Free DNS tool

DMARC Record Checker

Validate your DMARC policy, alignment, and reporting tags, and see exactly how your domain tells receivers to handle mail that fails authentication.

No login required. We query live DNS and never store your domain.

Try it instantly

Run a DMARC check on a well known domain, or enter your own above.

DMARC, explained

What is a DMARC record?

DMARC, short for Domain-based Message Authentication, Reporting, and Conformance, is an email authentication standard that builds on SPF and DKIM. A DMARC record is a single DNS TXT record published at _dmarc.yourdomain.com, beginning with v=DMARC1. It does two things: it tells receiving mail servers what policy to apply when a message fails authentication, and it asks them to send back reports showing who is using your domain to send mail.

The standard is defined in RFC 7489. Since 2024, Google, Yahoo, and Microsoft have all required a published DMARC record for bulk senders, so a valid record is no longer optional if you send any meaningful volume of email.

How DMARC uses SPF and DKIM alignment

DMARC does not replace SPF and DKIM. It sits on top of them and adds the concept of alignment. SPF checks the envelope sender, and DKIM checks a cryptographic signature, but neither one looks at the visible From address your recipients actually see. DMARC closes that gap by requiring the authenticated domain to match the From domain.

A message passes DMARC when SPF passes and aligns with the From domain, or when DKIM passes and aligns with it. Only one of the two needs to align. Alignment can be relaxed, which matches the organizational domain, or strict, which requires an exact match. Relaxed is the default and works for most senders.

  • SPF alignment (aspf): compares the From domain with the domain SPF authenticated. Set to r for relaxed or s for strict.
  • DKIM alignment (adkim): compares the From domain with the domain in the DKIM signature. Also r or s.
  • Pass logic: if either SPF or DKIM passes and aligns, DMARC passes, regardless of the other result.

The policies: p=none, p=quarantine, and p=reject

The policy tag, p=, is the heart of a DMARC record. It tells receivers what to do with mail that fails the alignment check above.

  • p=none is monitoring only. Failing mail is still delivered normally, but you receive reports. It collects data and provides no spoofing protection on its own, so it is a starting point, not a destination.
  • p=quarantine asks receivers to treat failing mail with suspicion, usually by routing it to the spam folder. It is the first enforcing policy.
  • p=reject tells receivers to block failing mail outright, so it never reaches the inbox or the spam folder. This is the strongest setting and the goal of a full rollout.

Two related tags shape how the policy is applied. The subdomain policy, sp=, sets a separate rule for subdomains and defaults to the main policy when omitted. The percentage tag, pct=, applies the policy to only a sample of failing mail, which is useful while ramping up but should reach 100 before you rely on enforcement.

Reading aggregate reports

The reporting tags are what make DMARC actionable. The aggregate report tag, rua=, names an address that receives daily XML summaries from mailbox providers. Each report lists the sending IP addresses seen using your domain, the volume from each, and whether those messages passed SPF, DKIM, and alignment.

These reports are how you discover every legitimate service that sends on your behalf, from your help desk to your newsletter platform, before you tighten the policy. A forensic tag, ruf=, can request per-message failure samples, but many providers no longer send them for privacy reasons, so aggregate reporting is the one that matters. Without a rua address you are enforcing blind, with no visibility into what your policy is affecting.

Rolling out DMARC safely

The safe path is gradual. Moving straight to p=reject before you have mapped every sender is the fastest way to block your own legitimate mail. Work through these steps in order, re-scanning after each change.

  1. Publish p=none with rua. Start in monitoring mode with an aggregate report address so you collect data without affecting delivery.
  2. Authenticate every sender. Read the reports, then bring each legitimate service into SPF and DKIM alignment until the failures you see are only spoofing attempts.
  3. Move to p=quarantine. Once the reports are clean, switch to quarantine, optionally using pct to ramp from a small sample up to 100 percent.
  4. Finish at p=reject. When quarantine causes no collateral damage, move to reject for full protection against spoofing of your domain.

DMARC only works when SPF and DKIM are in place first. Confirm both with the SPF record checker and the DKIM record checker, build a policy with the DMARC record generator, then grade everything together with the sender reputation checker.

Frequently asked

DMARC record questions

What is a DMARC record and what does it do?
A DMARC record is a single DNS TXT record published at _dmarc.yourdomain.com, beginning with v=DMARC1. It tells receiving mail servers what policy to apply when a message fails SPF and DKIM alignment, and it requests reports showing who is sending mail using your domain. Together those two functions let you protect the visible From address and gain visibility into your sending sources.
What do p=none, p=quarantine, and p=reject mean?
They are the three DMARC policy levels. p=none is monitoring only: failing mail is still delivered, but you receive reports. p=quarantine asks receivers to send failing mail to the spam folder. p=reject tells them to block it entirely so it never arrives. Best practice is to start at none, then move to quarantine, and finally reject once every legitimate sender authenticates.
How do I check if my DMARC record is valid?
Enter your domain in the checker above. It performs a live DNS lookup at _dmarc.yourdomain.com, confirms a single v=DMARC1 record exists, parses the policy, alignment, and reporting tags, and flags anything that weakens protection. You can cross-check manually with nslookup -type=txt _dmarc.yourdomain.com, but the tool also reads the individual tags and explains what each one means.
What is DMARC alignment?
Alignment is the rule that the authenticated domain must match the visible From domain. A message passes DMARC when SPF passes and aligns, or when DKIM passes and aligns; only one of the two needs to align. Relaxed alignment matches the organizational domain and is the default, while strict alignment requires an exact match. This is the check that lets DMARC protect the From address that recipients actually see.
Do I need a DMARC record?
If you send any meaningful volume of email, yes. Since February 2024, Google and Yahoo require a published DMARC record for bulk senders of 5,000 or more messages a day, and Microsoft enforces the same expectation for Outlook. Non-compliant mail is filtered to spam or rejected. Even smaller senders benefit, because DMARC protects your domain from spoofing and improves how mailbox providers treat your mail.
What is a rua report?
The rua tag names an address that receives DMARC aggregate reports, which are daily XML summaries sent by mailbox providers. Each report lists the IP addresses sending mail as your domain, the volume from each, and whether those messages passed SPF, DKIM, and alignment. Aggregate reports are how you discover every legitimate sender before tightening your policy, so configuring rua is essential for any safe rollout.
Can a domain have more than one DMARC record?
No. A domain must publish exactly one DMARC record at the _dmarc subdomain. If receivers find two or more v=DMARC1 records, the check fails and the policy is ignored entirely, leaving the domain unprotected. Subdomains can publish their own DMARC records that override the organizational policy, but each individual host must have a single record.
How do I set up DMARC safely without blocking my own email?
Roll it out in stages. Publish p=none with a rua address first so you monitor without affecting delivery, then use the reports to bring every legitimate sender into SPF and DKIM alignment. Once the only failures left are spoofing attempts, move to p=quarantine, optionally using pct to ramp up gradually, and finish at p=reject. Skipping straight to reject before mapping your senders is the most common way to block legitimate mail.
Does DMARC actually stop email spoofing?
DMARC stops exact-domain spoofing once it is set to an enforcing policy. With p=quarantine or p=reject, receivers are told to filter or block mail that fails authentication and alignment, which prevents attackers from forging your exact From domain. It does not stop look-alike domains or display-name tricks, so it is one strong layer rather than a complete defense against every kind of phishing.
Why does DMARC fail even though SPF and DKIM pass?
This is almost always an alignment problem. DMARC does not just need SPF or DKIM to pass, it needs the domain they authenticated to match the domain in your visible From address. A common cause is a third-party sender that passes SPF on its own domain rather than yours, or signs DKIM with its domain. Fix it by setting up custom authentication with the provider so the passing domain aligns with your From domain.
How do I read a DMARC aggregate report?
Aggregate reports are XML files that mailbox providers send to your rua address, usually once a day. Each one lists the sending IP addresses seen using your domain, how many messages came from each, and whether they passed SPF, DKIM, and alignment. The raw XML is hard to read by eye, so most people feed it into a report parser, but the goal is simple: confirm every passing source is a sender you recognize, and treat the failing ones as either misconfigured services or spoofing.
What is BIMI and does it require DMARC?
BIMI, short for Brand Indicators for Message Identification, displays your logo next to your messages in supporting inboxes. It only works once you have DMARC at an enforcing policy of quarantine or reject, because providers will not show a brand logo for mail they cannot fully trust. So DMARC is a prerequisite: reach enforcement first, then BIMI becomes available as a visible reward for strong authentication.