Should I start at p=none or p=reject?

Always start at p=none. The 'none' policy is monitor-only — it tells receivers to send you aggregate reports about who's sending mail claiming to be from your domain, without taking any action. Use the reports to find every legitimate sender (your own mail, transactional providers, marketing platforms) and add them to SPF and DKIM. Only once your reports show no unexpected legitimate senders for several weeks should you move to p=quarantine, then to p=reject. Jumping straight to reject can silently bin or bounce legitimate email.

Where does the DMARC record go?

DMARC records are published as a TXT record at the special subdomain _dmarc. . So for example.com, the record goes at _dmarc.example.com. The record value starts with v=DMARC1; and is one line of semicolon-separated tags.

What's the difference between rua and ruf?

rua is the address that receives aggregate reports — daily summaries of pass/fail counts per source IP and authentication mechanism. These are the useful reports and you should always set rua to a mailbox or report processor. ruf is the address for forensic (failure) reports — per-message detail of failed authentication. Forensic reports can contain PII from the original message and very few mail providers actually send them, so ruf is optional and often skipped.

What is alignment (adkim and aspf)?

DMARC requires that the domain the user sees (the From: header) align with the domain SPF or DKIM authenticated. 'Relaxed' alignment (r, the default) accepts the same organisational domain — so mail.example.com aligns with example.com. 'Strict' alignment (s) requires an exact match. Relaxed is right for almost everyone; strict can break legitimate mail sent from subdomains.

DMARC Record Generator — Build DMARC TXT Records (Free)

What does DMARC do that SPF and DKIM don't?

SPF says which servers can send mail for your domain; DKIM cryptographically signs each message so receivers can verify it wasn't tampered with. Both are necessary, but neither tells the receiver what to do when authentication fails — and crucially, neither protects the From: header the user actually sees.

DMARC bridges those gaps. It tells receivers: "If a message claims to be from my domain, the SPF or DKIM result must align with my domain, and here's what to do if it doesn't." That last part — the policy, p=none / p=quarantine / p=reject — is the lever you control with this generator.

Why start at p=none?

This is the single most important DMARC rule and the one most often skipped: do not start at p=quarantine or p=reject. Almost every domain has more legitimate senders than its owner realises — a transactional email provider, a marketing platform, a CRM, a help-desk tool, a partner integration, somebody's automation. Until you've watched DMARC reports for a few weeks, you don't know who they all are.

p=none tells receivers: keep delivering normally, but send me a report every day summarising which IPs sent mail as my domain and whether it authenticated. The reports go to the address in your rua tag. After a few weeks you'll have a clear picture of every legitimate sender; add the missing ones to SPF and DKIM, then move to p=quarantine for a while, then to p=reject. Skipping the monitoring stage is how legitimate mail gets silently dropped.

What goes in rua?

The rua tag is the email address that receives aggregate DMARC reports. Format: mailto:dmarc@example.com. You can list multiple addresses. Most domains use either a dedicated mailbox or a third-party DMARC report processor (because the reports are XML and not human-readable). The free processors are good enough for small domains; pay-for-it providers scale better.

ruf is the forensic/failure report tag — per-message detail for each failure. Far fewer providers actually send ruf reports, the reports can contain message contents (PII), and they're operationally noisy, so most domains skip ruf entirely.

Alignment, in one paragraph

DMARC requires the domain in the visible From: header to align with the domain SPF or DKIM authenticated. "Relaxed" alignment (the default, r) treats mail.example.com and example.com as aligned — same organisational domain. "Strict" alignment (s) requires an exact match. Relaxed is right for almost everyone; strict can break legitimate mail sent from subdomains.

Where does this go?

Publish the assembled record as a TXT record at _dmarc.<yourdomain> — for example.com that's _dmarc.example.com. The record value is the single semicolon-separated string the generator outputs. After publishing, give DNS a few minutes to settle, then verify with the DMARC Checker.

Last reviewed by Network Lookup Team, June 2026.