DMARC Record Checker
Look up any domain's published DMARC record live, confirm whether the policy actually rejects spoofed mail, and get plain-English fixes. Reads public DNS only.
Live DNS lookup via DNS-over-HTTPS. We only read public DNS records.
How the DMARC check works
Enter a domain and the tool performs a live DNS lookup of the _dmarc.<domain> TXT record, then grades the policy it finds. It reads the key tags — p (policy), sp (subdomain policy), rua (aggregate reports), pct (coverage), and alignment settings — and tells you in plain English whether your domain is actually protected or merely monitoring.
From monitoring to enforcement
A record at p=none is the most common — and most dangerous — finding: it looks like DMARC is "set up," but spoofed mail still lands. Move toward p=reject deliberately: confirm your SPF and DKIM are aligned for every legitimate sender first, then tighten the policy. Build a correct record with the DMARC generator. Learn the terminology in the email spoofing and business email compromise glossary entries.
DMARC record tags explained: a tag-by-tag reference
Every DMARC record is a single TXT string of semicolon-separated tags. Running a DMARC record lookup shows you the raw string; this reference decodes what each tag controls so a DMARC analyzer report is readable at a glance.
vis the version and must be the first tag, alwaysv=DMARC1. If it is missing or misspelled, receivers ignore the record entirely.pis the policy for the From-header domain:p=none(monitor only),p=quarantine(send failing mail to spam), orp=reject(refuse it at the gateway).spis the policy applied to subdomains. If absent, subdomains inheritp; set it explicitly (for examplesp=reject) to control them independently.pctis the percentage of failing mail the requested policy is applied to, valid frompct=0topct=100. The remaining messages get the next-lower action (rejectfalls back toquarantine,quarantinetonone), sopct=0means effectively none of the mail receives the requested policy.pct=100is the default and the goal.rualists the addresses that receive aggregate XML reports (typically daily, at the interval requested byri), asmailto:URIs (for examplerua=mailto:[email protected]). These reports reveal every source sending as your domain.ruflists addresses for per-message forensic (failure) reports. Support is limited and reports may contain redacted headers, so many receivers never send them.adkimsets DKIM alignment strictness:adkim=r(relaxed, default) requires the DKIMd=domain and the From domain to share an Organizational Domain (so subdomains align);adkim=s(strict) requires thed=domain to exactly equal the From domain.aspfsets SPF alignment strictness:aspf=s(strict) requires the SPF-authenticated domain (the RFC5321.MailFrom / envelope-from domain) to exactly equal the From header domain;aspf=r(relaxed, default) requires only that their Organizational Domains match.fosets failure-reporting options:fo=0(default) reports only when both SPF and DKIM fail,fo=1reports when either fails,fo=don any DKIM failure,fo=son any SPF failure.rfnames the forensic report format, effectively alwaysrf=afrf(the Authentication Failure Reporting Format defined in RFC 6591).riis the requested interval in seconds between aggregate reports, defaulting tori=86400(24 hours). Receivers treat this as a hint, not a guarantee.
Use this alongside the SPF checker and DKIM checker, since DMARC alignment only passes when SPF or DKIM authenticates against the same domain your recipients see in the From header.
DMARC misconfigurations this checker flags
DMARC record validation is less about syntax and more about whether the record actually blocks spoofing. These are the specific problems the analyzer surfaces, ranked by how much exposure they leave open:
- No record at all: nothing is published at
_dmarc.<domain>, so receivers have no policy to enforce and anyone can send as your domain. This is the baseline state exploited in email spoofing and business email compromise. p=nonemistaken for real protection: the record exists and reports flow, but failing mail is still delivered. Monitoring is a starting point, not a defense.- Missing
rua: with no aggregate reporting address you are blind to which servers send as your domain, so you cannot safely tighten the policy without breaking legitimate mail. pctleft below 100 indefinitely: partial coverage is fine during rollout, but any value underpct=100permanently leaves a share of spoofed mail on the policy you are trying to escape.- Missing
sp: without a subdomain policy, an attacker can spoofinvoices.<domain>or any unused subdomain even when the root domain is atp=reject. - Syntax errors: a stray space, a missing semicolon,
v=DMARC1not first, or an invalidmailto:can make receivers discard the whole record so no policy applies. - More than one
_dmarcTXT record: publishing two DMARC records is a protocol violation, and per RFC 7489 receivers that find multiple records apply none of them, silently disabling your protection.
Frequently asked questions
What is a DMARC record?
DMARC (Domain-based Message Authentication, Reporting & Conformance) is a TXT record published at _dmarc.yourdomain.com. It tells receiving mail servers what to do with messages that fail SPF and DKIM alignment — monitor (p=none), quarantine, or reject — and where to send reports. It's the policy that actually stops attackers from spoofing your domain.
What's the difference between p=none, quarantine, and reject?
p=none only monitors and reports — spoofed mail still gets delivered. p=quarantine sends failing mail to spam. p=reject blocks it outright. The goal is to reach p=reject: start at none to gather reports, move to quarantine, then reject once legitimate sources are aligned.
Why does my domain need DMARC?
Without an enforcing DMARC policy, anyone can send email that appears to come from your domain. That's how brand-impersonation phishing and business email compromise work. DMARC at p=reject means recipients' servers refuse spoofed mail before it reaches a victim.
How do I fix a weak DMARC record?
Add a reporting address (rua=) to start receiving data, ensure SPF and DKIM are aligned for all your legitimate senders, then progress the policy from none → quarantine → reject. Use the DMARC record generator to build a correct record, and the SPF and DKIM checkers to confirm your senders authenticate.
What is the difference between aggregate (rua) and forensic (ruf) reports?
Aggregate reports sent to the rua address are daily XML summaries. They list, per sending source IP, how many messages passed or failed SPF, DKIM, and DMARC alignment. They contain no message content, so they are safe to collect at scale and are what you use to inventory your legitimate senders before moving to enforcement. Forensic reports sent to the ruf address are per-message failure samples generated in near real time. They can include redacted headers and portions of individual messages, which is why most large receivers never send them for privacy reasons. In practice you rely on aggregate reports for rollout and treat any forensic reports you do receive as an occasional bonus signal.
How often should I re-check a DMARC record?
Check it whenever you change email infrastructure: adding a new marketing platform, invoicing tool, help desk, or bulk sender is the moment a previously aligned domain can start failing. Beyond that, a monthly spot check is reasonable for a stable domain, and a quarterly review pairs well with reading your accumulated aggregate reports. If you are actively rolling out from none to quarantine to reject, re-check after every policy change and watch reports for at least one to two weeks before tightening further, since some senders only mail occasionally.
Does DMARC hurt the deliverability of my legitimate mail?
Only if you move to quarantine or reject before all of your real senders are aligned. A correctly configured DMARC policy improves deliverability, because major mailbox providers treat an authenticated, enforcing domain as a trust signal and some now require it for bulk senders. The risk is turning on enforcement while a legitimate source such as a CRM or newsletter platform still fails alignment, which would send that mail to spam or get it rejected. That is exactly why you start at none, use aggregate reports to confirm every source passes SPF or DKIM alignment, and only then raise the policy.
Does DMARC work without both SPF and DKIM?
DMARC does not require both, but it needs at least one to pass in alignment. A message passes DMARC if either SPF aligns (the envelope-from domain matches the From-header domain) or DKIM aligns (the signing d= domain matches the From-header domain). You can technically enforce with only one configured, but relying on a single mechanism is fragile: SPF breaks when mail is forwarded, and DKIM breaks if a relay modifies the message. Configuring both gives each message two independent chances to align, which is why production domains publish SPF and sign with DKIM before enforcing at reject.
Related free tools
DMARC stops spoofed email. We stop the rest.
Lookalike domains, phishing pages, and fake apps live outside email. PhishEye finds and takes them down.
