Build a DMARC record, one question at a time.
Answer a few plain-English questions and we assemble a valid v=DMARC1 record for you. Start in monitor-only mode, point reports somewhere you can read them, and tighten the policy as you gain confidence.
Monitor only. Receivers take no action on failing mail; you just collect reports. Start here.
New in DMARCbis. Sets the policy for subdomains that don't exist, a common spoofing trick. np=reject is a safe quick win even while your main policy is still at p=none, since no real mail comes from a subdomain you never created. One caveat: a wildcard DNS record makes every subdomain "exist" and turns this off.
Publish this record in DNS
Add one TXT record at the host below. It updates live as you change the options above.
_dmarc
v=DMARC1; p=none; np=reject
What to do next
- 1.Publish the TXT record above at
_dmarc. DNS can take a few hours to propagate. - 2.Watch the aggregate reports for a week or two to confirm your real senders pass before tightening the policy.
- 3.Re-run the DMARC audit to confirm the published record parses the way you expect.