DNSai DMARC Builder

Build, test, and validate DMARC records

Your DMARC Record

Policy: Monitoring Only

Quick Templates Optional

▾

Choose a preset to get started quickly, or build your own policy step by step. Templates set the policy and percentage — you'll still need to add your reporting email address in the next step.

After selecting a template, continue to Reporting to add your email address.

Policy (Required)

▾

What should happen when an email fails DMARC checks?

none (Monitor) Start Here

Deliver normally, but send reports. Use this to audit before enforcing.

quarantine (Spam Folder)

Move failing emails to spam/junk. Moderate protection.

reject (Block) Goal

Reject failing emails entirely. Maximum protection against spoofing.

Reporting (Recommended)

▾

Receive reports about emails sent from your domain.

Important: The email address(es) you enter must be a mailbox you own and can access, or the designated reporting address provided by your DMARC monitoring service (e.g., Valimail, Dmarcian, EasyDMARC). Reports are sent in XML format and can be large — consider using a dedicated mailbox or third-party service.

Aggregate Reports (rua) Recommended

mailto:

Daily summary reports in XML format. Essential for monitoring your domain's email authentication.

Multiple addresses: Separate with commas (e.g., [email protected], [email protected])

Forensic Reports (ruf) Optional

mailto:

Detailed reports for individual authentication failures. Many providers limit or disable these due to privacy concerns.

Multiple addresses: Separate with commas

Subdomain Policy (Optional)

▾

Apply a different policy to subdomains. If not set, inherits from main policy.

Inherit (Same as main policy)

Subdomains use the same policy as the main domain.

sp=none (Monitor subdomains) sp=quarantine (Quarantine subdomains) sp=reject (Reject subdomains)

Alignment Modes (Advanced)

▾

Control how strictly domains must match.

DKIM Alignment (adkim)

Relaxed allows subdomains. Strict requires exact match.

SPF Alignment (aspf)

Relaxed allows subdomains. Strict requires exact match.

Percentage (Gradual Rollout)

▾

Apply policy to a percentage of emails. Useful for gradual deployment.

0% 100% 100%

100% applies to all emails. Lower values are for gradual rollout only.

DMARC Validation Results

Checking...

Grade

Score

100/100

Validated Record

Parsed Components

What's Next?

This is a validation result — your DMARC record is not live yet. The record above has been checked for correct syntax and compliance with DMARC standards. To protect your domain, you need to publish this record to your DNS.

Understanding DMARC

DMARC (Domain-based Message Authentication, Reporting & Conformance) is a DNS TXT record that tells email receivers how to handle messages that fail SPF or DKIM authentication. It helps prevent email spoofing and phishing attacks using your domain name. DMARC also provides reporting so you can monitor who is sending email as your domain.

How to Publish Your DMARC Record

Copy your DMARC record — Use the "Copy" button above to copy the validated record to your clipboard.
Log in to your domain registrar or DNS host — This is where you manage your domain (e.g., GoDaddy, Namecheap, Cloudflare, Google Domains, AWS Route 53).
Navigate to DNS Management — Look for "DNS Settings," "DNS Records," "Zone Editor," or "Manage DNS" in your control panel.
Add a new TXT record with these settings:
- Type: TXT
- Host/Name: _dmarc (not @ — DMARC uses a subdomain)
- Value: Paste the validated DMARC record
- TTL: 3600 (or 1 hour, or use default)
Save your changes — DNS propagation typically takes 5-30 minutes, but can take up to 48 hours globally.
Verify your record is live — Use DMARC Lookup to confirm your record is published correctly.

Important: DMARC records must be added to _dmarc.yourdomain.com, not the root domain. For example, if your domain is example.com, the record goes at _dmarc.example.com.

Recommended verification workflow:

Wait 5-10 minutes after saving your DNS changes
Use DMARC Lookup to verify your record is live
Ensure you also have SPF and DKIM configured (DMARC depends on these)
Monitor your DMARC reports to ensure legitimate email is passing

Quick Start Guide (5 minutes)

Check your current record — Use the "Lookup Domain" tab above. Enter your domain to see if you already have a DMARC record.
Build your DMARC record — Click "Build DMARC", choose a policy, and add a reporting email address.
Copy your new record — Click the copy button next to your generated DMARC record.
Add it to your DNS — Log into your domain registrar and add a TXT record for _dmarc.yourdomain.com
Verify it works — Wait 5-10 minutes, then use "Lookup Domain" again to confirm your record is live.

Which Policy Should I Choose?

DMARC has three policy levels. Start with monitoring and gradually increase protection:

p=none (Monitor) — Start here!
Delivers all emails normally but sends you reports about who's sending email from your domain. Use this for 2-4 weeks to make sure your legitimate emails are working.
p=quarantine (Spam Folder)
Emails that fail DMARC checks go to the spam folder. Good middle-ground once you've verified your legitimate emails pass.
p=reject (Block) — Maximum protection
Completely blocks fake emails from being delivered. Use this once you're confident all your legitimate email is properly configured.

Understanding the Builder Options

Aggregate Reports (rua): Daily summary reports sent to your email showing who's sending email from your domain. Highly recommended — this is how you know if your email is working correctly.
Forensic Reports (ruf): Detailed reports for individual failed emails. Optional — many email providers limit or don't send these due to privacy concerns.
Subdomain Policy (sp): Sets a separate policy for subdomains like mail.yourdomain.com. Most small businesses can leave this as "Inherit" (same as main policy).
Alignment (adkim/aspf): Advanced settings for how strictly email domains must match. Leave as "Relaxed" unless you have specific requirements.
Percentage (pct): Apply your policy to only a percentage of emails. Useful for gradual rollout — start at 25%, then increase to 100% once confident.

Where Do I Add My DMARC Record?

Add your DMARC record to your domain's DNS settings (same place as SPF). The key difference: DMARC uses a special subdomain.

Important: DMARC records must be added to _dmarc.yourdomain.com — not the root domain like SPF.

When adding the record:
• Type: TXT
• Host/Name: _dmarc (not @ like SPF)
• Value: Paste your DMARC record (starts with v=DMARC1)
• TTL: 3600 (or "1 hour" or leave as default)

Recommended Email Security Setup

Set up SPF — List your authorized email senders
Set up DMARC with p=none — Monitor for 2-4 weeks
Review your DMARC reports — Make sure legitimate emails pass
Upgrade to p=quarantine — Start filtering suspicious emails
Upgrade to p=reject — Maximum protection

Build DMARC Records the Right Way

DMARC (Domain-based Message Authentication, Reporting & Conformance) protects your domain from email spoofing and phishing. This tool helps you build DMARC records correctly with a visual builder, validates syntax before you publish, and provides actionable recommendations based on best practices.

Lookup Domain Data at Scale

DNS Explorer — Run bulk DKIM, SPF, and DMARC lookups across thousands of domains. Built for security teams, MSPs, and IT administrators who need to audit email authentication configurations across their entire domain portfolio.

Start free DNS Explorer trial

14-day full-feature trial