DMARC Record Generator
Create a DMARC policy to protect your domain from email spoofing
Configure Your DMARC Policy
Policy Settings
Report Settings
Daily summary reports — pre-filled with DMARC Busta's address
Individual failure reports — pre-filled with DMARC Busta's address
Live Preview
Policy Guide
Recommendation
Start with p=none to monitor. Once you've verified all legitimate sources pass, gradually move to quarantine then reject.
Want automated management?
DMARC Busta's Autopilot manages SPF, DKIM, and DMARC automatically with AI-powered decisions.
Get Started FreeWhat is DMARC?
Domain-based Message Authentication, Reporting, and Conformance
DMARC is an email authentication protocol that builds on SPF and DKIM to give domain owners control over how receiving mail servers handle unauthenticated messages. Without DMARC, anyone can send emails that appear to come from your domain, putting your organisation at risk of phishing attacks and brand damage.
DMARC works by telling receiving servers what to do when an email fails SPF or DKIM checks. You publish a DMARC policy as a DNS TXT record, and receiving servers consult it before deciding whether to deliver, quarantine, or reject a message.
There are three policy levels to choose from. None (p=none) is monitor-only mode, where failing emails are still delivered but you receive reports. Quarantine (p=quarantine) sends failing emails to the spam folder. Reject (p=reject) blocks failing emails entirely, providing the strongest protection against spoofing.
One of the most valuable aspects of DMARC is its reporting capability. The rua tag specifies where aggregate reports are sent, giving you daily summaries of who is sending email using your domain. The ruf tag enables forensic reports for individual authentication failures. Together, these reports provide complete visibility into your domain's email activity.
v=DMARC1;
p=reject;
rua=mailto:dmarc@example.com;
pct=100
How DMARC Works
DMARC Tags Explained
Every tag in your DMARC record and what it controls
Policy
Required
Tells receiving servers how to handle emails that fail authentication. Options are none, quarantine, or reject.
Aggregate Reports
Specifies the email address to receive daily aggregate reports. These XML reports summarise authentication results across all emails sent from your domain.
Forensic Reports
Specifies where to send forensic (failure) reports. These contain details about individual messages that failed authentication, useful for troubleshooting.
Percentage
Controls what percentage of failing emails the policy applies to. Setting pct=25 means only 25% of failing messages are quarantined or rejected, allowing a gradual rollout.
DKIM Alignment
Sets DKIM alignment mode. r (relaxed) allows subdomains to pass. s (strict) requires an exact domain match.
SPF Alignment
Sets SPF alignment mode. Works the same as adkim but applies to SPF checks. Relaxed is the default and works well for most organisations.
Common DMARC Mistakes
Avoid these pitfalls when setting up your DMARC policy
Starting with p=reject
Jumping straight to a reject policy is the most common mistake organisations make. If you have not confirmed that all your legitimate email services pass SPF and DKIM checks, a reject policy will block real emails from reaching their destination. Fix: Always start with p=none and progress gradually once you have reviewed your aggregate reports.
Missing rua Tag
Publishing a DMARC record without the rua tag means you will not receive any reports about who is sending email as your domain. Without this visibility, you are flying blind. Fix: Always include an rua=mailto: address to receive daily aggregate reports.
Forgetting Subdomain Policy
Many organisations focus on their root domain but forget that attackers can spoof subdomains too. The sp tag lets you set a separate policy for subdomains. Fix: If you are not using subdomains to send email, consider setting sp=reject even while your main domain is still on p=none.
Not Progressing Beyond p=none
A monitoring-only policy provides visibility but does not protect your domain. Many organisations set up DMARC with p=none, review a few reports, and then never progress further. To actually prevent email spoofing, you need to move to quarantine and eventually reject.
Automate this: DMARC Busta's Autopilot feature handles policy progression automatically, advancing from none to quarantine to reject at a safe pace based on your authentication results.
Frequently Asked Questions
What DMARC policy should I start with?
p=none for monitoring. This lets you collect aggregate reports and identify all legitimate email sources sending on behalf of your domain. Once you have confirmed that your authorised services pass SPF and DKIM checks, progress to p=quarantine (which sends failing emails to spam) and eventually p=reject (which blocks them entirely).
What are rua and ruf?
Can DMARC break my email?
p=none is completely safe because it only monitors and reports without affecting email delivery. Problems occur when organisations skip the monitoring phase and go straight to enforcement, blocking emails from services they had not accounted for.
How long before DMARC works?
Related Tools
More free tools to secure your email authentication
Automate Your DMARC Journey
DMARC Busta monitors your reports, manages your sources, and safely progresses your policy from none to reject -- across all your domains.
Get Started Free