Skip to main content
CheckTown
Generators

DMARC Generator: Protect Your Email Domain

Published 5 min read
In this article

What Is DMARC?

DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an email authentication protocol that protects your domain from being used in phishing and spoofing attacks. It builds on SPF and DKIM to tell receiving mail servers what to do when messages fail authentication checks.

Published as a DNS TXT record on _dmarc.yourdomain.com, a DMARC policy instructs email receivers to either monitor (none), quarantine, or reject messages that fail SPF and DKIM alignment. It also enables aggregate and forensic reporting so domain owners can monitor authentication results.

How DMARC Works

When an email arrives, the receiving server checks the DMARC record for the sender's domain. It evaluates whether the message passes SPF or DKIM with proper alignment, then applies the policy specified in the DMARC record.

  • Policy modes — p=none (monitor only), p=quarantine (mark as spam), p=reject (block entirely). Start with none and gradually tighten after reviewing reports
  • Alignment — DMARC requires that the domain in the From header matches the domain authenticated by SPF or DKIM (relaxed allows subdomains, strict requires exact match)
  • Reporting — rua= specifies where to send aggregate XML reports (daily summaries), ruf= specifies forensic report delivery for individual failures

Try it free — no signup required

Generate Your DMARC Record →

When To Set Up DMARC

Every domain that sends email should have a DMARC policy. Even domains that do not send email benefit from a reject policy to prevent abuse.

  • Prevent email spoofing — attackers frequently forge the From address of legitimate domains to send phishing emails; DMARC stops these messages from reaching inboxes
  • Improve deliverability — major providers (Google, Microsoft, Yahoo) increasingly require DMARC for bulk senders; proper DMARC improves inbox placement rates
  • Brand protection — DMARC reporting reveals who is sending email on behalf of your domain, helping you identify unauthorized senders and protect your brand reputation

Frequently Asked Questions

What DMARC policy should I start with?

Start with p=none to collect reports without affecting email delivery. Analyze the aggregate reports to identify all legitimate senders, ensure they pass SPF and DKIM, then gradually move to p=quarantine and finally p=reject. This phased approach prevents accidentally blocking legitimate emails.

Do I need SPF and DKIM before setting up DMARC?

Yes. DMARC depends on SPF and DKIM for authentication. A message passes DMARC if it passes either SPF or DKIM with proper domain alignment. Without at least one of these in place, all your emails would fail DMARC checks. Set up SPF and DKIM first, verify they work, then add DMARC.

How do I read DMARC aggregate reports?

DMARC aggregate reports are XML files sent daily by receiving servers. They contain data about which IPs sent email for your domain, whether messages passed SPF/DKIM, and what policy was applied. Use a DMARC report analyzer tool to parse these XML files into readable dashboards showing authentication rates and unauthorized senders.

Related Tools

SPF Generator: Authorize Email SendersGenerate an SPF DNS record to specify which servers can send email for your domain.Read article → How to Generate Perfect Meta Tags for SEOCreate optimized meta tags, Open Graph, and Twitter Cards with live previews.Read article → robots.txt Generator: Control Search Engine Crawling for Your SiteLearn robots.txt syntax, create rules for search engines and AI crawlers, and avoid common SEO mistakes.Read article →
Back to Blog