SPF Record Checker
Validate your SPF record — the first authentication layer DMARC evaluates.
Open toolHome › Tools › Network & DNS › Network & DNS Tools
Validate your DMARC policy — inspect enforcement level, alignment, and reporting configuration.
Enter a target and run the tool.
Results
| Type | TTL | Value |
|---|
A DMARC (Domain-based Message Authentication, Reporting, and Conformance) record is a DNS TXT entry that tells receiving mail servers what to do when a message claims to come from your domain but fails SPF or DKIM authentication. Without DMARC, even a correctly configured SPF record only affects how the receiving server scores the message — the outcome depends entirely on that server's own policies. DMARC gives domain owners explicit control: quarantine suspicious messages to the spam folder, reject them outright, or run in monitoring mode while you observe authentication results before committing to enforcement. The AT USE DMARC Checker queries _dmarc.{domain} via a live DNS-over-HTTPS resolver, parses every tag in the record, and returns a structured breakdown of your current policy alongside plain-English warnings for common misconfigurations.
DMARC adds a policy layer on top of SPF and DKIM. For a message to pass DMARC, at least one of SPF or DKIM must pass — and the passing mechanism must be aligned with the From header domain. SPF alignment means the domain in the SMTP envelope-from address matches (or is a subdomain of, in relaxed mode) the From header domain. DKIM alignment means the d= domain in the DKIM signature matches the From header domain. Alignment is the key distinction between DMARC and standalone SPF or DKIM: a spammer can send a message that passes SPF using their own domain in the envelope-from while using your domain in the visible From header. DMARC catches this because SPF passes but is not aligned with the From domain.
The p= tag sets what receivers should do with messages that fail DMARC evaluation. p=none is monitoring mode: failures are reported (if rua= is set) but no action is taken on delivery. This is the starting point for new DMARC deployments — it lets you see what is sending on behalf of your domain before enforcing anything. p=quarantine instructs receivers to route failing messages to the spam or junk folder. p=reject instructs receivers to block failing messages entirely. The standard progression is none first, then quarantine at 100% or a lower pct= value, then reject once you are confident no legitimate mail is failing. Moving too fast to p=reject before auditing all senders causes legitimate mail to be blocked.
The rua= tag specifies where aggregate DMARC reports should be sent. These reports, delivered daily as XML by participating receivers, show authentication pass and fail counts per sending source — broken down by IP, with SPF and DKIM alignment results. They give you visibility into whether any legitimate mail is failing authentication before you raise policy to quarantine or reject. The ruf= tag specifies a forensic report address for individual failure samples. Aggregate reports are widely supported by major providers; forensic reports have reduced coverage due to privacy concerns from receivers. If rua= is missing from your DMARC record, you are running blind — failures are silently dropped or quarantined without you seeing them.
The sp= tag sets a separate policy for subdomains (mail.example.com, send.example.com, etc.). If sp= is absent, subdomains inherit the p= policy. The pct= tag (default 100) applies the p= enforcement to a percentage of failing messages, letting you ramp up enforcement gradually. For example, p=quarantine pct=20 quarantines 20% of failing messages and passes the other 80%, reducing the blast radius of an incomplete SPF/DKIM setup during a transition period. The DMARC Checker shows your current pct= value and flags when it is below 100 on a p=quarantine or p=reject policy, so you know enforcement is partial.
p=none is a monitoring policy. Messages that fail DMARC are delivered normally — no spam classification, no rejection. Failures are included in aggregate reports if rua= is configured. p=quarantine instructs receiving servers to route failing messages to the spam or junk folder. Neither policy prevents delivery entirely — p=reject does that. Start with p=none to observe your authentication landscape before enforcing anything.
DMARC requires at least one of SPF or DKIM to pass AND be aligned with the From header domain. SPF on its own only authenticates the envelope-from address, which can differ from the visible From header. DKIM on its own only authenticates the presence of the signature, not the From domain. DMARC ties both to the From domain the recipient actually sees, closing the gap that allows phishing messages to pass individual SPF or DKIM checks while still appearing to come from a trusted domain.
SPF failures in DMARC are usually alignment failures, not SPF failures. Your SPF record may pass for the sending IP, but if the envelope-from domain does not match the From header domain, DMARC's SPF alignment check fails. This happens frequently with email service providers that use their own domain in the envelope-from. The fix is usually DKIM alignment — the provider signs with your domain's DKIM key, which aligns with your From header regardless of the envelope-from.
The pct= tag applies DMARC enforcement to a percentage of failing messages. pct=20 means 20% of messages that fail DMARC evaluation are subject to the p= policy; the other 80% are treated as p=none. It exists to allow gradual enforcement rollout — raising pct from 20 to 100 over several weeks reduces the risk of blocking legitimate mail if the SPF or DKIM configuration is incomplete. For fully audited domains, pct=100 is the correct final setting.
DMARC prevents spoofing of your exact domain in the From header at receivers that enforce DMARC — which includes Gmail, Outlook, Yahoo Mail, and most enterprise gateways. It does not prevent look-alike domain spoofing (examples: exarnple.com, example-support.com) or abuse of subdomains if sp= is absent and the subdomain has no separate DMARC record. Monitor aggregate reports for unusual sending patterns even after reaching p=reject.
Open another DNS or domain check task in one click.
Validate your SPF record — the first authentication layer DMARC evaluates.
Open toolVerify the DKIM public key in DNS — the second mechanism DMARC evaluates.
Open toolVerify SSL/TLS certificate validity, expiry, and chain for any domain.
Open toolQuery TXT records to inspect raw DMARC entries in DNS.
Open tool