Create a DMARC record
in 60 seconds
Creating a DMARC record takes 5 steps: choose a policy, configure a reporting address, set alignment mode, format the DNS TXT record, and add it at _dmarc.yourdomain.com.
Required by Google, Yahoo, and Microsoft for bulk senders. Mandatory under PCI DSS v4.0 for customer-facing domains.
Prerequisites: SPF and DKIM
DMARC builds on SPF and DKIM. It requires that at least one of them passes and aligns with the visible From header domain. Before creating a DMARC record, verify both are configured.
Create your DMARC record in 5 steps
Follow these steps to publish a valid DMARC record. The entire process takes less than 5 minutes.
Choose your DMARC policy
Start with p=none for monitoring. This lets you see who sends email from your domain without affecting delivery. After 90+ days of monitoring, move to p=quarantine, then p=reject.
p=none # Monitor only - no email affected p=quarantine # Route failures to spam p=reject # Block failures entirely
Set your reporting address
Add a rua= tag so receivers send you daily aggregate reports. These XML reports show who sends email from your domain and whether they pass authentication. Use DMARC Report to convert raw XML into a visual dashboard.
rua=mailto:dmarc-reports@yourdomain.com
Set alignment mode
Alignment controls whether the domain in SPF/DKIM must exactly match (strict) or can be a subdomain of (relaxed) the From header domain. Start with relaxed alignment - strict can break third-party senders.
adkim=r # Relaxed DKIM alignment (default) aspf=r # Relaxed SPF alignment (default)
Format the complete record
Combine all tags into a single TXT record value. Tags are separated by semicolons. The v= tag must come first.
v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com; adkim=r; aspf=r; fo=1
Add the record to DNS
Log in to your DNS provider and create a new TXT record. Set the host/name to _dmarc (your provider adds the domain automatically). Paste the record value.
Host: _dmarc Type: TXT Value: v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com; adkim=r; aspf=r; fo=1 TTL: 3600
Provider-specific setup guides
Step-by-step guides for adding DMARC records to the most popular DNS providers and email platforms.
Use our free DMARC Record Generator
Answer a few questions and get a valid DMARC record you can copy-paste into your DNS. No signup required.
Open DMARC Record Generator →Already have a record? Check it with our DMARC Checker
After publishing your DMARC record
Publishing the record is step one. The path to full enforcement requires patience - plan for 9 to 18 months.
Monitor aggregate reports daily
Review your DMARC Report dashboard to identify all senders, confirm legitimate sources pass authentication, and flag unauthorized sources. Allow at least 7 days for reports to arrive from all major receivers.
Fix authentication failures
For each legitimate sender that fails SPF or DKIM, update your SPF record to include their sending IPs or configure DKIM signing through their platform. Verify alignment passes before moving to enforcement.
Wait 90+ days per phase
Each enforcement phase (none, quarantine, reject) requires a minimum of 90 days of monitoring. The full journey to p=reject typically takes 9 to 18 months. Do not rush enforcement.
Progress to enforcement gradually
Move to p=quarantine with pct=25, increase to 50, then 100 over several weeks. After another 90+ days with clean results, advance to p=reject using the same gradual pct= approach.
Frequently asked questions about creating DMARC records
How long does it take to create a DMARC record?
Publishing a DMARC record takes less than 5 minutes. The record itself is a single DNS TXT entry. However, reaching full enforcement at p=reject takes 9 to 18 months of monitoring and gradual policy progression.
Do I need SPF and DKIM before DMARC?
Yes. DMARC builds on SPF and DKIM - it requires that at least one of them passes and aligns with the From header domain. Without SPF or DKIM configured, DMARC has nothing to evaluate and all messages will fail.
What is the best starting DMARC policy?
Always start with p=none. This is a monitoring-only policy that lets you identify all legitimate sending sources without affecting email delivery. Moving to quarantine or reject without monitoring first will block legitimate email.
Can I use a free email address for DMARC reports?
Technically yes, but it is not recommended. Aggregate reports are XML files that arrive in high volumes for active domains. Use a dedicated address and a DMARC report analyzer like DMARC Report to process them automatically.
What happens if I make a mistake in my DMARC record?
If the record has a syntax error, receivers treat it as if no DMARC record exists. Your email is delivered based on SPF and DKIM results alone. Use a DMARC checker to validate your record before and after publishing.
Ready to create your DMARC record?
Use our free generator tool or start a free trial to monitor your domain with DMARC Report.
Generate DMARC RecordEasy Setup, Verified by Customers
Rated 4.8/5 on G2 · 469 verified reviews
Dave G.
Owner
"DMARC Report has been invaluable in fixing email deliverability issues for our clients"
DMARC Report dashboard allows us to see easily what is compliant and what isn't compliant so we can quickly fix issues.
Antoine L.
"Incredible Service for an affordable price"
The software is easy to use and has also an entry friendly free plan up to 1,000 mails per month.
Zunaid K.
Director
"Essential tool for email delivery"
This tool helps us to implement DMARC reporting for our domains in an easy to use manner.