DMARC Record Generator
Enter your domain to look for an existing record or start creating a new one
How to Create a DMARC Record Using APIFreaks DMARC Record Generator
Step 1: Check your current DMARC record
Step 2: Select Options and Enter Details
- Policy Type (p): This is the most important setting. It tells email providers what to do with mail that fails DKIM and SPF checks. You can choose one of these:
  - None: The monitor-only mode. It takes no action against failing emails but sends you reports. Use this when starting out to gather data.
  - Quarantine: Sends failing emails to the recipient's spam or junk folder.
  - Reject: The strictest level. It blocks failing emails entirely so they never reach the inbox.
- Aggregate Reports (rua): Enter the email address where you want to receive the aggregate reports. These reports show which emails passed or failed authentication. You need at least one address here, and multiple email addresses are supported. The reports are generated in XML format.
- Failure Reports (ruf): This is an optional field. If you want detailed reports for the individual emails that fail the authentication checks, add an email address here. Multiple email addresses are supported.
- Subdomain policy (sp): Use this field to set a different policy for your subdomains if needed. If you don't set it, the subdomains use the main domain's policy.
- Percentage applied to (pct): By default, your policy applies to 100% of emails. You can lower this setting if needed. For example, set it to 10 to apply the policy to only 10% of emails while you are testing the policy. Usually it is kept at 100.
- Reporting interval (ri): This defines how often (in seconds) you want to receive aggregate reports. The standard default is 86400 seconds (24 hours).
- SPF Identifier Alignment (aspf): This field controls how strictly the domain in the "From" header of the email must match the domain checked by SPF. Set it to relaxed to allow subdomains to match, or to strict to require an exact match.
- DKIM Identifier Alignment (adkim): This field works the same way as the SPF field, but it checks the DKIM signature of the incoming email. It accepts "relaxed" or "strict" as valid values.
- Report Format (rf): The standard format for forensic reports is Authentication Failure Reporting Format (AFRF). You rarely need to change this.
- Failure Reporting Options (fo): Here you choose which kinds of failure generate a report. The options are:
  - Generate if all checks fail (0): Sends a report only when both SPF and DKIM checks fail completely. This is the default and most conservative option. You only get alerted when an email has no valid authentication at all.
  - Generate if any check fails (1): Sends a report when either the SPF check or the DKIM check fails. You get more reports, since one failure is enough to trigger it. Use this if you want to catch authentication issues early.
  - Generate if DKIM check fails (d): You only get reports when the DKIM signature fails or is missing. You won't get reports about SPF failures.
  - Generate if SPF check fails (s): You only get reports when the SPF check fails. You won't get reports about DKIM failures.
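The options in this step end up in one TXT value of the form `tag=value; tag=value`. The Python below is an added example, not APIFreaks' code: it lints such a record against the values listed above. It assumes the on-the-wire forms `r` and `s` for relaxed and strict alignment; the function names and the sample record are illustrative.

```python
ALLOWED = {  # tag -> values accepted in the published record
    "p": {"none", "quarantine", "reject"},
    "sp": {"none", "quarantine", "reject"},
    "aspf": {"r", "s"},   # assumption: r = relaxed, s = strict on the wire
    "adkim": {"r", "s"},
    "rf": {"afrf"},
}
# Constructed sample record; example.com is a placeholder domain.
SAMPLE = "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com; pct=100; fo=1:d"


def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict that keeps tag order."""
    tags = {}
    for part in filter(str.strip, record.split(";")):
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part.strip()!r}")
        tags[name.strip().lower()] = value.strip()
    return tags


def lint_dmarc(record):
    """Return a list of findings; an empty list means none were found."""
    tags, out = parse_dmarc(record), []
    if list(tags)[:1] != ["v"] or tags["v"] != "DMARC1":
        out.append("record must start with v=DMARC1")
    if "p" not in tags:
        out.append("missing required p= policy")
    for name, allowed in ALLOWED.items():
        if name in tags and tags[name].lower() not in allowed:
            out.append(f"{name}={tags[name]} is not a valid value")
    for name in ("rua", "ruf"):
        for uri in filter(None, map(str.strip, tags.get(name, "").split(","))):
            if not uri.lower().startswith("mailto:"):
                out.append(f"{name} address {uri} lacks the mailto: prefix")
    pct = tags.get("pct", "100")
    if not (pct.isascii() and pct.isdigit() and int(pct) <= 100):
        out.append("pct must be an integer from 0 to 100")
    if not tags.get("ri", "86400").isdigit():
        out.append("ri must be a number of seconds")
    for opt in filter(None, map(str.strip, tags.get("fo", "0").split(":"))):
        if opt not in {"0", "1", "d", "s"}:
            out.append(f"fo option {opt} is not one of 0, 1, d, s")
    if tags.get("p") == "none" and "rua" not in tags:
        out.append("p=none without rua: monitor-only mode yields no aggregate reports")
    return out
```
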
Step 3: Add the Record to Your DNS
_dmarc and in the Value/Content field, paste the text record generated by our tool. It may take a few hours to propagate across the internet.
FAQs
Yes. DMARC works on top of SPF and DKIM. SPF checks if emails come from approved servers. DKIM adds digital signatures to verify emails are real. DMARC looks at these results and applies your policy. Set up SPF and DKIM first, then add a DMARC record.
Always start with p=none. This is monitor-only mode and doesn't affect email delivery. You get reports but nothing gets blocked. Run this for a week or two, check the reports, fix any issues with legitimate senders, then move to p=quarantine. After another monitoring period with no problems, go to p=reject.
DMARC reports come as XML files in emails. They're technical and not easy to read directly. Each report shows which IP addresses sent emails from your domain, how many messages they sent, and whether they passed or failed authentication. You can use a DMARC report analyzer tool to turn these into readable dashboards, or parse them manually if you're technical.
No, subdomains automatically inherit your main domain's policy. But if you want different rules for a specific subdomain, you can create a separate DMARC record for it by adding _dmarc.subdomain.yourdomain.com to your DNS with its own policy.
Aggregate reports (rua) are daily summaries showing stats about all emails - how many passed, how many failed, and from which IP addresses. Failure reports (ruf) are detailed, per-message reports about specific failures that come in real time. Most people only need aggregate reports since forensic reports can be limited by privacy policies and many providers don't send them.
