How do I use the DMARC Record Generator tool?
The DMARC Record Generator at Valid Email Checker builds a valid DMARC TXT record from a small form. The form is split into a basic section (domain, policy, report address) and an advanced section (subdomain policy, percentage, alignment modes, forensic options). For most domains the basic section is enough.
Step by step
- Open `/dmarc-record-generator`.
- Enter your apex domain.
- Pick a policy. Start with `none` if this is your first DMARC record — it collects reports without affecting delivery. Move to `quarantine` and then `reject` over the following weeks as you confirm legitimate mail is passing.
- Add at least one aggregate report (RUA) email address. Reports are daily XML — put them somewhere parseable. A dedicated `dmarc@yourdomain.com` mailbox is common.
- Optionally add forensic (RUF) addresses for per-message failure details. Many receivers do not send forensic reports anymore for privacy reasons, so this is often empty.
- Open the Advanced section if you need to set subdomain policy (`sp=`), percentage (`pct=`), alignment strictness, or reporting interval.
- Click Generate. Copy the resulting TXT value.
- Publish at your DNS provider as a TXT record on the hostname `_dmarc.<your-domain>` (e.g. `_dmarc.example.com`).
Recommended rollout path
DMARC rollout is staged on purpose. The wrong record at p=reject can quietly kill legitimate mail from a marketing platform or a transactional service you forgot about. The safe path:
- Week 1-2: `p=none` — collect aggregate reports without enforcement. Review reports to identify every sender claiming to be your domain.
- Week 3-4: `p=quarantine; pct=10` — move 10% of failing mail to spam. Watch the reports for legitimate sources still failing.
- Week 5-6: `p=quarantine; pct=50` then `pct=100` — ramp up enforcement.
- Week 7+: `p=reject; pct=100` — full block. Spoofers are blocked outright.
Tools that consume aggregate reports
Aggregate reports are XML files emailed daily by every receiver that processed mail from your domain. Raw XML is hard to read, so most teams pipe their RUA address into a DMARC reporting tool — Postmark, Dmarcian, Valimail, EasyDMARC, and a dozen others. You can also point the RUA address at a normal inbox and read the XML manually, but only do that for very low-volume domains.
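The `p=none` stage depends on spotting every source that fails DMARC before enforcement begins. As an added example (not part of the original page or any vendor's tool), this Python script totals pass and fail counts per source IP from an already-extracted aggregate report; the sample report, its IPs and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in the RFC 7489 aggregate-report layout; the domain and
# IPs are documentation values, not real senders.
SAMPLE_REPORT = """<feedback>
  <policy_published><domain>example.com</domain><p>none</p><pct>100</pct></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers></record>
  <record><row><source_ip>198.51.100.23</source_ip><count>30</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers></record>
  <record><row><source_ip>203.0.113.7</source_ip><count>45</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers></record>
  <record><row><source_ip>198.51.100.23</source_ip><count>3</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers></record>
</feedback>"""


def summarize(xml_text):
    """Return {source_ip: {"pass": n, "fail": n}} of message counts."""
    # Reports come from third parties: in production parse with a hardened
    # XML parser (for example the defusedxml package) instead of plain ET.
    root = ET.fromstring(xml_text)
    totals = defaultdict(lambda: {"pass": 0, "fail": 0})
    for rec in root.iter("record"):
        get = lambda path: (rec.findtext(path) or "").strip().lower()
        ip = get("row/source_ip") or "unknown"
        count = int(get("row/count") or 0)
        # policy_evaluated carries the aligned results; DMARC passes when
        # either aligned DKIM or aligned SPF passes.
        aligned = (get("row/policy_evaluated/dkim"), get("row/policy_evaluated/spf"))
        totals[ip]["pass" if "pass" in aligned else "fail"] += count
    return dict(totals)


def failing_sources(xml_text):
    """Sources whose mail a quarantine/reject policy would hit, largest first."""
    rows = [(ip, t["fail"]) for ip, t in summarize(xml_text).items() if t["fail"]]
    return sorted(rows, key=lambda r: -r[1])


if __name__ == "__main__":
    for ip, n in failing_sources(SAMPLE_REPORT):
        print(f"{ip}: {n} messages failing DMARC")
```

A source that shows both passing and failing counts, like `198.51.100.23` in the sample, usually points to a legitimate sender with a partly misconfigured mail stream rather than a spoofer.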
p=reject blocks every unauthenticated message immediately. If a transactional ESP, a billing platform, or a calendar service was sending without proper SPF or DKIM alignment, those messages stop landing. Always start at p=none and progress.
Once published, plug the domain into the DMARC Record Checker to confirm DNS propagation. The matching SPF Record Generator and DKIM Record Generator build the other two records DMARC depends on.
