Relaxed vs strict alignment?

Relaxed (the default) matches the organizational domain — mail from `news.example.com` aligns with `example.com`. Strict requires an exact domain match. Use strict only if you understand exactly which subdomains send what.

Do I really need rua?

If you ever plan to enforce (`quarantine` or `reject`), yes. Aggregate reports are the only way to find out which legitimate senders are failing alignment before your enforcement starts dropping their mail.

DMARC Record Builder

Network

Builds the TXT record that closes the loop on email authentication: SPF and DKIM say a message is signed; DMARC tells receivers what to do when neither passes. The tool walks you from monitor-only (`p=none`) to quarantine to outright reject, and exposes the alignment modes and percentage rollout that production deployments lean on. Warnings remind you about the common gotchas — going to `p=reject` without an `rua` mailbox to collect failure reports, picking `pct=` below 100% then forgetting to ratchet it up.

—

Presets

Policy (p=)Subdomain policy (sp=)

Percentage to apply policy to (pct=)100% · Receivers apply the policy to this % of failures and treat the rest as p=none.

SPF alignment (aspf=)DKIM alignment (adkim=)

Aggregate report mailbox (rua) (rua=)Forensic report mailbox (ruf, optional) (ruf=)

TXT record · Publish as: _dmarc.example.com

v=DMARC1; p=none; rua=mailto:dmarc@example.com

Publish as a TXT record at _dmarc.<your-domain>. Replace 'example.com' in the rua/ruf addresses with a mailbox you own.

How to use

Start with the monitor preset (`p=none`) — receivers report what's happening without affecting delivery.
Once SPF/DKIM are aligned for all legitimate mail, jump to quarantine (or use `pct=` to slowly ramp).
After a few weeks of clean reports, promote to `p=reject`. Keep the `rua` mailbox forever — it's how you catch new misconfigurations.

Frequently asked questions

Relaxed vs strict alignment?: Relaxed (the default) matches the organizational domain — mail from `news.example.com` aligns with `example.com`. Strict requires an exact domain match. Use strict only if you understand exactly which subdomains send what.
Do I really need rua?: If you ever plan to enforce (`quarantine` or `reject`), yes. Aggregate reports are the only way to find out which legitimate senders are failing alignment before your enforcement starts dropping their mail.

Related tools

IP Address Inspector

Type an IPv4 or IPv6 address and see its class, scope (private / public / loopback / link-local), decimal value, binary, reverse-DNS notation, and /32 CIDR.

Network00

Port Number Reference

Searchable cheat sheet for ~60 standard TCP / UDP port numbers — from 22 (SSH) and 80 (HTTP) to 6379 (Redis) and 27017 (MongoDB).

Network00

DNS Record Reference

Searchable cheat sheet for DNS record types — A, AAAA, CNAME, MX, TXT, NS, SOA, PTR, SRV, CAA, DNSSEC, SVCB / HTTPS — with examples.

Network00

Subnet Calculator (IPv4 / CIDR)

Parse an IPv4 CIDR into network address, broadcast, netmask, wildcard, host range, and class. Shows binary breakdown and private/public status.

Network00

User Agent Parser

Parse a User-Agent string into browser, engine, OS, device, and CPU. Detects 20+ bots including GPTBot, ClaudeBot, PerplexityBot.

Network00

HTTP Status Code Reference

Searchable list of every HTTP status code (1xx-5xx) with summary, RFC, when to use, and common pitfalls.

Network00