DMARC Record Generator
Build a DMARC TXT record with the right policy for where you actually are in the rollout - starting in monitoring mode is not optional, it's how you avoid blocking your own legitimate email.
Generated record
DMARC, in plain English.
DMARC ties SPF and DKIM together and tells receiving mail servers what to do when a message fails both checks - and, critically, sends you reports so you can see who's sending email as your domain before you start blocking anything. It requires SPF and/or DKIM to already be set up correctly; DMARC doesn't replace them, it enforces them.
Common mistakes
Jumping straight to p=reject. This is the single most common DMARC mistake. Going straight to enforcement without first monitoring in p=none mode means any sending source you forgot about - a CRM, an invoicing tool, a marketing platform - gets silently blocked with no warning. Ramp up in order: none → quarantine → reject, watching the reports at each stage.
Skipping the rua reporting address. Without an aggregate reporting address, you're flying blind - you'll have no visibility into what's passing, what's failing, or who's sending mail as your domain. Always set this, even in monitor mode.
Publishing the record in the wrong place. DMARC must be published as a TXT record at _dmarc.yourdomain.com - not at the domain root, where SPF lives. This is the most common reason a correctly-built record "doesn't work."
Forgetting subdomains. If you don't set sp, subdomains inherit the main policy - which is usually fine, but worth being deliberate about if a subdomain sends mail differently (or shouldn't send mail at all).
Setting strict alignment without checking first. Strict alignment (s) requires an exact domain match between the visible "from" address and the authenticated domain. Many legitimate sending setups use a subdomain and will fail strict alignment - relaxed alignment (r) is the safer default unless you've specifically verified strict works for every sender.
