Skip to main content

Free RFC 9989 planner

Build the policy—and the safe path to enforce it.

Generate current DMARC syntax, expose risky alignment and policy choices, prepare external report authorization, and leave with a staged deployment plan instead of a dangerous one-line record.

MailDNS publishes the policy at _dmarc beneath this domain.

This changes rollout guidance. RFC 9989 cautions against reject for general-purpose email domains.

Identifier alignment

One address per line or comma-separated. Aggregate reports expose sending infrastructure; use a mailbox or processor prepared for XML volume.

Generated DNS change

Ready for a reviewed publish

Valid syntax
Name
_dmarc.example.com
Type
TXT
Value
v=DMARC1; p=none; adkim=r; aspf=r;
34 UTF-8 octets
  • Note: p=none requests reports but does not ask receivers to quarantine or reject failing mail.

  • Review: Without rua, you lose the aggregate evidence needed for a safe enforcement rollout.

MailDNS intentionally excludes the historic pct, rf, and ri tags. It also omits failure reports (ruf) because they can contain message or personal data.

Deployment sequence

A policy is a rollout, not a copy-paste event.

  1. 01

    Observe legitimate senders

    Collect aggregate reports across a normal sending cycle and account for every expected source before enforcement.

    v=DMARC1; p=none; adkim=r; aspf=r;
  2. 02

    Signal the intended policy in test mode

    Confirm aligned DKIM or SPF for every business-critical stream and investigate unknown high-volume sources.

    v=DMARC1; p=quarantine; adkim=r; aspf=r; t=y;
  3. 03

    Apply the reviewed policy

    Keep reviewing reports after enforcement; quarantine is not an inbox-placement guarantee.

    v=DMARC1; p=quarantine; adkim=r; aspf=r;