HomeEmail ToolsDMARC Checker
Email Tool

DMARC Checker

Find and validate your DMARC record (v=DMARC1). Review policy, alignment, and reporting addresses to protect your domain from spoofing.

Location
_dmarc.<domain>
DMARC is always published under _dmarc.
Key tag
p=none/quarantine/reject
Policy determines enforcement.
Waiting for input
Enter a domain, then press Check
How to Use

Use DMARC Checker in 4 Steps

01
Enter domain
Type the domain you send email from (e.g. example.com).
02
Check DMARC
We query _dmarc.<domain> for a v=DMARC1 TXT record.
03
Review policy
See p/sp, alignment settings, and reporting (rua).
04
Roll out safely
Start with p=none, then move to quarantine/reject.

What is DMARC?

DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an email authentication protocol defined in RFC 7489. It builds on SPF and DKIM to give domain owners control over what happens to email that fails authentication — and provides visibility into who is sending mail on behalf of their domain.

A DMARC record is published as a DNS TXT record at _dmarc.yourdomain.com. When a receiving mail server processes an incoming message, it checks whether SPF and/or DKIM pass and are aligned to the From header domain, then applies the DMARC policy to non-compliant messages.

Without DMARC, a domain with SPF and DKIM configured still has no enforcement mechanism. Anyone can spoof the visible From address even if your SPF and DKIM are configured correctly.

DMARC Record Tag Reference

TagRequiredExample valueWhat it controls
vYesDMARC1Version. Must be first.
pYesnone / quarantine / rejectPolicy for the root domain.
spNoquarantinePolicy for subdomains. Inherits p if omitted.
adkimNor (relaxed) / s (strict)DKIM alignment mode.
aspfNor (relaxed) / s (strict)SPF alignment mode.
ruaRecommendedmailto:dmarc@example.comAggregate report destination.
rufOptionalmailto:forensics@example.comForensic report destination.
pctNo100Percentage of mail the policy applies to (1–100).
foNo1Forensic report options (0, 1, d, s).
rfNoafrfForensic report format.
riNo86400Reporting interval in seconds (default: 1 day).

DMARC Policy Levels Explained

DMARC enforcement is a three-stage rollout. Never jump directly to p=reject without first monitoring aggregate reports.

PolicyWhat happens to failing mailWhen to use
p=noneDelivered normally. Reports generated.Initial deployment — monitor for 2–4 weeks.
p=quarantineDelivered to spam/junk folder.After confirming all legitimate senders pass.
p=rejectRejected by receiving server.Full enforcement — stops spoofing completely.

Recommended Rollout Path

Step 1:  v=DMARC1; p=none; rua=mailto:dmarc@example.com
         ↓ monitor aggregate reports (2–4 weeks)

Step 2:  v=DMARC1; p=quarantine; pct=10; rua=mailto:dmarc@example.com
         ↓ gradually increase pct from 10 → 100 while watching reports

Step 3:  v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc@example.com
         ↓ confirm no legitimate mail is failing

Step 4:  v=DMARC1; p=reject; rua=mailto:dmarc@example.com
         ↓ full enforcement active

DMARC Alignment Explained

DMARC requires that either SPF or DKIM passes AND that the authenticated domain aligns with the visible From header domain.

SPF Alignment

  • The domain in the Return-Path (envelope sender) must match the From domain.
  • Relaxed (aspf=r): subdomains of the From domain are accepted. Default.
  • Strict (aspf=s): exact match required.

DKIM Alignment

  • The d= tag in the DKIM signature must match the From domain.
  • Relaxed (adkim=r): subdomains allowed. Default.
  • Strict (adkim=s): exact match required.

Alignment failure example

If you send from notifications.example.com but your From header shows example.com, SPF will fail alignment in strict mode. Use relaxed alignment or align your sending domain with your From domain.

Example DMARC Records

Monitoring only (start here):

v=DMARC1; p=none; rua=mailto:dmarc@example.com

Partial enforcement with reporting:

v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@example.com; aspf=r; adkim=r

Full enforcement:

v=DMARC1; p=reject; rua=mailto:dmarc@example.com; ruf=mailto:forensic@example.com; fo=1

With subdomain policy:

v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc@example.com

Common DMARC Errors and Fixes

ErrorCauseFix
No DMARC record foundMissing TXT at _dmarc.domainPublish a p=none record with rua to start
p=none with no ruaPolicy exists but reports are never sentAdd rua=mailto: to receive aggregate reports
DMARC fails despite SPF passSPF alignment failing (different envelope/From domains)Align Return-Path domain with From domain or rely on DKIM
DMARC fails despite DKIM passDKIM alignment failing — d= tag subdomain, strict modeSwitch to relaxed alignment or fix the signing domain
Multiple DMARC recordsTwo TXT records at _dmarc.domainMerge into one — only one is permitted
sp=none overrides strong pSubdomains lack enforcementSet sp=quarantine or sp=reject

Checking DMARC from the Command Line

# Query DMARC record
dig +short TXT _dmarc.example.com

# Same with Cloudflare resolver
dig +short TXT _dmarc.example.com @1.1.1.1

# Windows PowerShell
Resolve-DnsName -Name _dmarc.example.com -Type TXT

# Check a specific subdomain's DMARC (falls back to parent domain policy)
dig +short TXT _dmarc.mail.example.com

DMARC, SPF, and DKIM — How They Work Together

DMARC does not replace SPF or DKIM — it coordinates them:

  • SPF confirms the sending server IP is authorised by the domain's DNS.
  • DKIM proves the message body and headers were not altered in transit.
  • DMARC enforces that at least one of SPF or DKIM passes AND is aligned with the From domain, then tells receivers what to do with failures.

A complete email authentication stack requires all three. Use the SPF Checker and DKIM Checker alongside this tool for a full audit.

Related Tools

Frequently Asked Questions

What is DMARC and why do I need it?
DMARC (Domain-based Message Authentication, Reporting, and Conformance) is a DNS-based email authentication protocol that tells receiving mail servers what to do when email fails SPF or DKIM checks. Without DMARC, even a domain with perfect SPF and DKIM has no enforcement — anyone can still spoof the visible From address. DMARC closes that gap and provides aggregate reports showing who is sending mail as your domain.
Where is the DMARC record stored?
DMARC is published as a TXT record at _dmarc.yourdomain.com — always with the _dmarc prefix. For example, for example.com the record lives at _dmarc.example.com. Subdomains can have their own DMARC records at _dmarc.subdomain.example.com, or they inherit the parent domain policy via the sp= tag.
What DMARC policy should I start with?
Always start with p=none and a rua= reporting address. This monitors email without affecting delivery, giving you 2–4 weeks of aggregate data to identify all legitimate sending sources. Once you confirm no legitimate mail is failing alignment, move to p=quarantine (use pct= to ramp gradually), then to p=reject for full enforcement.
What is DMARC alignment?
Alignment means the domain validated by SPF (the Return-Path / envelope sender) or DKIM (the d= tag in the signature) must match the domain in the visible From header. Relaxed alignment (default) allows subdomains to match. Strict alignment requires an exact match. DMARC passes if either SPF or DKIM passes AND is aligned.
Do I need both SPF and DKIM for DMARC?
DMARC only requires one to pass and align — either SPF or DKIM is sufficient. However, using both is strongly recommended. SPF can fail if a legitimate forwarder changes the envelope sender; DKIM survives forwarding because it signs the message itself. Relying on both provides redundancy and better coverage across different email paths.
What is the rua tag and should I always include it?
rua (Reporting URI for Aggregate reports) specifies where to send daily XML reports showing all sources that sent mail claiming your domain, and whether they passed or failed DMARC. You should always include rua — without it you are flying blind. Without reports you cannot safely move from p=none to p=quarantine or p=reject.
What does p=none actually do?
p=none means DMARC is in monitoring mode. Mail that fails authentication is still delivered normally — no messages are quarantined or rejected. But if rua is set, aggregate reports are generated and sent to you. This policy is safe to deploy immediately and gives you visibility without any risk of blocking legitimate email.
Can DMARC cause legitimate email to be blocked?
Yes, if you move to p=quarantine or p=reject before identifying all your legitimate sending sources. Automated emails from CRMs, marketing platforms, HR systems, and other third-party services must all have SPF or DKIM alignment configured before you enforce. Aggregate reports from p=none phase reveal these sources so you can configure them before tightening policy.
Recommended Path
1. p=none + rua=
2. Fix alignment issues
3. p=quarantine
4. p=reject
Free Newsletter

Get guides like this by email

DNS, email auth, and security playbooks delivered when they publish. No spam.