How to Create and Publish a DMARC Record?

Instructions for Generating Your DMARC Record

The process for generating your DMARC DNS record is straightforward if you use an online DMARC record generator tool. All you need to do is fill in the following criteria:

• Choose your DMARC policy mode (if you are just starting out with email authentication, we recommend a policy of p=none to begin with, so you can monitor your email flow before enforcing)
• Choose the DMARC policy mode for your existing subdomains (we recommend you only set this if you want a different policy for your subdomains; it defaults to the same policy as your main domain)
• Choose the policy mode for non-existent subdomains (the np tag, introduced in RFC 9989). Setting this to quarantine or reject closes a common spoofing gap, since attackers often forge mail from subdomain names that do not actually exist in your DNS
• Type in the email addresses where you want your DMARC RUA (aggregate) and RUF (failure, also known as forensic) reports delivered
• Choose your DKIM alignment mode (for strict alignment, the DKIM signing domain has to match the domain in the From header exactly; for relaxed alignment, the two domains only need to share the same organizational domain)
• Choose your SPF alignment mode (for strict alignment, the domain in the Return-Path has to match the domain in the From header exactly; for relaxed alignment, the two domains only need to share the same organizational domain)
• Choose your failure reporting options (the fo tag, which sets the circumstances under which you want to receive failure reports)
• Choose whether to enable test mode (the t tag, introduced in RFC 9989). Setting t=y asks receivers to apply the next-lower enforcement level while you test a stricter policy, so you can move toward enforcement without immediately risking legitimate mail. Leave it as t=n (the default) when you are ready for your selected policy to take full effect. This replaces the staged-rollout role that the now-historic pct tag used to serve

A typical error-free DMARC record looks something like this:

v=DMARC1; p=none; sp=none; rua=mailto:[email protected]; ruf=mailto:[email protected]; fo=1;

The generated record is then published in your domain's DNS at the subdomain: _dmarc.YOURDOMAIN.com

How to Publish Your DMARC Record

To publish your generated DMARC record, log in to your DNS console and navigate to the specific domain for which you want to configure DMARC.

Once there, you will need to specify the hostname and the resource type. Since DMARC exists in your domain as a DNS TXT record, the resource type is TXT, and the hostname to specify is: _dmarc

Finally, add the value of your DMARC record (the one you generated previously): v=DMARC1; p=none; sp=none; rua=mailto:[email protected]; ruf=mailto:[email protected]; fo=1;

Save your changes, and you have successfully configured DMARC for your domain.

NOTE: DNS record propagation may take up to 72 hours depending on your provider.

How to check your DMARC record

To check your DMARC record, you can use an online DMARC record lookup tool to make sure it is free of errors, functional, and configured properly.

Note that SPF and DKIM alone cannot fully protect your domain against attacks. To protect your domain, pairing DMARC with SPF and DKIM is your best bet.