App StoreApp Store
Google PlayGoogle Play
Temp Mail Logo

Temp Mail safeguards your privacy while keeping your inbox free from spam.

🧭 5-Step Guided Setup · Live DNS Check · Strength Score · Free

DMARC Wizard

Free DMARC setup wizard — a guided step-by-step tool that checks your existing DMARC record, walks you through policy and reporting decisions, and generates a publish-ready DNS record instantly.

✓ Checks existing record✓ Step-by-step guidance✓ Policy recommendations✓ Strength scoring✓ One-click copy✓ No signup
1
Domain
2
Review
3
Policy
4
Reports
5
Result
Enter Your Domain
We'll check your DNS for an existing DMARC record and pre-fill your settings.
Emails, URLs, and subdomains are all handled automatically.
What this tool does

Free DMARC wizard — guided step-by-step DMARC record setup

This DMARC wizard guides you through the complete DMARC record setup process one decision at a time. Unlike a static form, the wizard starts by checking your domain's existing DNS configuration — if a DMARC record already exists, it pre-fills your current settings so you can review and improve them rather than starting from scratch. This makes it equally useful for first-time deployments and for organizations upgrading from p=none to full enforcement.

DMARC (Domain-based Message Authentication, Reporting, and Conformance) is a DNS TXT record published at _dmarc.yourdomain.com that tells receiving mail servers how to handle email that fails SPF or DKIM authentication. A correctly configured DMARC record prevents attackers from sending phishing and spoofing emails that appear to come from your domain — protecting your brand, your customers, and your email deliverability.

The wizard walks you through the key decisions: choosing a policy (p=none to monitor, p=quarantine to send failures to spam, p=reject to block them), setting up a report address to receive daily aggregate data, configuring subdomain policy and authentication alignment, and optionally enabling forensic reports for per-failure debugging. The result is a syntactically correct, publish-ready DMARC TXT record with a strength score and actionable improvement tips.

What each wizard step configures
Step 1 — Domain
Enter your domain. We perform a live DNS lookup to check for an existing DMARC record.
Step 2 — Review
See your current DMARC status. Existing settings are pre-filled for easy editing.
Step 3 — Policy
Choose p=none, quarantine, or reject. Set pct= rollout and optional sp= subdomain override.
Step 4 — Reports
Configure rua= for daily aggregate reports, ruf= for forensic reports, and alignment settings.
Step 5 — Result
Your publish-ready DMARC record with strength score, tips, and one-click copy.
adkim= alignment
How strictly the DKIM signing domain must match your From: header.
aspf= alignment
How strictly the SPF envelope sender must match your From: header.
fo= reporting
Controls when forensic reports are generated (requires ruf=).
How to deploy DMARC step by step
1
Run the wizardUse the wizard above. Start with p=none and add a rua= address as the minimum configuration.
2
Copy the recordClick Copy Record to copy the generated DMARC syntax to your clipboard.
3
Log into DNSOpen your DNS provider's control panel — Cloudflare, Route 53, GoDaddy, Namecheap, etc.
4
Create TXT recordAdd a new TXT record. Set the hostname to _dmarc and paste the record as the value.
5
VerifyUse our DMARC Checker to confirm the record is live and parsing correctly after a few minutes.
6
Review reportsAfter 1–2 weeks, check your rua= inbox for aggregate reports. Identify all sending sources.
7
EnforceUpgrade: p=none → p=quarantine at pct=10, increase pct weekly -> p=reject at pct=100.
Examples

What DMARC records look like — common wizard configurations explained

These examples show the most common DMARC record configurations and the strength score each would receive from the wizard.

ExcellentFull rejection — production-ready
v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.com
Maximum protection. p=reject blocks all unauthenticated messages. pct=100 applies the policy universally. rua= gives daily visibility. This is the end-state every domain should reach after a phased rollout.
GoodQuarantine with strict subdomain protection
v=DMARC1; p=quarantine; sp=reject; pct=100; rua=mailto:dmarc@example.com
p=quarantine routes failures to spam for the main domain while sp=reject fully blocks subdomain failures. Ideal when subdomains are unused or parked and need tighter enforcement than the main domain.
FairGradual rollout — 25% enforcement
v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example.com
Only 25% of failing messages are quarantined. A typical phased deployment pattern — increase pct by 25% each week after verifying legitimate mail passes, until reaching 100%.
WeakMonitor only — no enforcement
v=DMARC1; p=none; rua=mailto:dmarc@example.com
p=none delivers all mail regardless of authentication results. No enforcement occurs, but rua= provides aggregate reports. This is the recommended starting point — deploy here first, then upgrade once reports confirm legitimate mail is passing.
WeakReject without reporting — blind enforcement
v=DMARC1; p=reject
p=reject is set but no rua= address exists. Without aggregate reports, there's no visibility into failures and no way to detect whether legitimate email is being blocked. Always add rua= before enforcing a reject policy.
FAQ

Frequently asked questions about the DMARC wizard

What is a DMARC wizard?
A DMARC wizard is a guided, step-by-step tool that walks you through every decision needed to create or improve a DMARC record — from checking your existing DNS setup, choosing the right policy, configuring report addresses, and generating a publish-ready TXT record. Unlike a static form, a wizard explains each choice in context so you understand what you're configuring and why.
How is a DMARC wizard different from a DMARC generator?
A DMARC generator is a form where you configure all options at once. A DMARC wizard breaks the process into individual steps with explanations and recommendations at each stage — better suited for those new to DMARC or doing a first-time deployment. Both produce the same DNS record; the wizard just guides you through the process more carefully. The wizard is ideal for first-time DMARC deployments; the generator is better for quickly tweaking an existing record.
What is the best DMARC policy to start with?
Start with p=none combined with a rua= report address. This monitoring-only mode collects daily aggregate reports without affecting email delivery. After 2–4 weeks, review the reports, fix any authentication gaps with SPF and DKIM, then move to p=quarantine (failures go to spam), and finally p=reject (failures are blocked). Skipping straight to p=reject without monitoring risks blocking legitimate mail. Spend at least 2-4 weeks reviewing rua= aggregate reports at each policy level before advancing to the next stage.
Do I need a rua= email address in my DMARC record?
Yes — it is strongly recommended. Without rua=, you receive no aggregate reports and have no visibility into who is sending email on your domain's behalf or whether legitimate mail is passing authentication. This makes it impossible to safely enforce quarantine or reject. Use a dedicated mailbox like dmarc@yourdomain.com or a third-party DMARC reporting service. Without rua=, you publish DMARC policy blind -- you cannot identify authentication failures or confirm that legitimate senders are configured correctly.
What is the difference between rua= and ruf= in DMARC?
rua= (aggregate reports) receives daily XML summary files from receiving mail servers listing all messages they saw from your domain and their authentication outcomes. ruf= (forensic reports) receives individual failure reports for specific messages — these can contain headers and sometimes full content. rua= is more widely supported and the more important of the two. Many organizations configure only rua=.
What does the pct= tag do in a DMARC record?
pct= controls what percentage of failing messages the DMARC policy is applied to. For example, pct=10 means only 10% of failing messages are quarantined or rejected — the remaining 90% are treated as if p=none. This enables a risk-managed phased rollout. Increase pct weekly as you confirm legitimate email is authenticating correctly, targeting pct=100 for full enforcement. Increasing pct in increments (10%, 25%, 50%, 100%) over several weeks lets you catch any authentication gaps before they affect all email traffic.
What is the sp= tag in a DMARC record?
The sp= tag sets the DMARC policy for subdomains independently of the main domain. If sp= is not specified, subdomains inherit the parent domain's p= policy. Setting sp=reject on a parent domain while using p=none for monitoring ensures subdomains are still fully protected, which is especially important for parked or unused subdomains that attackers often target. Setting sp=reject on the organisational domain protects all subdomains from spoofing even if they have no mail infrastructure of their own.
What is DKIM alignment and SPF alignment in DMARC?
DMARC alignment checks whether the domain in the From: header matches the domain authenticated by DKIM (adkim=) or SPF (aspf=). 'Relaxed' alignment (r, the default) allows subdomain matches — for example, mail.example.com signing for example.com is accepted. 'Strict' alignment (s) requires an exact domain match. Relaxed alignment is recommended for most senders, especially those using third-party email services. Relaxed alignment is the safe default; strict alignment should only be used if you are certain all sending sources use the exact root domain in their DKIM and SPF configuration.
How do I publish my DMARC record after the wizard generates it?
Log into your DNS provider's control panel (Cloudflare, Route 53, GoDaddy, Namecheap, etc.) and add a new TXT record. The hostname must be exactly _dmarc (or _dmarc.yourdomain.com depending on your provider's format), and the value is the record string generated by the wizard. DNS changes typically propagate within minutes to 48 hours. Use our DMARC Checker to verify once it's live.
Should I set up DMARC even if my domain does not send email?
Yes — non-sending domains are high-value spoofing targets because they often have no email authentication records. Attackers use them to send convincing phishing emails appearing to come from your brand. Publish p=reject along with an SPF record of 'v=spf1 -all' to explicitly block all senders and prevent your domain from being abused. This takes under 10 minutes and significantly reduces your phishing exposure.
Related Email Authentication Tools

Need a disposable email address right now?Generate a free, instant throwaway — zero signup, zero trace.

Get Free Temp Mail