OSH.co.za - Email Deliverability and DMARC Specialists

✅ DMARC Record Builder

Generate a valid DMARC TXT record for your domain

🔧 Related Tools

ANALYSIS TOOLS

DIAGNOSTIC TOOLS

BUILDER TOOLS

1. Policy (p=)

p=none: No enforcement — emails pass through regardless. Use this while you set up reporting and confirm all your legitimate senders are authenticated. Review aggregate reports for 2–4 weeks before advancing to quarantine.

2. Subdomain Policy (sp=)

By default, subdomains inherit the main domain policy. You can override this or explicitly exclude subdomains from the policy.

Omitting sp= means subdomains use the same policy as the main domain. This is the most common and recommended approach — subdomains automatically get the protection you configure for your root domain.

3. Percentage (pct=)

What percentage of failing emails should the policy apply to? Use 100 for full enforcement.

100%

4. Aggregate Reports (rua=)

Email address(es) to receive daily aggregate XML reports. Separate multiple addresses with commas.

Strongly recommended — required by Google/Yahoo for bulk senders.

5. Forensic Reports (ruf=) — optional

Email address(es) for per-message failure reports. Many providers no longer send these due to privacy regulations.

6. Alignment

SPF Alignment (aspf=)

DKIM Alignment (adkim=)

Relaxed alignment allows subdomains to satisfy DMARC (e.g. mail.example.com passes for example.com). Strict requires an exact domain match.

7. Report Interval (ri=) — optional

How often (in seconds) to send aggregate reports. Default is 86400 (24 hours).

Generated DMARC Record

Add as a TXT record at _dmarc.yourdomain.com

v=DMARC1; p=none;

Need help implementing DMARC?

Frequently Asked Questions

What is DMARC?

DMARC (Domain-based Message Authentication, Reporting & Conformance) is a DNS TXT record that tells receiving mail servers what to do when an email fails SPF or DKIM authentication — and reports back to you about those failures. It ties SPF and DKIM together by requiring that the authenticated domain "aligns" with the visible From: address in the email. DMARC is required by Google and Yahoo for bulk senders (those sending 5,000+ emails/day to Gmail or Yahoo), and strongly recommended for all domains to prevent spoofing and phishing.

What policy should I start with?

Always start with p=none (monitor mode). This collects aggregate reports without affecting email delivery. Review the reports for 2–4 weeks to identify all legitimate email sources and confirm SPF and DKIM are passing for each. Once you're confident all legitimate senders are authenticated, move to p=quarantine to send failing emails to spam, then eventually to p=reject to block them entirely. Skipping the monitor phase and going straight to p=reject is risky — you may accidentally block legitimate email.

Do I need to include subdomains in the record?

No — a single DMARC record at _dmarc.yourdomain.com applies to the root domain and all subdomains by default. Subdomains that don't have their own DMARC record inherit the parent policy. You only need a separate DMARC record on a subdomain if you want a different policy for that subdomain. You can use the sp= tag to set a different policy for subdomains without adding separate records — for example, p=reject; sp=none rejects on the root domain but only monitors on subdomains.

What are aggregate reports (RUA)?

Aggregate reports are daily XML files sent by receiving mail servers (like Google, Microsoft, Yahoo) to your specified RUA email address. They list every IP address that sent email claiming to be from your domain, along with SPF and DKIM pass/fail results and the DMARC disposition applied. These reports are essential for: identifying all your legitimate email senders, detecting spoofing attempts, troubleshooting authentication failures, and safely advancing your DMARC policy. You should always set a RUA address — it's free information that is critical for managing your email security posture.

What is DMARC alignment?

Alignment is the requirement that the domain in the SPF or DKIM result matches the domain in the email's visible From: address. Relaxed alignment (default) allows subdomains — so mail.example.com satisfies DMARC for example.com. Strict alignment requires an exact match. Relaxed alignment is recommended for most deployments as it is more forgiving of common sending configurations. Use strict alignment only if you have a specific security requirement and have verified it won't break legitimate email flows.

Privacy Policy

Data Collection: This DMARC Record Builder processes data to provide results. The DMARC builder runs entirely in your browser. No data you enter is transmitted to our servers unless you submit a support request. We do not store, log, or share the domain names or data you submit beyond what is necessary to return your results.

Data Usage: Your input is used solely to generate results. No data is saved, analysed for profiling, or shared with third parties. Each new check operates independently.

DNS Lookups: To check your domain, we perform DNS queries via Google's DNS-over-HTTPS (dns.google). These queries are subject to Google's Privacy Policy. Only the domain name is transmitted — no personally identifiable information.

Support Requests: If you submit a support request, your name, email address, and message are transmitted securely to our support team via SMTP2Go. This information is used solely to respond to your query.

Analytics: We may collect anonymized usage statistics (page views, tool usage frequency) to improve functionality. This does not include the domain names you check or any personally identifiable information.

Contact: For privacy enquiries or questions, please contact us at support@osh.co.za or visit osh.co.za/contact.