How to use the DMARC Record Builder

Pick a policy — start with “none” to monitor without affecting mail. Enter an email address to receive aggregate reports (rua=). Optionally add a forensic report email. Pick alignment (relaxed is the default). The tool generates a DMARC TXT record. Add it to your DNS at `_dmarc.yoursite.com`.

Pourquoi cet outil est important

DMARC is the keystone of modern email security and deliverability. Major mail providers (Gmail, Yahoo, Apple) now reject or quarantine email from domains without DMARC. A correctly configured DMARC record protects your brand from spoofing, improves deliverability, and gives you visibility into who\u2019s sending mail claiming to be you.

Cas d'utilisation courants

• First-time DMARC setup for a new domain
• Hardening an existing domain from p=none to p=quarantine
• Generating DMARC for a marketing or transactional subdomain
• Helping a client comply with Gmail/Yahoo\u2019s 2024 bulk sender requirements
• Pre-launch email deliverability checklist

Always start with p=none

Jumping straight to p=reject blocks legitimate mail you don\u2019t know about — internal apps that send mail, third-party services no one remembers signing up for, conferences sending invitations as your CEO. Run p=none for 4-8 weeks, review aggregate reports (rua), fix all unauthorized senders, THEN move to quarantine, then reject.

Foire aux questions

What\u2019s the difference between rua and ruf?
rua = aggregate reports (daily summaries from each receiver). ruf = forensic reports (full headers of failing messages — most receivers don\u2019t send these for privacy). Both go to your email; aggregate is the standard.

Can I receive reports at any email address?
Yes — but for higher volumes, use a dedicated DMARC report service (DMARCian, Postmark, EasyDMARC). They parse the daily XML reports into readable dashboards.

What does “alignment” mean?
Strict alignment requires the From: domain to exactly match the SPF/DKIM domain. Relaxed allows subdomain matching (mail.yoursite.com matches yoursite.com). Relaxed is the default and right for 95% of cases.

Do I need DKIM for DMARC to work?
You need at least one of SPF or DKIM. Most teams set up both. DMARC checks alignment — meaning either SPF or DKIM must align with the From: address.