DMARC Record Generator Calculator

Build DNS text for monitoring, quarantine, or rejection. Test rollout choices with clarity and confidence. Visualize reporting, alignment, and enforcement impacts before deployment today.

Generate your DMARC record

Domain and base policy

Alignment and rollout

Use lower rollout percentages for staged migration and sender validation.

Reporting and failure options

Enter one or more mailto addresses, separated by commas or line breaks.

Reset

Example data table

Scenario Policy Alignment Reports Example intent
Early monitoring p=none adkim=r, aspf=r rua only Inventory sending services before enforcement.
Staged protection p=quarantine, pct=50 adkim=s, aspf=r rua and ruf Apply protection gradually while reviewing failures.
Strict protection p=reject, sp=reject adkim=s, aspf=s rua enabled Block unauthorized mail after sender cleanup.

Formula used

Record generation formula

v=DMARC1; p=policy; sp=subdomain-policy; np=nonexistent-policy; t=test-mode; adkim=dkim-alignment; aspf=spf-alignment; rua=aggregate-uri; ruf=failure-uri; fo=failure-options; rf=format; ri=interval; pct=rollout

Heuristic scoring formula

Enforcement Score = 0.45×Policy + 0.10×Subdomain + 0.05×Nonexistent + 0.15×Rollout + 0.15×Average Alignment + 0.10×Reporting - Test Mode Penalty

The TXT record string follows DMARC tag composition. The chart scores are planning aids for comparison, not protocol-defined security ratings.

How to use this calculator

  1. Enter your root domain.
  2. Select a base policy for unauthorized mail.
  3. Set subdomain and non-existent subdomain handling if needed.
  4. Choose DKIM and SPF alignment strictness.
  5. Add aggregate and optional failure report mailboxes.
  6. Adjust rollout percentage for staged enforcement.
  7. Generate the record and review the chart, warnings, and DNS output.
  8. Publish the TXT value at the shown _dmarc.yourdomain host.

FAQs

1. What does a DMARC record do?

It tells receiving mail systems how to handle messages that fail alignment checks and where to send feedback reports about that activity.

2. Should I start with p=none?

Yes, many teams begin with monitoring to discover valid senders, fix alignment issues, and reduce the chance of blocking legitimate mail.

3. What is the difference between adkim and aspf?

adkim controls DKIM alignment strictness. aspf controls SPF alignment strictness. Strict mode demands closer domain matching than relaxed mode.

4. Why add rua addresses?

Aggregate reports help identify authorized platforms, spoofing attempts, and alignment failures. They are usually the most useful starting point for DMARC deployment.

5. When should I use ruf reporting?

Use it only if your team can safely process failure reports. Some providers limit them, and the data may contain sensitive message details.

6. What does pct change?

It limits how much of failing traffic receives the requested policy treatment. This supports phased rollout during sender cleanup and testing.

7. What are sp and np for?

sp applies to existing subdomains. np applies to non-existent subdomains when supported. They help refine protection beyond the root domain rule.

8. Is a higher score always better?

Not always. Stronger enforcement is useful only after legitimate senders are aligned. A lower score can be safer during the discovery phase.

Related Calculators

spf record generatoremail header analyzerdmarc policy checkerdomain spoofing testspf flattening toolspf lookup counterdkim key generatorsmtp auth testeremail reputation checkermail spoof test

Important Note: All the Calculators listed in this site are for educational purpose only and we do not guarentee the accuracy of results. Please do consult with other sources as well.