Create a DMARC policy that matches your rollout stage.

DMARC tells receivers what to do when mail fails SPF and DKIM alignment. Start with monitoring, then tighten when legitimate senders are covered.

Enter a valid aggregate report email to generate.

How it works

  • Choose a policy: monitor, quarantine, or reject.
  • Add aggregate and forensic report addresses if you collect DMARC reports.
  • Set alignment and rollout percentage, then publish the TXT record at `_dmarc`.

When to use it

  • After SPF and DKIM are configured for a sending domain.
  • When moving from monitoring to enforcement in stages.
  • When a client domain needs a visible policy before launch review.

Common failure cases

  • Publishing DMARC at the root domain instead of `_dmarc.example.com`.
  • Moving to `p=reject` before every legitimate sender is authenticated and aligned.
  • Adding report addresses that cannot receive or process aggregate reports.

Examples

What good and bad signals look like

Monitor-first policy

v=DMARC1; p=none; rua=mailto:dmarc@example.com; adkim=r; aspf=r

Collects reports without asking receivers to quarantine or reject yet.

Premature enforcement risk

p=reject before all legitimate senders pass alignment

Real mail can be rejected if SPF or DKIM is incomplete for a sender.

What to do next

  • Publish the generated record under `_dmarc` and verify it with the DNS checker.
  • Review reports before tightening from monitor mode to enforcement.
  • Keep policy rollout separate from claims about inbox placement or reply rates.
Add DMARC to readiness checks

Use readiness reports instead of treating a DNS policy as launch approval.

FAQ

Where should I publish a DMARC record?

Publish it as a TXT record at `_dmarc.yourdomain.com`, not at the root domain.

Does `p=reject` improve deliverability automatically?

No. Enforcement can reduce spoofing risk, but it is not an inbox-placement guarantee and can block legitimate mail if setup is incomplete.