DMARC Generator Tool

The DMARC Generator is an interactive tool that helps you create, validate, and understand DMARC records. Whether you're setting up DMARC for the first time or optimizing your policy, this tool simplifies the process.

Accessing the Tool

  1. Log in to SpoofWard
  2. Go to Tools → DMARC Generator
  3. You'll see three modes: Create, Validate, and Explain

Creating a DMARC Record

Start Fresh

  1. Click the Create tab
  2. The tool provides an interactive builder with all fields

Basic Fields

Domain: Your email domain (e.g., example.com)

Policy (p=): Choose your enforcement level:

  • none - Monitoring mode (start here)
  • quarantine - Failing email goes to spam
  • reject - Failing email is rejected

Report Address (rua=): Where to send aggregate reports

For SpoofWard users:


rua=mailto:[email protected]

Forensic Address (ruf=): Optional, for detailed failure reports

For SpoofWard users:


ruf=mailto:[email protected]

Advanced Options

DKIM Alignment (adkim=):

  • r (Relaxed) - Default. Domain matches loosely (recommended for most)
  • s (Strict) - Exact match required (rarely needed)

SPF Alignment (aspf=):

  • r (Relaxed) - Default. Domain matches loosely
  • s (Strict) - Exact match required (rarely needed)

Failure Reporting (fo=):

  • 0 - Report on both DKIM and SPF failure
  • 1 - Report on any failure (recommended)
  • d - Report on DKIM failures only
  • s - Report on SPF failures only

Percentage (pct=):

  • 100 - Apply policy to 100% of messages (default and recommended)
  • 50 - Apply to 50% for gradual rollout
  • 10 - Apply to 10% for testing (rarely used)

Example Creation

Step 1: Select policy: p=none

Step 2: Set report address: rua=mailto:[email protected]

Step 3: Enable forensic reports: ruf=mailto:[email protected]

Step 4: Set failure reporting: fo=1

Generated record:


v=DMARC1; p=none; rua=mailto:[email protected]; ruf=mailto:[email protected]; fo=1

Step 5: Copy and publish in DNS at _dmarc.yourdomain.com

Best Practice

Start with p=none and rua=mailto:[email protected]. After 4-8 weeks of monitoring with a 95%+ pass rate, upgrade to p=quarantine.

Validating a DMARC Record

Have an existing DMARC record? Validate it:

  1. Click the Validate tab
  2. Enter your current DMARC record (copy from DNS)
  3. Click Validate

The tool shows:

Syntax Status

  • Valid or errors found
  • Shows exact problem if syntax is wrong

Field Breakdown

  • Each field parsed and displayed
  • Shows what each one does
  • Highlights missing recommended fields

Alignment Mode

  • Current DKIM alignment setting
  • Current SPF alignment setting
  • Suggests strict vs. relaxed

Policy Assessment

  • Current enforcement level
  • Whether you're monitoring or enforcing
  • Suggestions for next steps

Example Validation

Input:


v=DMARC1; p=quarantine; rua=mailto:[email protected]

Validation output:

  • ✓ Valid syntax
  • Warning: rua not pointing to SpoofWard (won't receive reports)
  • Warning: No ruf field (forensic reports disabled)
  • Suggested fix: Update rua and add ruf
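
The checks described above (syntax, field breakdown, missing recommended fields, policy assessment) can be approximated in a short script. This is an added example, not SpoofWard's implementation; the function names and the sample records with their example.com addresses are constructed for illustration.

```python
# Added example: DMARC record checker (not SpoofWard's implementation).
POLICIES = {"none", "quarantine", "reject"}

# Constructed sample records; the addresses are placeholders.
GOOD = "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com"
BAD = "v=DMARC1, p=none; rua=dmarc-reports@example.com; pct=150"


def check_dmarc(record):
    """Return (tags, errors, warnings) for one DMARC record string."""
    tags, errors, warnings = {}, [], []
    # Fields are separated by semicolons; each field is tag=value.
    for part in (p.strip() for p in record.split(";")):
        if not part:
            continue  # a trailing semicolon is harmless
        name, sep, value = part.partition("=")
        if not sep:
            errors.append(f"field without '=': {part!r}")
            continue
        tags[name.strip().lower()] = value.strip()

    # v= must be the first field and must be exactly DMARC1.
    if next(iter(tags), None) != "v" or tags["v"] != "DMARC1":
        errors.append("record must start with v=DMARC1")
    if tags.get("p") not in POLICIES:
        errors.append("p= must be none, quarantine or reject")
    if "sp" in tags and tags["sp"] not in POLICIES:
        errors.append("sp= must be none, quarantine or reject")
    for tag in ("adkim", "aspf"):
        if tag in tags and tags[tag] not in {"r", "s"}:
            errors.append(f"{tag}= must be r or s")
    if "fo" in tags and not set(tags["fo"].split(":")) <= {"0", "1", "d", "s"}:
        errors.append("fo= must use 0, 1, d or s")
    if "pct" in tags and not (tags["pct"].isdecimal() and int(tags["pct"]) <= 100):
        errors.append("pct= must be an integer from 0 to 100")
    for tag in ("rua", "ruf"):
        if tag not in tags:
            warnings.append(f"no {tag}= field")
            continue
        # Multiple report addresses are comma-separated mailto: URIs.
        for uri in (u.strip() for u in tags[tag].split(",")):
            if not uri.lower().startswith("mailto:"):
                errors.append(f"{tag}= address is not a mailto: URI: {uri!r}")
    return tags, errors, warnings


def enforcement(tags):
    """Monitoring vs. enforcing, as in the Policy Assessment section."""
    p = tags.get("p")
    return "monitoring" if p == "none" else "enforcing" if p in POLICIES else "unknown"
```

The BAD record uses a comma after v=DMARC1, so the whole first field fails to parse and p= is reported missing as well, which is the failure the Troubleshooting section's semicolon check is meant to catch.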

Understanding DMARC Components

Version (v=)

Always v=DMARC1

Indicates DMARC version. Only version 1 exists.

Policy (p=)

Your enforcement level:

  • p=none - Monitor only, accept all email
  • p=quarantine - Quarantine failing email
  • p=reject - Reject failing email

Choose based on your readiness. Start with p=none.

Subdomain Policy (sp=)

Optional. Policy for subdomains if they don't have their own DMARC record.

  • If not specified, subdomains inherit the main domain's policy
  • Can be same as p= or more lenient

Example: sp=none while p=quarantine

Report Address (rua=)

Where to send aggregate reports (required if you want reports):


rua=mailto:[email protected]

Required fields:

Can include multiple addresses:


rua=mailto:[email protected],mailto:[email protected]

Forensic Address (ruf=)

Optional. Where to send forensic reports (detailed failures):


ruf=mailto:[email protected]

Recommended to enable failure visibility.

Report Volume

rua= produces 1 report/day. ruf= can be high volume if you have many failures. SpoofWard processes both automatically.

DKIM Alignment (adkim=)

How strictly to check DKIM alignment:

Relaxed (r) - Default

  • Subdomains of the signing domain match
  • Example: mail.example.com matches example.com
  • Use this unless you have specific requirements

Strict (s)

  • Domain must match exactly
  • Rarely needed

SPF Alignment (aspf=)

How strictly to check SPF alignment:

Relaxed (r) - Default

  • Subdomains of the SPF domain match
  • Use this for most cases

Strict (s)

  • Exact domain match required
  • Rarely used

Failure Reporting (fo=)

When to generate forensic reports:

  • 0 - Any SPF or DKIM failure (default, recommended)
  • 1 - Any authentication failure
  • d - DKIM failures only
  • s - SPF failures only

Use fo=1 for visibility into all failures.

Percentage (pct=)

What percentage of messages to apply the policy to:

  • 100 - All messages (recommended)
  • 50 - Half (for gradual testing)
  • 10 - 10% (rare)

Always use pct=100. Gradual rollout doesn't add much value.

Domain Alignment Mode (dam=)

Whether to apply policy when headers don't align:

  • 0 - Only if headers align (rare)
  • 1 - Apply regardless (default, typical)

Use the default unless you have specific requirements.

External Reports (external_reports=)

Optional. Specify formats for external reports.

Rarely used. Most don't need this.

Advanced Usage

Migrating DMARC Providers

Moving from another service to SpoofWard?

  1. Validate your current record in the tool
  2. Update rua and ruf:

   Old: rua=mailto:[email protected]
   New: rua=mailto:[email protected]
  3. Keep everything else the same
  4. Publish updated record
  5. Reports will start flowing to SpoofWard

Creating Multiple Records

For subdomains, you can create domain-specific records:

  1. Create record for _dmarc.mail.example.com
  2. Create record for _dmarc.newsletter.example.com
  3. Each can have different policies
  4. Use parent domain's policy as fallback

Gradual Enforcement

Some prefer phased enforcement using percentage:


v=DMARC1; p=reject; rua=mailto:[email protected]; pct=10

This applies reject policy to only 10% of messages.

However, this is rarely recommended. Better to move through p=none → p=quarantine → p=reject stages.

Common DMARC Records

Minimal (Starting Point)


v=DMARC1; p=none; rua=mailto:[email protected]; fo=1

Monitoring mode, reports to SpoofWard, forensic on all failures.

Standard (Recommended)


v=DMARC1; p=none; rua=mailto:[email protected]; ruf=mailto:[email protected]; fo=1

Adds forensic reports for detailed failure analysis.

Enforcement Ready


v=DMARC1; p=quarantine; rua=mailto:[email protected]; ruf=mailto:[email protected]; fo=1; adkim=r; aspf=r

In enforcement mode with explicit alignment settings.

Full Enforcement


v=DMARC1; p=reject; rua=mailto:[email protected]; ruf=mailto:[email protected]; fo=1; adkim=r; aspf=r

Maximum security, rejects non-aligned email.

Troubleshooting

"Invalid syntax" error

Check:

  • Correct v=DMARC1 format
  • Semicolon between fields (not comma)
  • No extra spaces around =
  • Email addresses formatted as mailto:

"Unreachable report address"

  • Verify the email address is correct
  • Check for typos
  • Ensure SpoofWard address is [email protected]

"DNS TXT record limit"

DMARC records have a 255 character limit per TXT record. If yours exceeds:

  • Reduce number of report addresses
  • Use only rua, not ruf
  • Remove non-critical fields
  • Consider multiple TXT records (concatenate with blank line)

FAQ

Can I have multiple report addresses?

Yes, comma-separated:


rua=mailto:[email protected],mailto:[email protected]

What happens if I use the wrong report address?

Reports go to that address. SpoofWard won't see them. Update the DMARC record to fix this.

Do I need both rua and ruf?

No, but recommended. rua gives daily stats; ruf gives detail on failures.

How long before reports arrive?

24-48 hours for first report. Daily thereafter.

Can I change policies easily?

Yes. Edit the DMARC record in DNS, change the p= value, save. New policy applies immediately.

Should I use strict or relaxed alignment?

Use relaxed (default) unless you have specific requirements.

Tips

  • Start with p=none - Collect baseline data before enforcing
  • Point to SpoofWard - Set rua=mailto:[email protected] to get SpoofWard's analysis
  • Enable forensic reports - Set ruf= and fo=1 for detail
  • Use the validator - Check your record before publishing
  • Monitor reports - Check daily for first week after changes
