What should my DMARC record include?

A basic DMARC record includes your policy setting (none, quarantine, or reject), a reporting email address to receive aggregate reports (rua), and optionally a forensic reporting address (ruf). Start with a none policy and a reporting address so you can see who is sending email from your domain before enforcing stricter rules.

DMARC Record Generator | Wolferdawg IT Consulting

DMARC tells receiving mail servers what to do when an email fails SPF or DKIM authentication checks. It also gives you visibility into who is sending email using your domain. Use this generator to build your record. Start with a policy of none and a reporting address so you can monitor your domain before moving to enforcement. Once you are confident all your legitimate sending sources are covered, move to quarantine and then reject.

Policy

What should receiving servers do with emails that fail authentication? Start with none if you are new to DMARC. Move to quarantine, then reject once reporting confirms all legitimate senders are covered.

none
Monitor only — recommended to start

quarantine
Send failures to spam

reject
Block failures outright

Reporting

Aggregate report address (rua) Strongly recommended. Daily summary reports of SPF and DKIM results for your domain. Use mailto:[email protected] or a DMARC reporting service.

Forensic report address (ruf) — optional Individual failure reports. Not all mail servers send these. Many businesses skip ruf and rely on rua alone.

Advanced options

Percentage (pct) What percentage of messages your policy applies to. 100 is full enforcement. Lower values are useful when rolling out quarantine or reject gradually.

Subdomain policy (sp) Override the policy for subdomains. If not set, subdomains inherit the main policy.

DKIM alignment (adkim) Relaxed allows organizational domain matches. Strict requires an exact domain match.

Relaxed (default)

Strict

SPF alignment (aspf) Relaxed allows organizational domain matches. Strict requires an exact domain match.

Relaxed (default)

Strict

Forensic reporting options (fo) Controls when forensic reports are generated. Only relevant if you set an ruf address.

Generated DMARC record

v=DMARC1; p=none

How to add this to your DNS

Log in to your domain registrar or DNS provider (e.g. Cloudflare, GoDaddy, Namecheap).
Add a new TXT record.
Set the host to _dmarc (or _dmarc.yourdomain.com depending on your provider).
Paste the generated record above as the value.
Save. Allow up to 48 hours for DNS propagation.
Use the DMARC lookup tool to verify the record is live.

Need help getting your records right?
Wolferdawg IT Consulting reviews, fixes, and maintains email security records for small businesses in Lawton, Duncan, and across Southwest Oklahoma.

View Cybersecurity Services

Frequently asked questions

A basic DMARC record includes your policy setting (none, quarantine, or reject), a reporting email address to receive aggregate reports, and optionally a forensic reporting address. Start with a none policy and a reporting address so you can see who is sending email from your domain before enforcing stricter rules.

Once you generate your DMARC record using the tool on this page, add it to your domain's DNS as a TXT record with the host name set to _dmarc.yourdomain.com. The value is the DMARC record string the generator produces. DNS changes typically take up to 48 hours to propagate fully.

DMARC aggregate reports are summary emails sent by receiving mail servers that show how email from your domain is performing against SPF and DKIM checks. They help you identify systems sending email on your behalf that are not yet authenticated. Including a reporting address in your DMARC record is strongly recommended so you can monitor your domain and catch unauthorized senders.