DMARC Policy Generator
Builds a DMARC v=DMARC1 record with the policy, percentage, and rua/ruf reporting addresses configured for your domain.
v=DMARC1; p=noneGenerates the DNS TXT record for _dmarc.[yourdomain] subdomain with: p (policy: none, quarantine, reject), pct (rollout percentage), rua (aggregate reporting), ruf (forensic reporting), and optional sp (subdomain policy) directives.
Setting up DMARC for the first time (start with p=none for monitoring). Tightening DMARC policy after 2-4 weeks of clean monitoring (move to p=quarantine then p=reject).
How to use it
- 1Start at p=noneAlways begin in monitoring mode. You'll learn what's actually sending as your domain before enforcing anything.
- 2Set rua to an analyzer endpointUse Dmarcian, EasyDMARC, Postmark, or any DMARC service. Free tier is fine for the first 90 days.
- 3Watch the reports for 2-4 weeksIdentify all legitimate senders. Fix SPF/DKIM gaps before tightening policy.
- 4Ramp p=quarantine, then p=rejectUse the pct directive (10 → 25 → 50 → 100) to ramp gradually if your volume is sensitive.
Common use cases
- •First-time DMARC setup on a domain that's never had one
- •Quarterly tightening from p=none to p=quarantine to p=reject
- •Setting up subdomain-specific policy (sp= directive) for marketing vs transactional
- •Configuring aggregate reporting destination for a DMARC analyzer service
FAQ
What's the recommended DMARC rollout sequence?+
Start with p=none for 2-4 weeks to monitor authentication results without affecting delivery. Read the rua reports, fix any auth failures from legitimate senders, then move to p=quarantine for 2-4 weeks. Move to p=reject once confident no legitimate mail is being mishandled.
Do I need DMARC reports?+
Yes. The rua reporting address gets daily aggregate reports from receivers showing how your mail authenticated. Without these reports, you're blind to problems. Free DMARC report parsers like Dmarcian or Postmark's DMARC tools handle the XML parsing.
p=quarantine vs p=reject — which should I land on?+
p=reject is stronger and the long-term target. It blocks spoofed mail outright. But you should only land there after weeks of clean rua reports — moving too early can block legitimate mail that's failing alignment due to a forgotten sender (e.g., an old marketing platform you didn't realize sends as you).
What's the pct (percentage) directive for?+
Lets you apply the policy to only a percentage of failing mail during rollout. Useful when moving from p=none to p=quarantine — set pct=10 first to quarantine 10% of failing mail, ramp to 25, 50, 100 over weeks. Safer than a hard switchover.
Why is my DMARC failing despite SPF and DKIM passing individually?+
Alignment. DMARC requires SPF or DKIM to ALIGN with the From: header domain, not just to pass. ESPs that send 'from your domain' via their own bounce return-path can pass SPF without aligning. Aligned DKIM is the cleanest fix; some ESPs need a CNAME setup to enable it.
Keep going
Articles, glossary entries, and other tools on the same topic.
Record generated. Now make sure it actually passes on real sends.
A correct DNS record on paper still fails 12% of the time at the receiver. Outsolvi watches every send and flags auth failures, opens that look like proxies, and bounces in real time. From $7/user/mo yearly.
Verify on a real sendNate built Outsolvi after watching every email-tracking tool he had ever used lie to him about opens. Outsolvi runs Tier 1 to 5 confidence scoring on every open, native in Outlook and Gmail, so the number on the dashboard is one a rep can actually act on.
We update these pages when the underlying mechanics change — new mailbox-provider rules, new tracker behavior, new measurement gaps. The dates above are real revisions, not auto-touches.