MedhaCloud

DMARC Generator

DMARC Policy Generator

Start with "none" to monitor reports before enforcing

Apply policy to 100% of failing emails. Start low and increase gradually.

Receive daily XML reports with DMARC pass/fail statistics

Receive individual failure reports (can be high volume)

📖 DMARC Migration Best Practice

  1. Week 1-2: Start with p=none, monitor reports
  2. Week 3-4: Change to p=quarantine with pct=10
  3. Week 5-6: Increase to pct=50
  4. Week 7+: Full enforcement with pct=100
  5. Optional: Switch to p=reject for maximum protection

About DMARC Generator

Build a syntactically correct DMARC record from scratch. Pick policy mode (none / quarantine / reject), set the enforcement percentage, choose SPF and DKIM alignment (strict or relaxed), define a subdomain policy, and add rua / ruf reporting addresses so you actually see who is trying to spoof your domain. Output is a TXT record ready to publish at _dmarc.yourdomain.com.

How the DMARC generator works

Pick the right policy for your stage

01. Set policy mode

Start with p=none for monitoring. Move to p=quarantine after 2-4 weeks. Eventually p=reject for full protection. The generator picks safe defaults.

02. Add reporting addresses

rua= for aggregate reports (always set this). ruf= for forensic reports (optional, privacy-sensitive). Use a mailbox you actually read — [email protected].

03. Configure alignment + copy

Pick strict vs relaxed alignment for SPF and DKIM separately. Optional pct for gradual rollout. Final record ready to paste as TXT at _dmarc.yourdomain.com.

Common gotchas this generator avoids

Mistakes that break DMARC

Going straight to p=reject

Skipping p=none means you have no reports — you can't see which legitimate senders fail alignment. Mail bounces. Always monitor first.

Missing rua= address

No rua = no aggregate reports = you're flying blind. You can't identify spoofing attempts or fix legitimate senders that fail.

Wrong subdomain policy (sp=)

If you don't set sp=, subdomains inherit p=. If your subdomains have different needs, set sp= explicitly. The generator handles this correctly.

Strict alignment without strict signing

adkim=s requires the From: domain to EXACTLY match DKIM d=. If your DKIM signs with mail.example.com but From: is example.com, you break alignment. Start with relaxed.

Wrong rua= syntax

rua must be a mailto: URI: rua=mailto:[email protected]. Without mailto:, receivers ignore it. The generator enforces this.

Forgetting v=DMARC1

Every DMARC record must start with v=DMARC1. Without it, receivers ignore the record. The generator adds this automatically.
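
The checks in this list can be run against any record before it is published. The linter below is an added example, not MedhaCloud's generator code; the function names, messages and the example.com sample records are constructed for illustration.

```python
import re

POLICIES = {"none", "quarantine", "reject"}

# Constructed sample records (example.com and the mailbox are placeholders).
GOOD = "v=DMARC1; p=quarantine; pct=10; rua=mailto:dmarc-reports@example.com; adkim=r; aspf=r"
BAD = "p=reject; rua=dmarc-reports@example.com; pct=150; adkim=strict"

def parse_dmarc(record):
    """Split a DMARC TXT value into an ordered list of (tag, value) pairs."""
    pairs = []
    for part in record.split(";"):
        if part.strip():
            tag, _, value = part.partition("=")
            pairs.append((tag.strip().lower(), value.strip()))
    return pairs

def lint_dmarc(record):
    """Return findings for the mistakes listed above; an empty list means none."""
    pairs = parse_dmarc(record)
    tags = dict(pairs)
    findings = []
    if not pairs or pairs[0] != ("v", "DMARC1"):
        findings.append("record must start with v=DMARC1")
    for tag in ("p", "sp"):
        # p= is mandatory; sp= is optional and inherits p= when absent.
        if (tag == "p" or tag in tags) and tags.get(tag, "").lower() not in POLICIES:
            findings.append(f"{tag}= must be none, quarantine or reject")
    if not tags.get("rua"):
        findings.append("no rua= address: no aggregate reports will arrive")
    for tag in ("rua", "ruf"):
        for uri in tags.get(tag, "").split(","):
            if uri.strip() and not uri.strip().lower().startswith("mailto:"):
                findings.append(f"{tag}= entry {uri.strip()!r} lacks mailto:")
    for tag in ("adkim", "aspf"):
        if tag in tags and tags[tag].lower() not in ("r", "s"):
            findings.append(f"{tag}= must be r (relaxed) or s (strict)")
    pct = tags.get("pct", "100")  # pct defaults to 100 when omitted
    if not re.fullmatch(r"[0-9]{1,3}", pct) or int(pct) > 100:
        findings.append("pct= must be an integer from 0 to 100")
    return findings

if __name__ == "__main__":
    for name, rec in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, lint_dmarc(rec) or "no findings")
```

A record alone cannot show whether the p=none monitoring stage was skipped, so that mistake still has to be caught by reviewing the aggregate reports.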

FAQ

DMARC generator — common questions

What is a DMARC record?

DMARC (Domain-based Message Authentication, Reporting & Conformance) is a DNS TXT record at _dmarc.yourdomain.com that tells receivers what to do with email failing SPF or DKIM. It also requests aggregate reports of authentication attempts — your visibility into who is trying to spoof your domain.

What policy mode should I start with?

Always start with p=none. This is monitoring mode — receivers send you reports but do NOT block failing mail. Run it for 2-4 weeks, watch the reports, identify legitimate senders that fail alignment, fix them, then upgrade to p=quarantine. Going straight to p=reject without monitoring breaks legitimate mail.

What is the difference between strict and relaxed alignment?

Strict alignment (s) requires the From: domain to exactly match the SPF Return-Path or DKIM d= domain. Relaxed alignment (r) allows subdomain matches (e.g., mail.example.com aligns with example.com). Start with relaxed; switch to strict only if you control all subdomains and want maximum protection.

Why must I set rua= reporting addresses?

Without rua, you receive no aggregate reports — you cannot see which senders are failing alignment, can't identify spoofing attempts, and can't safely move from p=none to p=quarantine because you have no data. Always set rua=mailto:[email protected] to a real mailbox you read.

What is the pct= percentage and when should I change it?

pct controls how much failing mail the policy is applied to. pct=100 (default) applies the policy to all failing mail. pct=10 applies it to only 10% — useful for gradual rollout. Move stepwise: pct=10 → 50 → 100 over weeks, watching reports. Once pct=100 is stable, consider moving from p=quarantine to p=reject.
