Free tool
DMARC Record Checker
Look up any domain's published DMARC record live, confirm whether the policy actually rejects spoofed mail, and get plain-English fixes. Reads public DNS only.
Live DNS lookup via DNS-over-HTTPS. We only read public DNS records.
How the DMARC check works
Enter a domain and the tool performs a live DNS lookup of the _dmarc.<domain> TXT record, then grades the policy it finds. It reads the key tags — p (policy), sp (subdomain policy), rua (aggregate reports), pct (coverage), and alignment settings — and tells you in plain English whether your domain is actually protected or merely monitoring.
From monitoring to enforcement
A record at p=none is the most common — and most dangerous — finding: it looks like DMARC is "set up," but spoofed mail still lands. Move toward p=reject deliberately: confirm your SPF and DKIM are aligned for every legitimate sender first, then tighten the policy. Build a correct record with the DMARC generator. Learn the terminology in the email spoofing and business email compromise glossary entries.
Frequently asked questions
What is a DMARC record?
DMARC (Domain-based Message Authentication, Reporting & Conformance) is a TXT record published at _dmarc.yourdomain.com. It tells receiving mail servers what to do with messages that fail SPF and DKIM alignment — monitor (p=none), quarantine, or reject — and where to send reports. It's the policy that actually stops attackers from spoofing your domain.
What's the difference between p=none, quarantine, and reject?
p=none only monitors and reports — spoofed mail still gets delivered. p=quarantine sends failing mail to spam. p=reject blocks it outright. The goal is to reach p=reject: start at none to gather reports, move to quarantine, then reject once legitimate sources are aligned.
Why does my domain need DMARC?
Without an enforcing DMARC policy, anyone can send email that appears to come from your domain. That's how brand-impersonation phishing and business email compromise work. DMARC at p=reject means recipients' servers refuse spoofed mail before it reaches a victim.
How do I fix a weak DMARC record?
Add a reporting address (rua=) to start receiving data, ensure SPF and DKIM are aligned for all your legitimate senders, then progress the policy from none → quarantine → reject. Use the DMARC record generator to build a correct record, and the SPF and DKIM checkers to confirm your senders authenticate.
Related free tools
Email authentication
SPF Record Checker
Look up and validate a domain's SPF record, including the 10-lookup limit and the all-qualifier that controls enforcement.
Email authentication
DKIM Record Checker
Enter a domain and selector to fetch and validate the DKIM public key that proves your mail wasn't tampered with.
Awareness
Phishing Quiz
Realistic email, SMS, QR-code, voice and social scenarios. Guess phishing or legitimate, then see which red flags gave each one away.
DMARC stops spoofed email. We stop the rest.
Lookalike domains, phishing pages, and fake apps live outside email. PhishEye finds and takes them down.