DMARC Wizard

Take control of your domain’s email security with our DMARC Wizard — a simple, guided tool that helps you create a custom DMARC record tailored to your needs. Whether you're just starting with email authentication or fine-tuning your domain's defenses, this tool walks you through each setting — from policy enforcement to reporting — and generates a ready-to-use DNS record in seconds.

About DMARC

A DMARC (Domain-based Message Authentication, Reporting, and Conformance) record is a DNS TXT record that helps email domain owners protect their domain from unauthorized use, such as email spoofing. Here's a breakdown of each component of a DMARC record, along with recommended default values.

The values of a typical DMARC record looks like this:

v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com; ruf=mailto:forensic@example.com; fo=1; sp=none; adkim=r; aspf=r;

Before creating a DMARC Record

Before using the Wizard and activating DMARC on your domain, gather the following information to ensure your record is accurate and effective:

Email Sending Sources

Identify all services and servers that send email on behalf of your domain (e.g., Webnames.ca, Google Workspace, Microsoft 365, Mailchimp, etc.).

SPF and DKIM Setup

Ensure SPF and DKIM are properly configured for your domain. DMARC relies on these protocols to validate messages.

Reporting Addresses

Decide where you want to receive DMARC reports:

Aggregate reports (daily summaries): e.g., dmarc-reports@yourdomain.com
Forensic reports (detailed failure logs): optional, e.g., forensics@yourdomain.com

Policy Preference

Choose how strict you want to be with unauthenticated emails:

none (monitor only)
quarantine (send to spam)
reject (block entirely)

Alignment Settings

Determine whether to use relaxed or strict alignment for SPF and DKIM. Relaxed is more forgiving and suitable for most setups.

Sub-domain Policy

Decide if sub-domains should follow the same policy or have a different one.

Access the DMARC Wizard

Our DMARC Wizard is available to all Webnames.ca email customers via the Email tab of their domain management page.

Parameters

Parameter	Tag	Description	Recommended Default
Version	v	Version. Identifies the record retrieved as a DMARC record. It MUST have the value of "DMARC1", and therefore this value will automatically be inserted and used.	v=DMARC1
Policy	p	Policy – Action to take on failing emails. Options: none, quarantine, reject. Requested Mail Receiver policy indicates the policy to be enacted by the Receiver at the request of the Domain Owner. Policy applies to the domain queried and to subdomains, unless subdomain policy is explicitly described using the "sp" tag. This tag is mandatory for policy records only, but not for third-party reporting records. Possible values are as follows: none: The Domain Owner requests no specific action be taken regarding delivery of messages. quarantine: The Domain Owner wishes to have email that fails the DMARC mechanism check be treated by Mail Receivers as suspicious. Depending on the capabilities of the Mail Receiver, this can mean "place into spam folder", "scrutinize with additional intensity", and/or "flag as suspicious". reject: The Domain Owner wishes for Mail Receivers to reject email that fails the DMARC mechanism check. Rejection SHOULD occur during the SMTP transaction. See Section 10.3 for some discussion of SMTP rejection methods and their implications.	none (for monitoring)
Subdomain Policy	sp	Subdomain Policy – Policy for subdomains. Requested Mail Receiver policy for all subdomains which indicates the policy to be enacted by the Receiver at the request of the Domain Owner. It applies only to subdomains of the domain queried and not to the domain itself. Its syntax and possible values are identical to that of the Policy parameter. If absent, the policy specified by the "p" tag MUST be applied for subdomains.	none (or match p)
Alignment SPF	aspf	SPF Alignment Mode indicates whether strict or relaxed SPF Identifier Alignment mode is required by the Domain Owner. Valid values are as follows: r: relaxed mode s: strict mode	r
Alignment DKIM	adkim	DKIM Alignment Mode indicates whether strict or relaxed DKIM Identifier Alignment mode is required by the Domain Owner. Valid values are as follows: r: relaxed mode s: strict mode	r
Reporting URI Aggregate	rua	Aggregate Report URI – Comma-separated list of email addresses to which aggregate reports (daily summaries) are to be sent.	mailto:dmarc-reports@yourdomain.ca
Reporting URI Failure	ruf	Forensic Report URI – Comma-separated list of email addresses to which detailed failure reports are to be sent.	Optional; use if needed
Reporting Interval	ri	Reporting Interval is the interval requested between aggregate reports. Indicates a request to Receivers to generate aggregate reports separated by no more than the requested number of seconds. DMARC implementations MUST be able to provide daily reports and SHOULD be able to provide hourly reports when requested. However, anything other than a daily report is understood to be accommodated on a best- effort basis.	86400
Percent	pct	Percentage – Percentage of messages to apply policy to. Percentage of messages from the Domain Owner's mail stream to which the DMARC policy is to be applied. However, this MUST NOT be applied to the DMARC-generated reports, all of which must be sent and received unhindered. The purpose of the "pct" tag is to allow Domain Owners to enact a slow rollout enforcement of the DMARC mechanism.	100
Failure Options	fo	Failure reporting options provide requested options for generation of failure reports. Report generators MAY choose to adhere to the requested options. This tag's content MUST be ignored if a "ruf" tag is not also specified. The value of this tag is a colon-separated list of characters that indicate failure reporting options as follows: 0: Generate a DMARC failure report if all underlying authentication mechanisms fail to produce an aligned "pass" result. 1: Generate a DMARC failure report if any underlying authentication mechanism produced something other than an aligned "pass" result. d: Generate a DKIM failure report if the message had a signature that failed evaluation, regardless of its alignment. DKIM-specific reporting is described in [AFRF-DKIM]. s: Generate an SPF failure report if the message failed SPF evaluation, regardless of its alignment. SPF-specific reporting is described in [AFRF-SPF].	1 (report on any failure)
Reporting Format	rf	Format to be used for message-specific failure reports. The value of this tag is a list of one or more report formats as requested by the Domain Owner to be used when a message fails both [SPF] and [DKIM] tests to report details of the individual failure. The values MUST be present in the registry of reporting formats; a Mail Receiver observing a different value SHOULD ignore it or MAY ignore the entire DMARC record. For this version, only "afrf" is presently supported, and therefore this value will automatically be inserted and used.	rf=afrf

Application

In order to be functional, a DMARC record must be inserted into the DNS zone of the applicable domain name. The manner in which this occurs differs depending on which organization hosts the domain name's DNS.

Webnames.ca DNS

In all instances where Webnames.ca provides DNS services for the domain (including domains which are parked, forwarded, have Webnames or Wix web hosting, or have dedicated Advanced or Premium DNS services), clicking the Apply button within the DMARC Wizard will insert the crafted DNS record into the domain name's DNS. No further action is required.

Third-Party DNS

In instances where another company is providing DNS services for the domain name, then the record values produced by the DMARC Wizard must manually be copy and pasted into the other company's DNS Hosting management interface. The location and layout of this interface will differ from one provider to another. Generally however, these are the required parameters:

Record Type: TXT
Record Hostname: _dmarc.yourdomain.ca
Record SOA: default
Record Value: Copy and paste from the DMARC Wizard

WHO HOSTS MY DOMAIN'S DNS?

The servers providing the DNS service for your domain name is displayed in your domain name's WHOIS information. Based on the names of these DNS servers, the name of the corresponding provider can usually be determined. Visit https://www.webnames.ca/whois and perform a search for your domain name. Amongst the results will be (typically) three name servers, e.g.

Name Server: ns1.webnames.ca

Name Server: ns2.webnames.ca

Name Server: ns3.webnames.ca