
    Use the pct directive (10 → 25 → 50 → 100) to ramp gradually if your volume is sensitive.

Common use cases

  • First-time DMARC setup on a domain that's never had one
  • Quarterly tightening from p=none to p=quarantine to p=reject
  • Setting up subdomain-specific policy (sp= directive) for marketing vs transactional
  • Configuring aggregate reporting destination for a DMARC analyzer service

FAQ

What's the recommended DMARC rollout sequence?+

Start with p=none for 2-4 weeks to monitor authentication results without affecting delivery. Read the rua reports, fix any auth failures from legitimate senders, then move to p=quarantine for 2-4 weeks. Move to p=reject once confident no legitimate mail is being mishandled.

Do I need DMARC reports?+

Yes. The rua reporting address gets daily aggregate reports from receivers showing how your mail authenticated. Without these reports, you're blind to problems. Free DMARC report parsers like Dmarcian or Postmark's DMARC tools handle the XML parsing.

p=quarantine vs p=reject, which should I land on?+

p=reject is stronger and the long-term target. It blocks spoofed mail outright. But you should only land there after weeks of clean rua reports, moving too early can block legitimate mail that's failing alignment due to a forgotten sender (e.g., an old marketing platform you didn't realize sends as you).

What's the pct (percentage) directive for?+

Lets you apply the policy to only a percentage of failing mail during rollout. Useful when moving from p=none to p=quarantine, set pct=10 first to quarantine 10% of failing mail, ramp to 25, 50, 100 over weeks. Safer than a hard switchover.

Why is my DMARC failing despite SPF and DKIM passing individually?+

Alignment. DMARC requires SPF or DKIM to ALIGN with the From: header domain, not just to pass. ESPs that send 'from your domain' via their own bounce return-path can pass SPF without aligning. Aligned DKIM is the cleanest fix; some ESPs need a CNAME setup to enable it.

Why this tool matters

DMARC is the policy layer that sits on top of SPF and DKIM. SPF and DKIM each authenticate one piece of an email's identity (the sending IP, the DKIM-signed content); DMARC tells receiving servers what to do when those checks fail and where to send reports about the failures. Without DMARC, you have no visibility into spoofing attempts against your domain, and in 2024+, with Gmail and Microsoft's bulk-sender requirements, you can't reliably reach the inbox at scale.

The right DMARC rollout is staged. Start at p=none (monitor only, the receiving server reports failures but doesn't change delivery). Run that for 2-4 weeks while you read the aggregate reports and identify every legitimate sender from your domain (including the ones you forgot about, like the old support ticketing system that nobody's used for two years but still sends mail). Move to p=quarantine (route failures to spam) for 2-4 more weeks. Only then move to p=reject (block failures outright).

This generator produces the TXT record for whichever stage you're at, with the right reporting addresses for the rua (aggregate report) and ruf (forensic report) destinations. Most teams send the aggregates to a DMARC analyzer service (Dmarcian, EasyDMARC, Postmark's free DMARC analyzer) because raw XML reports are unreadable. The generator includes a one-click option to set those up.

Record generated. Now make sure it actually passes on real sends.

A correct DNS record on paper still fails 12% of the time at the receiver. Outsolvi watches every send and flags auth failures, opens that look like proxies, and bounces in real time. From $7/user/mo yearly.

Verify on a real send
Nate SummersCo-Founder, Outsolvi

Nate built Outsolvi after watching every email-tracking tool he had ever used lie to him about opens. Outsolvi runs Tier 1 to 5 confidence scoring on every open, native in Outlook and Gmail, so the number on the dashboard is one a rep can actually act on.

Last reviewed May 25, 2026Editorially independent

We update these pages when the underlying mechanics change. new mailbox-provider rules, new tracker behavior, new measurement gaps. The dates above are real revisions, not auto-touches.