Free tool · Every tag explained
Your domain needs a
DMARC policy
Gmail and Microsoft require DMARC from volume senders since 2024. Build the exact record in a minute — and climb the none → quarantine → reject ladder at the right pace.
Publish this DNS record
Add a TXT record at your DNS provider with exactly this host and value.
Host / Name
_dmarc.yourdomain.com
Value (TXT)
v=DMARC1; p=none
No report address set — the policy still works, but you'll be flying blind. Add a rua to actually see who sends as your domain.
What each tag means
- v=DMARC1
- Identifies this TXT record as a DMARC policy.
- p=none
- Nothing gets blocked; you just collect reports. Required by Gmail/Microsoft as a minimum for bulk senders.
Then verify it's live
DNS takes a few minutes to propagate. Check DMARC together with SPF, DKIM and MX in one pass:
Run the domain health check →The ladder: none → quarantine → reject
1 · Observe
p=none + rua
Weeks 1–4. Nothing is blocked; reports reveal every server sending as you — including the ones you forgot about. Fix SPF/DKIM for each legitimate one.
2 · Enforce gently
p=quarantine
Failing mail goes to spam, not the trash. Watch reports for legitimate mail getting caught; use pct to ramp if you're nervous.
3 · Lock the door
p=reject
Spoofed mail is refused outright. Your domain can no longer be impersonated — the destination every domain should reach eventually.
Questions, answered honestly
Do I really need DMARC to send cold email?
Yes. Since February 2024, Gmail and Microsoft require DMARC (at minimum p=none) from senders doing volume. Without it your outreach starts penalized before anyone reads a word. With it — and with SPF/DKIM aligned — you're playing the same game as every legitimate sender.
Which policy should I start with?
p=none, always. It blocks nothing but turns on reporting, so you discover every service legitimately sending as your domain (there are always more than you think). After 2–4 weeks of clean reports, move to p=quarantine, then p=reject. Jumping straight to reject is how companies break their own invoicing emails.
What is the rua tag and do I need it?
rua is where receivers send daily aggregate reports — XML summaries of who sent mail claiming to be your domain and whether it passed. Without a rua you're enforcing blind: you'll never know about the forgotten CRM or the spoofer until something breaks. Always set one.
What does pct do?
pct applies your policy to a percentage of failing mail — pct=25 with p=quarantine quarantines a quarter of failures and lets the rest through. It's a rollout dial: useful for easing into quarantine, pointless with p=none, and best removed (back to 100) once you're confident.
DMARC keeps failing even though SPF passes. Why?
Alignment. DMARC doesn't just want SPF or DKIM to pass — it wants them to pass for the same domain as your From header. Mail sent through a provider often passes SPF for the provider's domain, not yours. That's an alignment failure, and it's exactly what the header analyzer tool diagnoses.
Keep going
More free tools
Don't read XML reports. We do that part.
Norbelys receives and reads your DMARC reports for you — every domain you connect gets continuous monitoring, plain-language findings and an alert when something starts sending as you.
Start sendingFrom $29/mo · Cancel anytime