Skip to main content
Free tool · Email authentication

DMARC Record Checker

Look up any domain's published DMARC record live, confirm whether the policy actually rejects spoofed mail, and get plain-English fixes. Reads public DNS only.

Live DNS lookup via DNS-over-HTTPS. We only read public DNS records.

How the DMARC check works

Enter a domain and the tool performs a live DNS lookup of the _dmarc.<domain> TXT record, then grades the policy it finds. It reads the key tags — p (policy), sp (subdomain policy), rua (aggregate reports), pct (coverage), and alignment settings — and tells you in plain English whether your domain is actually protected or merely monitoring.

From monitoring to enforcement

A record at p=none is the most common — and most dangerous — finding: it looks like DMARC is "set up," but spoofed mail still lands. Move toward p=reject deliberately: confirm your SPF and DKIM are aligned for every legitimate sender first, then tighten the policy. Build a correct record with the DMARC generator. Learn the terminology in the email spoofing and business email compromise glossary entries.

DMARC record tags explained: a tag-by-tag reference

Every DMARC record is a single TXT string of semicolon-separated tags. Running a DMARC record lookup shows you the raw string; this reference decodes what each tag controls so a DMARC analyzer report is readable at a glance.

  • v is the version and must be the first tag, always v=DMARC1. If it is missing or misspelled, receivers ignore the record entirely.
  • p is the policy for the From-header domain: p=none (monitor only), p=quarantine (send failing mail to spam), or p=reject (refuse it at the gateway).
  • sp is the policy applied to subdomains. If absent, subdomains inherit p; set it explicitly (for example sp=reject) to control them independently.
  • pct is the percentage of failing mail the requested policy is applied to, valid from pct=0 to pct=100. The remaining messages get the next-lower action (reject falls back to quarantine, quarantine to none), so pct=0 means effectively none of the mail receives the requested policy. pct=100 is the default and the goal.
  • rua lists the addresses that receive aggregate XML reports (typically daily, at the interval requested by ri), as mailto: URIs (for example rua=mailto:[email protected]). These reports reveal every source sending as your domain.
  • ruf lists addresses for per-message forensic (failure) reports. Support is limited and reports may contain redacted headers, so many receivers never send them.
  • adkim sets DKIM alignment strictness: adkim=r (relaxed, default) requires the DKIM d= domain and the From domain to share an Organizational Domain (so subdomains align); adkim=s (strict) requires the d= domain to exactly equal the From domain.
  • aspf sets SPF alignment strictness: aspf=s (strict) requires the SPF-authenticated domain (the RFC5321.MailFrom / envelope-from domain) to exactly equal the From header domain; aspf=r (relaxed, default) requires only that their Organizational Domains match.
  • fo sets failure-reporting options: fo=0 (default) reports only when both SPF and DKIM fail, fo=1 reports when either fails, fo=d on any DKIM failure, fo=s on any SPF failure.
  • rf names the forensic report format, effectively always rf=afrf (the Authentication Failure Reporting Format defined in RFC 6591).
  • ri is the requested interval in seconds between aggregate reports, defaulting to ri=86400 (24 hours). Receivers treat this as a hint, not a guarantee.

Use this alongside the SPF checker and DKIM checker, since DMARC alignment only passes when SPF or DKIM authenticates against the same domain your recipients see in the From header.

DMARC misconfigurations this checker flags

DMARC record validation is less about syntax and more about whether the record actually blocks spoofing. These are the specific problems the analyzer surfaces, ranked by how much exposure they leave open:

  • No record at all: nothing is published at _dmarc.<domain>, so receivers have no policy to enforce and anyone can send as your domain. This is the baseline state exploited in email spoofing and business email compromise.
  • p=none mistaken for real protection: the record exists and reports flow, but failing mail is still delivered. Monitoring is a starting point, not a defense.
  • Missing rua: with no aggregate reporting address you are blind to which servers send as your domain, so you cannot safely tighten the policy without breaking legitimate mail.
  • pct left below 100 indefinitely: partial coverage is fine during rollout, but any value under pct=100 permanently leaves a share of spoofed mail on the policy you are trying to escape.
  • Missing sp: without a subdomain policy, an attacker can spoof invoices.<domain> or any unused subdomain even when the root domain is at p=reject.
  • Syntax errors: a stray space, a missing semicolon, v=DMARC1 not first, or an invalid mailto: can make receivers discard the whole record so no policy applies.
  • More than one _dmarc TXT record: publishing two DMARC records is a protocol violation, and per RFC 7489 receivers that find multiple records apply none of them, silently disabling your protection.

Frequently asked questions

What is a DMARC record?

DMARC (Domain-based Message Authentication, Reporting & Conformance) is a TXT record published at _dmarc.yourdomain.com. It tells receiving mail servers what to do with messages that fail SPF and DKIM alignment — monitor (p=none), quarantine, or reject — and where to send reports. It's the policy that actually stops attackers from spoofing your domain.

What's the difference between p=none, quarantine, and reject?

p=none only monitors and reports — spoofed mail still gets delivered. p=quarantine sends failing mail to spam. p=reject blocks it outright. The goal is to reach p=reject: start at none to gather reports, move to quarantine, then reject once legitimate sources are aligned.

Why does my domain need DMARC?

Without an enforcing DMARC policy, anyone can send email that appears to come from your domain. That's how brand-impersonation phishing and business email compromise work. DMARC at p=reject means recipients' servers refuse spoofed mail before it reaches a victim.

How do I fix a weak DMARC record?

Add a reporting address (rua=) to start receiving data, ensure SPF and DKIM are aligned for all your legitimate senders, then progress the policy from none → quarantine → reject. Use the DMARC record generator to build a correct record, and the SPF and DKIM checkers to confirm your senders authenticate.

What is the difference between aggregate (rua) and forensic (ruf) reports?

Aggregate reports sent to the rua address are daily XML summaries. They list, per sending source IP, how many messages passed or failed SPF, DKIM, and DMARC alignment. They contain no message content, so they are safe to collect at scale and are what you use to inventory your legitimate senders before moving to enforcement. Forensic reports sent to the ruf address are per-message failure samples generated in near real time. They can include redacted headers and portions of individual messages, which is why most large receivers never send them for privacy reasons. In practice you rely on aggregate reports for rollout and treat any forensic reports you do receive as an occasional bonus signal.

How often should I re-check a DMARC record?

Check it whenever you change email infrastructure: adding a new marketing platform, invoicing tool, help desk, or bulk sender is the moment a previously aligned domain can start failing. Beyond that, a monthly spot check is reasonable for a stable domain, and a quarterly review pairs well with reading your accumulated aggregate reports. If you are actively rolling out from none to quarantine to reject, re-check after every policy change and watch reports for at least one to two weeks before tightening further, since some senders only mail occasionally.

Does DMARC hurt the deliverability of my legitimate mail?

Only if you move to quarantine or reject before all of your real senders are aligned. A correctly configured DMARC policy improves deliverability, because major mailbox providers treat an authenticated, enforcing domain as a trust signal and some now require it for bulk senders. The risk is turning on enforcement while a legitimate source such as a CRM or newsletter platform still fails alignment, which would send that mail to spam or get it rejected. That is exactly why you start at none, use aggregate reports to confirm every source passes SPF or DKIM alignment, and only then raise the policy.

Does DMARC work without both SPF and DKIM?

DMARC does not require both, but it needs at least one to pass in alignment. A message passes DMARC if either SPF aligns (the envelope-from domain matches the From-header domain) or DKIM aligns (the signing d= domain matches the From-header domain). You can technically enforce with only one configured, but relying on a single mechanism is fragile: SPF breaks when mail is forwarded, and DKIM breaks if a relay modifies the message. Configuring both gives each message two independent chances to align, which is why production domains publish SPF and sign with DKIM before enforcing at reject.

DMARC stops spoofed email. We stop the rest.

Lookalike domains, phishing pages, and fake apps live outside email. PhishEye finds and takes them down.