DMARC Record Generator

Build and parse DMARC TXT records in your browser. Pick policy, alignment, percentage, reporting; copy DNS snippets for Cloudflare, Route 53, BIND.

Quick presets

Tap a preset to load common DMARC rollout patterns. Your domain is preserved.

Domain

The domain you are protecting. The record is published at the host below.

Host: _dmarc.example.com

Policy (p)

Monitor mode. Receivers report failures but do not change delivery.

Subdomain policy (sp)

Set sp=reject on parked or non-sending domains so mail from any subdomain is rejected too.

Rollout percentage (pct)

Apply the policy to this fraction of failing mail. Use during rollout.

Reporting

Comma-separate multiple addresses. The mailto: prefix is added automatically when missing.

Aggregate reports (rua): daily XML reports listing every IP that sent mail using your domain.

Forensic reports (ruf): per-message reports. Many receivers no longer send these; rua is more useful in practice.

Alignment

adkim (DKIM)

aspf (SPF)

Relaxed lets organizational domains match (mail.example.com aligns with example.com). Strict requires exact match.

Failure reporting (fo)

Report interval (ri): default 86400 (one day). Most receivers send daily regardless.

Generated DMARC TXT record

Publish this as a TXT record at _dmarc.example.com.

v=DMARC1; p=none

Receivers will not change delivery for non-aligned mail (monitor mode). Subdomains inherit the parent policy. DKIM alignment is relaxed; SPF alignment is relaxed.

  • Warning: rua is empty. Aggregate reports are how you learn what fails alignment; add a mailto: address.
  • Warning: fo only affects forensic (failure) reports. Without ruf, fo has no destination.

DNS provider snippets

Drop into your DNS host or zone file. Replace placeholder zone IDs and resource groups.

BIND zone file

_dmarc.example.com.	IN	TXT	"v=DMARC1; p=none"

Cloudflare DNS (UI)

Type: TXT
Name: _dmarc.example.com
Content: v=DMARC1; p=none
TTL: Auto (or 3600)

Route 53 (AWS CLI)

aws route53 change-resource-record-sets \
  --hosted-zone-id ZXXXXXXXXXXXXX \
  --change-batch '{"Changes":[{"Action":"UPSERT","ResourceRecordSet":{"Name":"_dmarc.example.com.","Type":"TXT","TTL":3600,"ResourceRecords":[{"Value":"\"v=DMARC1; p=none\""}]}}]}'

Google Cloud DNS / Workspace

Record type: TXT
DNS name: _dmarc.example.com
TTL: 3600 seconds
Value: "v=DMARC1; p=none"

Azure DNS (CLI)

az network dns record-set txt add-record \
  --resource-group MY-RG \
  --zone-name example.com \
  --record-set-name _dmarc \
  --value "v=DMARC1; p=none"

Quick reference

p=none vs p=quarantine vs p=reject

none monitors only; quarantine routes failures to spam; reject drops them at SMTP. Always start with none, watch reports for 2-4 weeks, then escalate.

adkim and aspf

r (relaxed) allows the From: domain and the authenticated domain to share an organizational domain. s (strict) requires an exact match. Most domains start with relaxed.

pct rollout

With p=quarantine; pct=25 receivers apply quarantine to 25% of failures and fall back to none for the rest. Step up: 5, 25, 50, 100.

rua reports

Aggregate XML reports listing every IP that sent mail using your domain. Send to a mailbox you actually read or to a DMARC report processor.

External reporting

To send rua to a domain other than yours, the receiving domain must publish <yourdomain>._report._dmarc.<theirdomain> with v=DMARC1.

Subdomain (sp)

Set sp=reject on parked or non-sending domains so subdomain mail is rejected even if you keep p relaxed for the parent.

How to use

  1. Choose Build record to compose a DMARC TXT record, or Parse and explain to paste an existing one.
  2. Builder: enter your domain (the host shows up automatically as _dmarc.your-domain), then pick policy (none, quarantine, or reject), subdomain policy, and rollout percentage. Quick presets cover monitor only, rolling to quarantine 25%, quarantine all, reject all (strict), and non-sending domains.
  3. Add aggregate (rua) and optional forensic (ruf) report destinations as mailto: addresses. The tool adds the mailto: prefix automatically and validates each address.
  4. Set DKIM and SPF alignment to relaxed or strict, pick failure-reporting (fo) options, and adjust the report interval if you need something other than the default daily cadence.
  5. Read the generated TXT record, the plain-English summary, and any warnings. Copy the value or pick a DNS provider snippet for Cloudflare, Route 53, Google Cloud DNS, Azure DNS, or BIND zone files.
  6. Parser: paste a DMARC record (the v=DMARC1 prefix, surrounding quotes, and extra whitespace are handled automatically). The tool validates every tag, explains it, surfaces conflicts, and summarizes the effective policy, subdomain handling, and reporting destinations.

About this tool

DMARC Record Generator is a two-mode browser tool for the Domain-based Message Authentication, Reporting and Conformance DNS TXT record defined in RFC 7489.

The Build tab lets you compose a DMARC record from structured fields rather than memorizing the tag syntax: pick the parent policy (p=none for monitor mode, p=quarantine to route failing mail to spam, or p=reject to drop it at SMTP), an optional subdomain policy (sp), the rollout percentage (pct), DKIM and SPF alignment modes (adkim and aspf, relaxed or strict), the failure reporting options (fo), the report format (rf), and the report interval (ri). Aggregate report destinations (rua) and forensic destinations (ruf) accept comma-separated mailto: URIs and helpfully add the mailto: prefix when you forget it. Five quick presets cover the entire DMARC rollout journey: Monitor only, Rolling to quarantine at 25%, Quarantine all failures, Reject all failures with strict alignment, and a hardened Non-sending domain preset that protects parked domains.

The output panel shows the normalized TXT record value, the correct host name (_dmarc.your-domain), a plain-English summary of how receivers will treat your mail, and a row of validation warnings for common misconfigurations: missing rua, fo set without ruf, pct used with p=none (no effect), and strict alignment that would break legitimately forwarded mail. DNS provider snippets are ready to paste into a BIND zone file, the Cloudflare DNS UI, the AWS Route 53 CLI, the Google Cloud DNS or Workspace UI, and the Azure DNS CLI, with the value escaped correctly so quotes do not break your record.

The Parse tab takes any DMARC TXT record (with or without surrounding quotes), splits it into tags, validates every value against the spec, surfaces duplicate tags that lead to undefined behavior across receivers, and explains the effective policy, subdomain handling, and reporting destinations in three quick cards. A reference panel contrasts the tags that confuse most operators (p vs sp, adkim vs aspf, relaxed vs strict alignment, pct rollout, rua external reporting, sp on parked domains) so the page doubles as a study sheet.

Useful for setting up DMARC for the first time, fixing an inherited record before promoting it from p=none to p=quarantine, debugging a DMARC fail in a forensic report, hardening a parked domain so attackers cannot spoof your brand, and reviewing the policy of any domain whose record you can paste in. Everything runs locally in your browser. Domains, mailbox addresses, and report URIs never leave your device.
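
The parser checks described above (tag splitting, duplicate detection, the listed warnings, and the external-reporting host name from the quick reference) can be sketched as follows. This is an added JavaScript example, not the tool's own source; the function names parseDmarc and lintDmarc, the message strings, and the sample record are constructed for illustration, and it assumes only the domain and its subdomains count as internal instead of consulting a Public Suffix List.

```javascript
// Added example: DMARC TXT record linter (not the tool's own source code).
const POLICIES = new Set(["none", "quarantine", "reject"]);

function parseDmarc(txt) {
  // Strip surrounding quotes/whitespace, then split "tag=value" pairs on ';'.
  const raw = txt.trim().replace(/^"|"$/g, "");
  const tags = new Map(), errors = [];
  for (const part of raw.split(";").map(s => s.trim()).filter(Boolean)) {
    const eq = part.indexOf("=");
    if (eq < 1) { errors.push(`malformed tag: ${part}`); continue; }
    const name = part.slice(0, eq).trim().toLowerCase();
    if (tags.has(name)) errors.push(`duplicate tag: ${name}`); // first value kept
    else tags.set(name, part.slice(eq + 1).trim());
  }
  return { tags, errors };
}

function lintDmarc(domain, txt) {
  const { tags, errors } = parseDmarc(txt), warnings = [];
  if ([...tags.keys()][0] !== "v" || tags.get("v") !== "DMARC1")
    errors.push("record must start with v=DMARC1");
  const p = (tags.get("p") || "").toLowerCase();
  if (!POLICIES.has(p)) errors.push(`invalid or missing p: "${p}"`);
  const sp = (tags.get("sp") || p).toLowerCase(); // subdomains inherit p when sp is absent
  if (tags.has("sp") && !POLICIES.has(sp)) errors.push(`invalid sp: "${sp}"`);
  const pct = tags.has("pct") ? Number(tags.get("pct")) : 100;
  if (!Number.isInteger(pct) || pct < 0 || pct > 100) errors.push("pct must be 0-100");
  for (const t of ["adkim", "aspf"]) {
    const v = (tags.get(t) || "r").toLowerCase(); // relaxed is the default
    if (v !== "r" && v !== "s") errors.push(`${t} must be r or s`);
    if (v === "s") warnings.push(`${t}=s: strict alignment can break forwarded mail`);
  }
  if (!tags.get("rua")) warnings.push("rua is empty");
  if (tags.has("fo") && !tags.get("ruf")) warnings.push("fo set without ruf");
  if (tags.has("pct") && p === "none") warnings.push("pct has no effect with p=none");
  // External destinations must publish <domain>._report._dmarc.<their host>.
  // Simplification (assumption): only `domain` and its subdomains are internal.
  const d = domain.toLowerCase(), external = new Set();
  for (const t of ["rua", "ruf"])
    for (const uri of (tags.get(t) || "").split(",").map(s => s.trim()).filter(Boolean)) {
      const m = /^mailto:[^@\s]+@([^!\s]+)/i.exec(uri); // optional "!10m" size suffix
      if (!m) { errors.push(`${t}: not a mailto: URI: ${uri}`); continue; }
      const host = m[1].toLowerCase();
      if (host !== d && !host.endsWith("." + d)) external.add(`${d}._report._dmarc.${host}`);
    }
  return { p, sp, pct, errors, warnings, externalAuth: [...external] };
}
// Constructed sample record: monitor mode with one external rua destination.
console.log(lintDmarc("example.com", '"v=DMARC1; p=none; rua=mailto:agg@reports.example.net"'));
```

Each name in externalAuth is a TXT record the report receiver has to publish with v=DMARC1 before receivers will send reports there.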

Free to use. Works in your browser. No signup, no login.
