DMARC Checker
Find and validate your DMARC record (v=DMARC1). Review policy, alignment, and reporting addresses to protect your domain from spoofing.
Use DMARC Checker in 4 Steps
What is DMARC?
DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an email authentication protocol defined in RFC 7489. It builds on SPF and DKIM to give domain owners control over what happens to email that fails authentication — and provides visibility into who is sending mail on behalf of their domain.
A DMARC record is published as a DNS TXT record at _dmarc.yourdomain.com. When a receiving mail server processes an incoming message, it checks whether SPF and/or DKIM pass and are aligned to the From header domain, then applies the DMARC policy to non-compliant messages.
Without DMARC, a domain with SPF and DKIM configured still has no enforcement mechanism. Anyone can spoof the visible From address even if your SPF and DKIM are configured correctly.
DMARC Record Tag Reference
| Tag | Required | Example value | What it controls |
|---|---|---|---|
v | Yes | DMARC1 | Version. Must be first. |
p | Yes | none / quarantine / reject | Policy for the root domain. |
sp | No | quarantine | Policy for subdomains. Inherits p if omitted. |
adkim | No | r (relaxed) / s (strict) | DKIM alignment mode. |
aspf | No | r (relaxed) / s (strict) | SPF alignment mode. |
rua | Recommended | mailto:dmarc@example.com | Aggregate report destination. |
ruf | Optional | mailto:forensics@example.com | Forensic report destination. |
pct | No | 100 | Percentage of mail the policy applies to (1–100). |
fo | No | 1 | Forensic report options (0, 1, d, s). |
rf | No | afrf | Forensic report format. |
ri | No | 86400 | Reporting interval in seconds (default: 1 day). |
DMARC Policy Levels Explained
DMARC enforcement is a three-stage rollout. Never jump directly to p=reject without first monitoring aggregate reports.
| Policy | What happens to failing mail | When to use |
|---|---|---|
p=none | Delivered normally. Reports generated. | Initial deployment — monitor for 2–4 weeks. |
p=quarantine | Delivered to spam/junk folder. | After confirming all legitimate senders pass. |
p=reject | Rejected by receiving server. | Full enforcement — stops spoofing completely. |
Recommended Rollout Path
Step 1: v=DMARC1; p=none; rua=mailto:dmarc@example.com
↓ monitor aggregate reports (2–4 weeks)
Step 2: v=DMARC1; p=quarantine; pct=10; rua=mailto:dmarc@example.com
↓ gradually increase pct from 10 → 100 while watching reports
Step 3: v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc@example.com
↓ confirm no legitimate mail is failing
Step 4: v=DMARC1; p=reject; rua=mailto:dmarc@example.com
↓ full enforcement active
DMARC Alignment Explained
DMARC requires that either SPF or DKIM passes AND that the authenticated domain aligns with the visible From header domain.
SPF Alignment
- The domain in the
Return-Path(envelope sender) must match theFromdomain. - Relaxed (
aspf=r): subdomains of theFromdomain are accepted. Default. - Strict (
aspf=s): exact match required.
DKIM Alignment
- The
d=tag in the DKIM signature must match theFromdomain. - Relaxed (
adkim=r): subdomains allowed. Default. - Strict (
adkim=s): exact match required.
Alignment failure example
If you send from notifications.example.com but your From header shows example.com, SPF will fail alignment in strict mode. Use relaxed alignment or align your sending domain with your From domain.
Example DMARC Records
Monitoring only (start here):
v=DMARC1; p=none; rua=mailto:dmarc@example.com
Partial enforcement with reporting:
v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@example.com; aspf=r; adkim=r
Full enforcement:
v=DMARC1; p=reject; rua=mailto:dmarc@example.com; ruf=mailto:forensic@example.com; fo=1
With subdomain policy:
v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc@example.com
Common DMARC Errors and Fixes
| Error | Cause | Fix |
|---|---|---|
| No DMARC record found | Missing TXT at _dmarc.domain | Publish a p=none record with rua to start |
p=none with no rua | Policy exists but reports are never sent | Add rua=mailto: to receive aggregate reports |
| DMARC fails despite SPF pass | SPF alignment failing (different envelope/From domains) | Align Return-Path domain with From domain or rely on DKIM |
| DMARC fails despite DKIM pass | DKIM alignment failing — d= tag subdomain, strict mode | Switch to relaxed alignment or fix the signing domain |
| Multiple DMARC records | Two TXT records at _dmarc.domain | Merge into one — only one is permitted |
sp=none overrides strong p | Subdomains lack enforcement | Set sp=quarantine or sp=reject |
Checking DMARC from the Command Line
# Query DMARC record
dig +short TXT _dmarc.example.com
# Same with Cloudflare resolver
dig +short TXT _dmarc.example.com @1.1.1.1
# Windows PowerShell
Resolve-DnsName -Name _dmarc.example.com -Type TXT
# Check a specific subdomain's DMARC (falls back to parent domain policy)
dig +short TXT _dmarc.mail.example.com
DMARC, SPF, and DKIM — How They Work Together
DMARC does not replace SPF or DKIM — it coordinates them:
- SPF confirms the sending server IP is authorised by the domain's DNS.
- DKIM proves the message body and headers were not altered in transit.
- DMARC enforces that at least one of SPF or DKIM passes AND is aligned with the
Fromdomain, then tells receivers what to do with failures.
A complete email authentication stack requires all three. Use the SPF Checker and DKIM Checker alongside this tool for a full audit.
Related Tools
Frequently Asked Questions
Get guides like this by email
DNS, email auth, and security playbooks delivered when they publish. No spam.