✦ Free DMARC Generator — No Signup Required

DMARC Record Generator

Generate a valid DMARC TXT record in seconds. Protect your domain from phishing and spoofing — free, instant, no account needed.

  • Google Workspace
  • Microsoft 365
  • Zoho Mail
  • SendGrid
  • Mailgun
  • Amazon SES
  • Outlook
  • Custom SMTP
Receive daily summary reports about email authentication results across your domain.
✦ Free Email Warmup Tool

Boost Your Email Deliverability with Warmbase

DMARC is just the first step. Warm up your inboxes, rescue emails from the spam folder, and build a trusted sending reputation — automatically. Used by thousands of cold emailers and sales teams worldwide.

  • ✓ Automatic inbox warming — zero manual work
  • ✓ Real human-like email interactions
  • ✓ Works with any ESP or custom SMTP
  • ✓ Spam folder rescue & reputation repair
Start Free Email Warmup →
98% Inbox Rate
10k+ Active Users
Free To Get Started

What is a DMARC Record?

DMARC — short for Domain-based Message Authentication, Reporting & Conformance — is an email authentication protocol that tells receiving mail servers what to do with emails that fail SPF or DKIM checks. Published as a DNS TXT record under _dmarc.yourdomain.com, a DMARC policy protects your domain from being impersonated in phishing attacks, business email compromise (BEC), and spam campaigns.

Without DMARC, any attacker can send emails that appear to come from your domain. This puts your brand reputation, customer trust, and email deliverability at serious risk. DMARC closes that gap by giving domain owners visibility and enforcement control over their email channel.

DMARC works alongside two complementary standards:

  • SPF (Sender Policy Framework) — specifies which mail servers are authorised to send email on behalf of your domain.
  • DKIM (DomainKeys Identified Mail) — adds a cryptographic signature to emails so recipients can verify the message came from an authorised server and was not tampered with in transit.

When both SPF and DKIM are in place, DMARC ties them together and adds enforcement policy and detailed reporting capabilities.

How to Use Our Free DMARC Generator

Generating a DMARC record takes under two minutes — no technical background needed.

  1. Enter your domain — type your root domain (e.g. example.com) without any prefix like "www" or "mail".
  2. Select your ESP — choose your Email Service Provider from the dropdown. The tool shows platform-specific recommendations automatically.
  3. Choose a DMARC policy — start with none if you are new to DMARC (monitoring only). Move to quarantine or reject once you have reviewed your aggregate reports.
  4. Enter your report email — provide an email address to receive daily DMARC aggregate XML reports.
  5. Configure advanced settings (optional) — set alignment modes, subdomain policy, forensic reports, and percentage.
  6. Click Generate — copy your DMARC TXT record and paste it into your DNS settings.

DMARC Tag Reference

Understanding each DMARC tag helps you craft a policy that fits your sending patterns precisely.

Tag
Required?
Description
Example
v
Yes
Protocol version. Always DMARC1.
v=DMARC1
p
Yes
Policy for failing messages: none, quarantine, or reject.
p=quarantine
rua
Recommended
Email address(es) for daily aggregate reports.
rua=mailto:dmarc@you.com
ruf
Optional
Email address(es) for forensic failure reports. Not widely supported.
ruf=mailto:fail@you.com
pct
Optional
Percentage of messages subject to the policy (1–100). Good for gradual rollout.
pct=25
adkim
Optional
DKIM alignment: r (relaxed) or s (strict). Default: relaxed.
adkim=s
aspf
Optional
SPF alignment: r (relaxed) or s (strict). Default: relaxed.
aspf=r
sp
Optional
Policy applied to subdomains. Overrides p for subdomain mail.
sp=reject
fo
Optional
Failure reporting: 0=all fail, 1=any fail, d=DKIM fail, s=SPF fail.
fo=1

DMARC Record Examples

1. Monitoring Mode (none) — Recommended Starting Point

Collect data without affecting any email delivery. Use this for 2–4 weeks before enforcing.

v=DMARC1; p=none; rua=mailto:dmarc@example.com;

2. Quarantine Mode — Intermediate Enforcement

Failing emails are moved to spam. The pct=50 tag applies the policy to only half of failing messages during rollout.

v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@example.com; adkim=r; aspf=r;

3. Reject Mode — Maximum Protection

Failing emails are blocked entirely. Only enable this once aggregate reports confirm all legitimate mail passes authentication.

v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s;

SPF vs DKIM vs DMARC — What's the Difference?

📋

SPF

A whitelist of IP addresses and mail servers allowed to send email for your domain. Validated during the SMTP handshake using the Return-Path header.

Weakness: SPF breaks when email is forwarded, and it does not protect the visible "From" address.

Generate a SPF record →

🔑

DKIM

A cryptographic signature added to email headers. The public key is published in DNS; receiving servers use it to verify the signature and confirm the message was not modified in transit.

Strength: Survives forwarding. Does not require IP-based authorisation.

Generate a DKIM record →

🛡

DMARC

Ties SPF and DKIM together, requiring at least one to align with the visible "From" domain. Adds enforcement policy and detailed reporting so you know exactly who is sending email using your domain.

The missing layer: Without DMARC, SPF and DKIM alone cannot prevent "From" address spoofing.

Check a DMARC record →

Best DMARC Settings for Cold Email

If you send cold outreach or run lead generation campaigns, DMARC configuration is essential for landing in the inbox rather than the spam folder.

  • Use a dedicated sending domain — never cold email from your primary business domain. Use a dedicated subdomain or alternative domain such as outreach.yourcompany.com.
  • Start with p=none — monitor email streams for 2–4 weeks before enforcing any policy on a new sending domain.
  • Enable DKIM on every inbox — all sending inboxes must have DKIM configured. DMARC is unreliable without DKIM passing.
  • Use relaxed alignment (adkim=r; aspf=r;) — strict alignment can break subdomain-level setups used by sequencing tools like Instantly and Smartlead.
  • Warm up your inboxes first — even with perfect DMARC, SPF, and DKIM, cold inboxes land in spam without inbox warm-up. Use Warmbase to build inbox reputation automatically before launching any campaign.
  • Monitor aggregate reports weekly — review DMARC reports to catch rogue sending sources or authentication failures early.

Common DMARC Mistakes to Avoid

  • Jumping straight to p=reject — without reviewing reports first, you risk blocking legitimate marketing tools, CRMs, or automated systems.
  • No rua address — without aggregate report emails you are flying blind. Always set the rua tag.
  • SPF with too many lookups — SPF has a 10-DNS-lookup limit. Exceeding it causes SPF failures that break DMARC alignment.
  • Strict alignment with forwarding — email forwarding breaks SPF alignment. Use relaxed mode (aspf=r) unless you have verified no forwarding occurs.
  • Forgetting subdomains — if you send from subdomains, add an sp tag or set separate DMARC records for each subdomain.
  • Setting DMARC without DKIM — DMARC requires either SPF or DKIM to pass and align. Without DKIM, your pass rate will be unreliable.
  • Never graduating past p=none — monitoring mode provides no protection against spoofing. Plan to move to enforcement once your reports are clean.

Troubleshooting DMARC

Emails still landing in spam after setting DMARC

DMARC prevents spoofing — it does not guarantee inbox placement. Spam placement depends on content quality, sending reputation, and inbox warm-up. Use Warmbase to build sender reputation alongside your authentication setup.

DMARC record not found / propagation delay

DNS changes take up to 48 hours to propagate globally. Verify your record is live using dig _dmarc.yourdomain.com TXT or the MXToolbox DMARC Lookup.

Legitimate emails being rejected

Switch immediately to p=none and audit your aggregate reports. Identify all legitimate sending sources, ensure they have SPF or DKIM configured, then gradually re-enforce.

Low DMARC pass rates in reports

Usually caused by third-party tools (marketing platforms, CRMs, helpdesks) that lack DKIM or are not in your SPF record. Audit every service that sends email on behalf of your domain and configure them properly.

SPF alignment failures despite a valid SPF record

This happens when your email is forwarded or when a third-party service changes the Return-Path header. Switch to relaxed SPF alignment (aspf=r) to allow the mismatch, or ensure the third-party tool signs with DKIM so DMARC can pass via DKIM alignment instead.

Frequently Asked Questions

DMARC (Domain-based Message Authentication, Reporting & Conformance) is an email authentication protocol that tells receiving mail servers how to handle emails that fail SPF or DKIM checks. You need it to prevent attackers from impersonating your domain in phishing attacks, and to gain full visibility into who is sending email on your behalf.

Yes — completely free, forever. No signup, no credit card, no usage limits. Generate DMARC records for as many domains as you need.

Always start with p=none (monitoring mode). This collects aggregate reports without impacting any email delivery. After 2–4 weeks of reviewing reports and confirming all legitimate mail passes authentication, move to p=quarantine, then eventually p=reject.

Yes. DMARC requires at least one of SPF or DKIM to pass and align with the visible "From" domain. Setting up DMARC without configuring SPF or DKIM first will result in very low pass rates, and if you use an enforcement policy, could inadvertently block legitimate email.

Log into your DNS provider (e.g. Cloudflare, GoDaddy, Namecheap), navigate to DNS Records, and add a new TXT record. Set the host to _dmarc and paste the generated value into the TXT value field. DNS propagation takes between 15 minutes and 48 hours.

Relaxed (r) allows the DKIM signing domain to be a parent domain of the From address domain. For example, a message DKIM-signed by mail.example.com will align with example.com. Strict (s) requires an exact match between the DKIM signing domain and the From domain.

In monitoring mode (p=none), DMARC has zero effect on delivery. In quarantine or reject mode, emails that fail authentication will be filtered or blocked — which is the intended behaviour to stop spoofing. A properly configured DMARC policy generally improves inbox placement by building trust signals with ISPs like Gmail and Outlook.

No. Only one DMARC record is allowed per domain. Multiple records cause unpredictable behaviour and will result in DMARC failing entirely for that domain. For subdomain-specific policies, create separate DMARC TXT records at the subdomain level (e.g. _dmarc.mail.example.com).

The rua tag specifies one or more email addresses where major ISPs (Gmail, Outlook, Yahoo, etc.) send daily aggregate DMARC XML reports. These reports contain data about which servers are sending email using your domain and whether they pass or fail SPF and DKIM checks. Reviewing these reports is the most important step when rolling out DMARC enforcement.

Yes, indirectly. Having DMARC, SPF, and DKIM all properly configured builds domain trust signals with ISPs like Google and Microsoft — a prerequisite for strong inbox placement. However, authentication alone is not sufficient for cold email. You also need inbox warm-up, strong sending practices, and quality content. Warmbase automates inbox warming to complement your authentication setup and maximise deliverability from day one.

Ready to Maximise Your Email Deliverability?

You have your DMARC record — now finish the setup. Warmbase automatically warms up your sending inboxes so every cold email, outreach sequence, and transactional message lands in the inbox, not the spam folder.

Start Free Email Warmup →
Increase email deliverability with Warmbase and never land in your prospect's spam box again. 
Warmbase - Built with love for email marketers 💛
crossmenu