Step 1: Enter Your Domain
Enter the root domain you want to protect with DMARC (for example, example.com).
This domain will be used to:
Publish the DMARC DNS record
Monitor all email sent on behalf of the domain
Step 2: Choose Your DMARC Policy
Select how receiving mail servers should treat email that fails DMARC authentication.
Available options:
None – Collect data only. No impact on mail delivery. (Recommended for first-time setup)
Quarantine – Send failing messages to spam
Reject – Block failing messages completely
Starting with None allows you to review reports and identify legitimate senders before enforcing stricter policies.
Step 3: Provide Aggregate Reporting Address
Enter the email address where aggregate DMARC reports should be sent.
Aggregate reports:
Are sent daily by receiving mail servers
Show which sources send mail using your domain
Are typically delivered as XML files
Use a dedicated address such as:
Multiple addresses can be added.
Step 4 (Optional): Enable Failure (Forensic) Reports
Choose whether you want to receive individual failure reports for messages that fail DMARC.
Failure reports:
Contain samples or metadata of failed messages
Are optional and not required for DMARC deployment
May be limited or redacted by some providers
Select No to rely on aggregate data only.
Step 5: Choose Identifier Alignment
Configure how strictly DKIM and SPF domains must align with the From address.
Options:
Relaxed (default) – Allows subdomain matching
Strict – Requires an exact domain match
Relaxed alignment reduces the risk of legitimate mail failing DMARC and is recommended for most domains.
Step 6 (Optional): Set Subdomain Policy
Decide whether subdomains should use a different DMARC policy.
By default:
Subdomains inherit the main domain’s policy
Use a stricter subdomain policy if:
You do not send mail from subdomains
You want to prevent subdomain spoofing
If unsure, select No and review aggregate reports first.
Step 7 (Optional): Set Policy Percentage
Choose what percentage of email traffic the DMARC policy should apply to.
Policy percentage:
Allows gradual rollout
Applies enforcement only to the specified percentage
Common usage:
Start below 100% when moving to quarantine or reject
Increase to 100% once confident
Publish the DMARC Record
After completing the wizard:
Copy the generated DMARC record
Add it to your domain’s DNS as a TXT record
Allow DNS propagation
DMARC will not function until the record is published in DNS.
FAQ
What is the DMARC Record Wizard?
The DMARC Record Wizard is a guided tool that helps you generate a correctly formatted DMARC record by walking you through each required and optional setting.
Which DMARC policy should I start with?
Start with none. This lets you collect data without affecting mail delivery and avoids blocking legitimate senders.
Where should DMARC reports be sent?
Reports should be sent to a dedicated email address that can receive XML files, such as [email protected].
Are failure (forensic) reports required?
No. Failure reports are optional and not necessary for DMARC deployment.
What is identifier alignment?
Identifier alignment ensures the domain in the From header matches the domain authenticated by DKIM and SPF.
Does a DMARC record cover subdomains?
Yes. By default, a DMARC record on the root domain applies to all subdomains unless a separate subdomain policy is defined.
What happens if I don’t set up DMARC?
Without DMARC, your domain can be spoofed more easily, increasing the risk of phishing, fraud, and reputation damage.
Can the wizard fix an existing broken DMARC record?
Yes. The wizard can generate a clean, valid DMARC record if your current record contains syntax errors.