DMARC Record Generator
Create a valid DMARC record for your domain in seconds. Our free generator helps you set up email authentication policies, configure reporting, and protect your domain from spoofing attacks. Whether you're setting up DMARC for the first time or updating an existing policy, we'll guide you through each option and generate the correct DNS record.
Enter your domain to look for an existing record or start creating a new one
How to Create a DMARC Record Using APIFreaks DMARC Record Generator
You can easily create a secure DMARC Record with these steps using our tool.
Step 1: Check your current DMARC record
Start by entering your domain in the search box at the top. Our tool will look up your DNS records to see if you already have a DMARC record. If we find one, we'll automatically fill the generator with your current settings. This makes it easy to update an existing record without starting from scratch.
Step 2: Select Options and Enter Details
- Policy Type (`p`): This is the most important setting. It tells email providers what to do with mail that fails DKIM and SPF checks. You can choose one of these:
  - None: The monitor-only mode. It takes no action against failing emails but sends you reports. Use this when starting out to gather data.
  - Quarantine: Sends failing emails to the recipient's spam or junk folder.
  - Reject: The strictest level. It blocks failing emails entirely so they never reach the inbox.
- Aggregate Reports (`rua`): Enter the email address where you want to receive aggregate reports. These reports show which emails passed or failed authentication. You need at least one address here, and you can list several. The reports are delivered in XML format.
- Failure Reports (`ruf`): This is an optional field. If you want detailed reports for the individual emails that fail the authentication checks, add an email address here. It also supports multiple email addresses.
- Subdomain policy (`sp`): Use this field to set a different policy for your subdomains if needed. If you don't set it, the subdomains use the main domain policy.
- Percentage applied to (`pct`): By default, your policy applies to 100% of emails. You can lower this setting if needed. For example, set it to 10 to apply the policy to only 10% of emails while you are testing the policy. Usually it is kept at 100.
- Reporting interval (`ri`): This defines the interval, in seconds, at which you want to receive aggregate reports. The standard default is `86400` seconds (24 hours).
- SPF Identifier Alignment (`aspf`): This field controls how strictly the domain in the email's "From" header must match the domain checked by SPF. Set it to relaxed to allow subdomains to match, or to strict to require an exact match.
- DKIM Identifier Alignment (`adkim`): This field works the same way as the SPF alignment field, but it checks the DKIM signature of the incoming email. It accepts "relaxed" or "strict" as valid values.
- Report Format (`rf`): The standard format for forensic reports is Authentication Failure Reporting Format (AFRF). You rarely need to change this.
- Failure Reporting Options (`fo`): This controls which kinds of failure trigger a failure report. The available options are:
  - Generate if all checks fail (0) - This sends a report only when both SPF and DKIM checks fail completely. This is the default and most conservative option. You only get alerted when an email has no valid authentication at all.
  - Generate if any check fails (1) - This sends a report when either the SPF check or the DKIM check fails. You get more reports, since a single failure is enough to trigger one. Use this if you want to catch authentication issues early.
  - Generate if DKIM check fails (d) - With this option selected, you only get reports when the DKIM signature fails or is missing. You won't get reports about SPF failures.
  - Generate if SPF check fails (s) - With this option selected, you only get reports when the SPF check fails. You won't get reports about DKIM failures.
These options control how your DMARC record behaves. Choose the settings that match your own requirements.
Step 3: Add the Record to Your DNS
After you have created your new DMARC record, you can just log in to your DNS provider (like GoDaddy, Cloudflare, or Namecheap) and look for DNS settings or DNS management to create a new TXT record. For the Host/Name field, type `_dmarc` and in the Value/Content field, paste the text record generated by our tool. It may take a few hours to propagate across the internet.
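The three steps above can be reproduced offline with a short script. This is an added example, not the APIFreaks generator's own code: the function name `build_dmarc`, the choice to omit tags left at their default value, and the `example.com` addresses are assumptions made for illustration. It validates each option against the values listed in Step 2 and returns the host name and TXT value to paste into DNS.

```python
import re

# Allowed values for the tags described in the option list above.
POLICIES = {"none", "quarantine", "reject"}
ALIGNMENT = {"r", "s"}  # r = relaxed, s = strict
FO_OPTIONS = {"0", "1", "d", "s"}
# Rough mailbox check; ',' ';' '!' are excluded because they delimit DMARC tags/URIs.
MAILBOX = re.compile(r"^[^@\s,;!]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def build_dmarc(domain, p, rua, ruf=(), sp=None, pct=100, ri=86400,
                aspf="r", adkim="r", fo=("0",)):
    """Return (host, txt_value) for a DMARC TXT record, or raise ValueError."""
    if p not in POLICIES or (sp is not None and sp not in POLICIES):
        raise ValueError("p/sp must be none, quarantine or reject")
    if not 0 <= pct <= 100 or ri <= 0:
        raise ValueError("pct must be 0-100 and ri a positive number of seconds")
    if aspf not in ALIGNMENT or adkim not in ALIGNMENT:
        raise ValueError("aspf/adkim must be 'r' (relaxed) or 's' (strict)")
    if not fo or not set(fo) <= FO_OPTIONS:
        raise ValueError("fo accepts 0, 1, d and s")
    if not rua:
        raise ValueError("at least one rua address is required")
    for addr in (*rua, *ruf):
        if not MAILBOX.match(addr):
            raise ValueError(f"not a valid report address: {addr!r}")

    tags = [("v", "DMARC1"), ("p", p)]  # v must be first, p directly after it
    if sp is not None:
        tags.append(("sp", sp))
    tags.append(("rua", ",".join(f"mailto:{a}" for a in rua)))
    if ruf:  # fo is only meaningful when failure reports are requested
        tags.append(("ruf", ",".join(f"mailto:{a}" for a in ruf)))
        if tuple(fo) != ("0",):
            tags.append(("fo", ":".join(fo)))
    # Tags left at their default value are omitted to keep the record short.
    for name, value, default in (("pct", pct, 100), ("ri", ri, 86400),
                                 ("aspf", aspf, "r"), ("adkim", adkim, "r")):
        if value != default:
            tags.append((name, str(value)))
    return f"_dmarc.{domain}", "; ".join(f"{k}={v}" for k, v in tags)


if __name__ == "__main__":
    # Constructed sample values: monitor-only policy for a first deployment.
    print(*build_dmarc("example.com", "none", ["dmarc-reports@example.com"]),
          sep="  TXT  ")
```

Starting with `p="none"` and moving to `quarantine` with a low `pct` mirrors the monitoring-first rollout the policy descriptions recommend.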
