
DMARC Policy Builder

Build a DMARC TXT record with 3-stage rollout presets (monitoring → quarantine → reject), parse an existing record, or paste an aggregate XML report to see source IPs, alignment results, and failing senders. Includes full tag reference, migration timeline, common mistakes, and shareable URL state.

Build DMARC policy

Pick a stage and customise. The record updates live.

Domain: Used only to format the DNS hostname (_dmarc.<domain>) — it is never sent anywhere.
Subdomain policy (sp): If unset, subdomains inherit the main policy. Set explicitly only if you need a different policy for subdomains.
Percentage (pct): Apply the policy to this percentage of failing mail. Useful during rollout (start at 10%, ramp to 100%).
Aggregate reports (rua): Where receivers send daily XML aggregate reports. Use a dedicated mailbox or a third-party DMARC processor (Postmark, dmarcian, EasyDMARC).
Failure reports (ruf): Per-message failure reports. Most receivers no longer send these due to privacy concerns. Often left empty.
Reporting interval (ri): Most receivers honour 24h (86400) regardless. Leave empty unless you have a specific need.

Generated record

Publish as a TXT record at _dmarc.yourdomain.com.

v=DMARC1; p=none
_dmarc.yourdomain.com.  IN  TXT  "v=DMARC1; p=none"
Stage: Monitoring
Enforcement: 0% impact
Tags: 2
Length: 16 chars

How to publish

  1. Log in to your DNS provider (where the domain's nameservers live).
  2. Add a new TXT record at the _dmarc subdomain (host = _dmarc).
  3. Paste the value above (the part inside the quotes — most DNS UIs add the quotes automatically).
  4. Verify with dig +short TXT _dmarc.yourdomain.com.

Paste a DMARC record

Paste a v=DMARC1 string from your DNS or dig output.


Paste aggregate report XML

Standard RFC 7489 XML schema. Parsed entirely in your browser.


DMARC explained in 60 seconds

Why DMARC, and how it sits on top of SPF and DKIM.

SPF verifies the envelope sender (the Return-Path). The end user never sees it.

DKIM cryptographically signs the message body and selected headers, so receivers can verify nothing was tampered with in transit.

Neither protects the visible From: header. Spoofers exploit that gap.

DMARC closes it. It tells receivers: "Reject mail unless either SPF or DKIM passes and the verified domain matches the visible From: domain."

Plus, DMARC asks receivers to send daily aggregate reports — your visibility into who is sending mail "from" your domain.

Migration timeline (recommended)

Don't jump straight to p=reject.

  1. Weeks 1–2: Publish p=none with rua=. Read reports.
  2. Weeks 3–6: Identify and add every legitimate sender to SPF and DKIM. Reach 95%+ alignment for legitimate sources.
  3. Week 7: Move to p=quarantine; pct=10. Watch reports daily.
  4. Weeks 8–10: Ramp pct: 25 → 50 → 100.
  5. Week 11+: Move to p=reject; pct=10, then ramp to 100.
  6. Ongoing: Keep monitoring reports forever. New senders, new selectors, new edge cases will appear.

DMARC tag reference

All tags defined by RFC 7489.

Tag    Required  Default  Meaning
v      yes       DMARC1   Protocol version. Must be exactly DMARC1.
p      yes       -        Policy: none, quarantine, or reject.
sp     no        = p      Policy for subdomains.
pct    no        100      Percentage of failing mail to apply the policy to.
rua    no        -        Aggregate report destination(s), comma-separated mailto: URIs.
ruf    no        -        Forensic report destination(s). Most receivers no longer send these.
adkim  no        r        DKIM alignment: relaxed (subdomain matches) or strict (exact).
aspf   no        r        SPF alignment, same values as adkim.
fo     no        0        Failure reporting options: 0, 1, d, s.
ri     no        86400    Reporting interval in seconds.

Common DMARC mistakes

Top 5 in production deployments.

  1. Going straight to p=reject: Without first running p=none and reading reports for weeks, you will reject legitimate mail you forgot about (CRM, billing, monitoring).
  2. Missing the rua= tag: DMARC without aggregate reporting is half-blind. You publish a policy and have no idea who's sending as you. Always set rua=.
  3. Wrong DMARC hostname: DMARC lives at _dmarc.yourdomain.com, not yourdomain.com. Many DNS UIs require entering host as _dmarc only, which makes this a frequent fat-finger error.
  4. Forgetting subdomain policy: If sp= isn't set, subdomains inherit p=. If your subdomains have their own SPF/DKIM, this might not be what you want, so set sp= explicitly.
  5. Strict alignment when senders use subdomains: Tools like SendGrid sign with em.yourdomain.com. With adkim=s (strict), that DKIM domain doesn't match yourdomain.com in From: → DMARC fails. Use relaxed unless you specifically need strict.
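
The tag reference and the record-level mistakes above can be checked mechanically before a record is published. The linter below is an added example, not this tool's own code; the function names parse_dmarc and lint_dmarc and the sample records are made up for illustration.

```python
# Added example (not the tool's code): lint a DMARC record against the tag table.
POLICIES = {"none", "quarantine", "reject"}

def parse_dmarc(record):
    """Split a TXT value into ordered (tag, value) pairs; tag names are lowercased."""
    pairs = []
    for part in record.strip().strip('"').split(";"):
        if part.strip():
            tag, _, value = part.partition("=")
            pairs.append((tag.strip().lower(), value.strip()))
    return pairs

def lint_dmarc(record):
    """Return a list of findings (empty list = nothing to flag)."""
    pairs = parse_dmarc(record)
    tags = dict(pairs)
    issues = []
    if not pairs or pairs[0] != ("v", "DMARC1"):
        issues.append("v=DMARC1 must be the first tag")
    # p is required (no default); an absent sp inherits p, so only a set sp is checked.
    for key, default in (("p", ""), ("sp", "none")):
        if tags.get(key, default).lower() not in POLICIES:
            issues.append(f"{key} must be none, quarantine or reject")
    pct = tags.get("pct", "100")
    if not pct.isdecimal() or int(pct) > 100:
        issues.append("pct must be an integer from 0 to 100")
    if "rua" not in tags:
        issues.append("no rua: aggregate reports will not arrive")
    for key in ("rua", "ruf"):
        for uri in tags.get(key, "").split(","):
            if uri.strip() and not uri.strip().lower().startswith("mailto:"):
                issues.append(f"{key} entry is not a mailto: URI: {uri.strip()}")
    for key in ("adkim", "aspf"):
        mode = tags.get(key, "r").lower()
        if mode not in ("r", "s"):
            issues.append(f"{key} must be r or s")
        elif mode == "s":
            issues.append(f"{key}=s: senders on subdomains will fail alignment")
    return issues

# Constructed sample records for example.com, not real DNS data.
SAMPLES = [
    "v=DMARC1; p=none",
    "v=DMARC1; p=reject; pct=150; adkim=s; rua=reports@example.com",
    "v=DMARC1; p=quarantine; pct=10; rua=mailto:dmarc@example.com",
]

if __name__ == "__main__":
    print({rec: lint_dmarc(rec) for rec in SAMPLES})
```

The hostname mistake (publishing at yourdomain.com instead of _dmarc.yourdomain.com) is a DNS placement error, so it is outside what a record-string check can see.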