DMARC Record Checker

Validate your DMARC policy, alignment settings, and reporting configuration. See exactly how your domain handles unauthenticated email.

What is DMARC?

DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an email authentication protocol that builds on SPF and DKIM. It lets domain owners tell receiving mail servers what to do when an email fails authentication checks, and provides a reporting mechanism to monitor unauthorized use of the domain.

DMARC Policies

The DMARC policy tag (p=) determines what happens to emails that fail both SPF and DKIM alignment:

  • none - Monitor only. No action is taken on failing emails, but reports are still sent. This is the recommended starting policy.
  • quarantine - Failing emails are sent to the spam/junk folder.
  • reject - Failing emails are blocked entirely. This is the most protective policy.

DMARC Alignment

DMARC requires that the domain in the From header aligns with the domain authenticated by SPF or DKIM. Alignment can be set to "strict" (exact match) or "relaxed" (organizational domain match). Relaxed alignment is the default and is suitable for most setups.

DMARC Reporting

DMARC supports two types of reports:

  • Aggregate reports (rua) - Daily XML reports summarizing authentication results for all emails sent from your domain. Essential for monitoring.
  • Forensic reports (ruf) - Individual failure reports with message details. Not all providers send these due to privacy concerns.

DMARC Deployment Path

  1. Start with p=none and configure aggregate reporting to monitor traffic.
  2. Review reports to identify and authorize all legitimate senders.
  3. Move to p=quarantine once you are confident all legitimate sources pass authentication.
  4. Finally, move to p=reject for full protection against spoofing.

Need to create a DMARC record? Try our DMARC Record Generator.

Frequently Asked Questions

A DMARC (Domain-based Message Authentication, Reporting, and Conformance) record is a DNS TXT record published at _dmarc.yourdomain.com that tells receiving mail servers how to handle emails that fail SPF and DKIM authentication checks. It enables domain owners to set a policy -- none, quarantine, or reject -- and provides a reporting mechanism so you receive data about who is sending email on your behalf and whether those messages pass authentication.

Enter your domain name into our free DMARC record checker tool above. The tool queries DNS for a TXT record at _dmarc.yourdomain.com and displays the results, including policy settings, alignment configuration, reporting addresses, and any issues found. You can also perform a manual lookup using nslookup -type=txt _dmarc.yourdomain.com.

This error means your domain does not have a published DMARC policy in DNS, leaving it unprotected against email spoofing and phishing attacks. To fix it, first ensure you have valid SPF and DKIM records configured, then create a DMARC TXT record (starting with v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com) and add it to your DNS at the _dmarc subdomain. Begin with a p=none monitoring policy and gradually move toward enforcement.

The p=none policy is a monitoring-only mode that takes no action on failing emails but sends reports to the domain owner. The p=quarantine policy routes failing emails to the recipient's spam or junk folder. The p=reject policy blocks failing emails entirely, preventing delivery. Best practice is to implement DMARC in stages -- starting with p=none to monitor, then p=quarantine, and finally p=reject once all legitimate sending sources are authenticated.

As of 2024-2025, Google, Yahoo, and Microsoft all require DMARC authentication for bulk email senders (those sending more than 5,000 emails per day), and non-compliant emails are rejected or sent to spam. Without a DMARC record, your domain is vulnerable to spoofing, your legitimate emails are more likely to land in spam, and you lose visibility into who is sending email on your behalf. Implementing DMARC proactively protects your brand reputation and improves overall email deliverability.

SPF verifies that an email was sent from an IP address authorized by the domain owner. DKIM uses cryptographic signatures to confirm the email content has not been tampered with in transit. DMARC builds on top of both by checking that the domain in the visible "From" header aligns with the domain authenticated by SPF or DKIM, and it tells receiving servers what to do when authentication fails. Together, all three protocols work as complementary layers of email security.

A new or updated DMARC record typically takes between a few minutes and 48 hours to fully propagate across the global DNS system. Major email providers like Gmail and Outlook usually pick up the record within 1-24 hours. To speed up propagation, set a low TTL value (such as 300 seconds) on your DMARC TXT record before making changes.

No, a domain must have only one DMARC record. If a receiving mail server finds two or more DMARC records during a DNS lookup, the DMARC check fails and the policy is ignored entirely, leaving your domain unprotected. Note that subdomains can have their own individual DMARC records, which will override the organizational domain's policy for that subdomain.

Aggregate reports (RUA) are XML-formatted summaries sent daily by receiving mail servers that show the total volume of emails sent from your domain, which IP addresses sent them, and whether they passed or failed authentication. Forensic reports (RUF) are real-time, per-message failure notifications with detailed information about individual emails that failed DMARC. Every domain owner should configure at least the rua tag to receive aggregate reports for essential visibility.

A DMARC record contains tag-value pairs separated by semicolons. The required tags are v (version, always DMARC1) and p (policy: none, quarantine, or reject). The rua tag specifies the email address for aggregate reports, ruf for forensic reports, pct defines the percentage of failing emails the policy applies to, adkim/aspf set alignment mode (strict or relaxed), sp sets subdomain policy, and fo controls forensic report triggers.