A DMARC generator builds the v=DMARC1 TXT record that tells receiving mail servers how to handle messages that fail SPF or DKIM alignment. Getting the syntax right matters: a missing semicolon, an invalid tag value, or a mistyped mailto: URI renders the record malformed — receivers quietly ignore it, and you get neither enforcement nor reports.
Generate a record at spotzee.com/tools/dmarc-generator — choose your policy, add a reporting address, and copy the formatted record to DNS. No signup.
This guide is for the API audience. Each call to POST /generic/email/dmarc-generator deducts a small per-call amount from your Spotzee credit balance. See the Spotzee pricing page for live figures.

Why this matters

DMARC is the policy layer that turns SPF and DKIM authentication into enforcement. Without a DMARC record, even a domain with perfect SPF and DKIM provides no protection against From-header spoofing — the address the recipient actually sees in their inbox. With p=reject, messages that fail authentication are dropped before they reach any inbox.
The publishing requirement now has teeth. Google and Yahoo mandated at minimum p=none with an rua= address for bulk senders from February 2024. Non-compliance means mail goes to spam or is rejected outright. And for financial services firms under FCA Consumer Duty, the inability to demonstrate authenticated outbound communications is an audit finding. The FCA forced 19,766 financial promotions to be amended or withdrawn in 2024 — a 97.5% increase from 2023. Sender authentication is part of the evidence regulators expect.
Most domains are stuck. They published p=none at some point, stopped there, and have no plan to escalate. A generator makes the next step easy — change the policy, regenerate, republish.

How to create a DMARC record

1. Identify your current authentication state

Before generating, confirm SPF and DKIM are passing for every legitimate sender. DMARC enforcement only works when both underlying mechanisms are in place. Run the email health check first if you are unsure.

2. Call the generator with your policy

Send a POST to /generic/email/dmarc-generator with domain, failure_response, and subdomains. Add aggregate_reporting_email (strongly recommended) and optionally failure_reporting_email and percent.

3. Start at p=none with an rua= address

p=none gathers reports but takes no enforcement action. Without an rua= address you get no reports and no visibility. Publish p=none; rua=mailto:dmarc@yourdomain.com as the minimum viable record, then read the reports for four to eight weeks.

4. Escalate gradually through pct=

When moving to p=quarantine or p=reject, start at percent=10: set percent=10 in the request, verify that the aggregate reports show no false positives at that fraction, then raise it to 25, 50, and finally 100. The pct= tag in the record tells receivers to apply the stated policy to only that percentage of failing messages — the rest are treated as p=none.

5. Publish and verify

Copy the generated v=DMARC1 string and add it as a TXT record at _dmarc.yourdomain.com. There must be exactly one DMARC record — delete any existing one first. Allow up to 48 hours for propagation, then verify with the DMARC lookup tool.

Request parameters

| Parameter | Type | Required | Description |
|---|---|---|---|
| domain | string | Yes | The domain the DMARC record will be published on. |
| failure_response | none / quarantine / reject | Yes | Enforcement policy (p= tag). |
| subdomains | none / quarantine / reject | Yes | Subdomain policy (sp= tag). |
| percent | number (0–100) | No | Percentage of failing messages the policy applies to. Defaults to 100. |
| aggregate_reporting_email | string | No | Email address for daily aggregate reports (rua= tag). |
| failure_reporting_email | string | No | Email address for per-message forensic reports (ruf= tag). |

Response shape

{
  "status": "success",
  "data": "v=DMARC1; p=quarantine; sp=none; pct=100; rua=mailto:dmarc@yourdomain.com; ri=86400;"
}
The data value is the complete, ready-to-publish TXT record string.

What to watch for

  • Policy matches your current SPF and DKIM state. p=quarantine or p=reject will affect legitimate mail if any sender is not yet passing SPF or DKIM. Confirm with the email health check before escalating.
  • rua= is set. Without aggregate reports you cannot verify your enforcement is working or that no legitimate senders are failing. Add it before raising the policy level.
  • pct= at 100 in production. pct= below 100 means partial enforcement — the remaining fraction is treated as p=none. It is a useful rollout tool but not a final state.
  • Only one DMARC record per domain. Two v=DMARC1 TXT records at _dmarc.yourdomain.com cause evaluation errors. Delete the old record before publishing the new one.
  • Subdomain policy reflects your subdomain landscape. If you have active sending subdomains, confirm they have DKIM configured before a root p=reject pushes them into enforcement via the default subdomain inheritance.
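
The checks above can be run locally on a record string before it is published. The following is an added example, not Spotzee's code: a small Python linter for a single record that flags the malformed cases this guide names (missing semicolon, invalid p= or sp= value, mistyped mailto: URI) plus partial pct= and a missing rua=. The names parse_dmarc and lint_dmarc and the example.com address are assumptions made for the illustration; the one-record-per-domain check needs a DNS lookup and is not covered.

```python
import re

POLICIES = {"none", "quarantine", "reject"}
# Example-grade check: mailto: URIs only, optional "!10m"-style size limit.
MAILTO = re.compile(r"mailto:[^@\s,;!]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}(![0-9]+[kmgt]?)?")

def parse_dmarc(record):
    """Split a DMARC TXT value into ordered (tag, value) pairs."""
    pairs = []
    for part in filter(None, (p.strip() for p in record.split(";"))):
        tag, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"not a tag=value pair: {part!r}")
        pairs.append((tag.strip().lower(), value.strip()))
    return pairs

def lint_dmarc(record):
    """Return a list of findings; an empty list means nothing was flagged."""
    try:
        pairs = parse_dmarc(record)
    except ValueError as exc:
        return [f"malformed: {exc}"]
    tags, findings = dict(pairs), []
    if not pairs or pairs[0] != ("v", "DMARC1"):
        findings.append("malformed: v=DMARC1 must be the first tag")
    if len(tags) != len(pairs):
        findings.append("malformed: duplicate tag")
    if "p" not in tags:
        findings.append("malformed: p= tag is missing")
    for tag in ("p", "sp"):
        if tag in tags and tags[tag].lower() not in POLICIES:
            findings.append(f"malformed: invalid {tag}= value {tags[tag]!r}")
    for tag in ("rua", "ruf"):
        for uri in filter(None, (u.strip() for u in tags.get(tag, "").split(","))):
            if not MAILTO.fullmatch(uri):
                findings.append(f"malformed: bad {tag}= URI {uri!r}")
    pct = tags.get("pct", "100")
    if not re.fullmatch(r"[0-9]{1,3}", pct) or int(pct) > 100:
        findings.append(f"malformed: pct= must be 0-100, got {pct!r}")
    elif int(pct) < 100 and tags.get("p", "").lower() in ("quarantine", "reject"):
        findings.append(f"rollout: pct={pct} is partial enforcement, not a final state")
    if "rua" not in tags:
        findings.append("visibility: no rua= address, so no aggregate reports")
    return findings

# Constructed sample: the semicolon between p= and rua= is missing.
if __name__ == "__main__":
    print(lint_dmarc("v=DMARC1; p=none rua=mailto:dmarc@example.com"))
```

With the semicolon missing, the rua= text is absorbed into the p= value, so the linter reports both an invalid policy and the absence of a reporting address.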

FAQs

Enter your domain, choose your enforcement policy (none to start monitoring, quarantine or reject for enforcement), set a subdomain policy, and add an rua= address to receive aggregate reports. The generator outputs a correctly formatted v=DMARC1 string — publish it as a TXT record at _dmarc.yourdomain.com. There must be exactly one record; edit existing ones rather than adding a second.
p=none with an rua= address is the right starting point. It puts you in monitoring mode — receivers send daily reports but take no action on failing messages. Read the reports for four to eight weeks to confirm every legitimate sender is passing before moving to p=quarantine.
rua= receives daily XML aggregate reports — summaries of every IP that sent mail claiming your domain, with pass/fail counts. ruf= receives individual forensic reports for each failed message. Start with rua=. It’s widely supported and gives you the most actionable data. ruf= is optional and not all providers send forensic reports.
Yes. The sp= tag sets a separate policy for subdomains. If you want the root domain at p=reject but need new subdomains to stay in monitoring mode, set sp=none. Without sp=, subdomains inherit the root p= policy.
pct= sets the percentage of failing messages the stated policy applies to. The remainder are treated as p=none. It’s a useful rollout tool — start at pct=10 when first moving to quarantine, raise it incrementally as you verify no false positives. Once you’re at pct=100, you have full enforcement.
This guide covers the generator in depth. For understanding an existing record, use the DMARC lookup tool and the DMARC lookup guide. For a full authentication audit covering SPF, DKIM, DMARC, BIMI, and MTA-STS in one scan, run the email health check.

Try it

Generate a DMARC record at the free DMARC generator for a one-off build, or call POST /generic/email/dmarc-generator via the Extended API for automated generation as part of a domain onboarding workflow.