HomeToolsNetwork & DNS › Network & DNS Tools

DMARC Record Checker

dmarc-checker

Validate your DMARC policy — inspect enforcement level, alignment, and reporting configuration.

Enter a target and run the tool.

About DMARC Record Checker

A DMARC (Domain-based Message Authentication, Reporting, and Conformance) record is a DNS TXT entry that tells receiving mail servers what to do when a message claims to come from your domain but fails SPF or DKIM authentication. Without DMARC, even a correctly configured SPF record only affects how the receiving server scores the message — the outcome depends entirely on that server's own policies. DMARC gives domain owners explicit control: quarantine suspicious messages to the spam folder, reject them outright, or run in monitoring mode while you observe authentication results before committing to enforcement. The AT USE DMARC Checker queries _dmarc.{domain} via a live DNS-over-HTTPS resolver, parses every tag in the record, and returns a structured breakdown of your current policy alongside plain-English warnings for common misconfigurations.

How DMARC authentication works

DMARC adds a policy layer on top of SPF and DKIM. For a message to pass DMARC, at least one of SPF or DKIM must pass — and the passing mechanism must be aligned with the From header domain. SPF alignment means the domain in the SMTP envelope-from address matches (or is a subdomain of, in relaxed mode) the From header domain. DKIM alignment means the d= domain in the DKIM signature matches the From header domain. Alignment is the key distinction between DMARC and standalone SPF or DKIM: a spammer can send a message that passes SPF using their own domain in the envelope-from while using your domain in the visible From header. DMARC catches this because SPF passes but is not aligned with the From domain.

The three policy levels

The p= tag sets what receivers should do with messages that fail DMARC evaluation. p=none is monitoring mode: failures are reported (if rua= is set) but no action is taken on delivery. This is the starting point for new DMARC deployments — it lets you see what is sending on behalf of your domain before enforcing anything. p=quarantine instructs receivers to route failing messages to the spam or junk folder. p=reject instructs receivers to block failing messages entirely. The standard progression is none first, then quarantine at 100% or a lower pct= value, then reject once you are confident no legitimate mail is failing. Moving too fast to p=reject before auditing all senders causes legitimate mail to be blocked.

Aggregate reports and forensic reports

The rua= tag specifies where aggregate DMARC reports should be sent. These reports, delivered daily as XML by participating receivers, show authentication pass and fail counts per sending source — broken down by IP, with SPF and DKIM alignment results. They give you visibility into whether any legitimate mail is failing authentication before you raise policy to quarantine or reject. The ruf= tag specifies a forensic report address for individual failure samples. Aggregate reports are widely supported by major providers; forensic reports have reduced coverage due to privacy concerns from receivers. If rua= is missing from your DMARC record, you are running blind — failures are silently dropped or quarantined without you seeing them.

Subdomain policy and percentage

The sp= tag sets a separate policy for subdomains (mail.example.com, send.example.com, etc.). If sp= is absent, subdomains inherit the p= policy. The pct= tag (default 100) applies the p= enforcement to a percentage of failing messages, letting you ramp up enforcement gradually. For example, p=quarantine pct=20 quarantines 20% of failing messages and passes the other 80%, reducing the blast radius of an incomplete SPF/DKIM setup during a transition period. The DMARC Checker shows your current pct= value and flags when it is below 100 on a p=quarantine or p=reject policy, so you know enforcement is partial.

Common use cases

  • Auditing DMARC protection level before an email service migration — A company migrating from a self-hosted mail server to Google Workspace needs to confirm their DMARC configuration before and after. The DMARC Checker shows the current p=none policy and the rua= address for aggregate reports. After the migration, the IT admin re-checks to confirm the record still reads correctly and that the aggregate report destination has not changed. Once DKIM is confirmed working on the new platform and a week of aggregate reports shows clean results, they advance to p=quarantine.
  • Diagnosing why DMARC aggregate reports are not arriving — A domain owner set up DMARC six weeks ago but has not received any aggregate reports. The DMARC Checker shows the rua= tag points to an address at a different domain that was not added to that domain's DMARC authorization record (RFC 7489 requires the receiving domain to publish a _dmarc record to authorize reports from external domains). The checker flags this misconfiguration so the owner can add the required authorization DNS entry.
  • Preparing to move from p=none to p=quarantine — A security team has been collecting aggregate DMARC reports for 60 days. Before advancing to p=quarantine, they use the DMARC Checker to review the current record: p=none, pct=100, rua= set, no sp= override. They confirm alignment modes are relaxed (the default), which allows subdomains to pass. After verifying that aggregate reports show all legitimate senders pass, they update the record to p=quarantine and re-check using the live resolver to confirm propagation.
  • Finding a misconfigured DMARC record after a domain purchase — A company acquires a domain previously owned by another organization. The DMARC Checker reveals the record has p=reject but the rua= address points to the former owner's inbox. The company updates the rua= to their own reporting address, re-checks to confirm it parses correctly, and then reviews aggregate reports to understand what (if anything) is currently sending from the domain before relaxing or tightening the policy.

How to use this tool

  1. Enter the domain to check in the input field — for example, example.com. Do not include a protocol or path.
  2. Click "Check DMARC" to fetch and parse the _dmarc.example.com TXT record from the live DNS-over-HTTPS resolver.
  3. Review the policy breakdown: p= tag (none/quarantine/reject), pct= percentage, and any sp= subdomain override.
  4. Check the reporting addresses under rua= and ruf= — if rua= is missing, you have no visibility into authentication failures.
  5. Read the plain-English interpretation section for any warnings, including missing records, p=none with no rua=, or pct= values below 100 on an enforcing policy.

Frequently asked questions

What is the difference between DMARC p=none and p=quarantine?

p=none is a monitoring policy. Messages that fail DMARC are delivered normally — no spam classification, no rejection. Failures are included in aggregate reports if rua= is configured. p=quarantine instructs receiving servers to route failing messages to the spam or junk folder. Neither policy prevents delivery entirely — p=reject does that. Start with p=none to observe your authentication landscape before enforcing anything.

How does DMARC relate to SPF and DKIM?

DMARC requires at least one of SPF or DKIM to pass AND be aligned with the From header domain. SPF on its own only authenticates the envelope-from address, which can differ from the visible From header. DKIM on its own only authenticates the presence of the signature, not the From domain. DMARC ties both to the From domain the recipient actually sees, closing the gap that allows phishing messages to pass individual SPF or DKIM checks while still appearing to come from a trusted domain.

Why am I getting DMARC failures even though my SPF record is correct?

SPF failures in DMARC are usually alignment failures, not SPF failures. Your SPF record may pass for the sending IP, but if the envelope-from domain does not match the From header domain, DMARC's SPF alignment check fails. This happens frequently with email service providers that use their own domain in the envelope-from. The fix is usually DKIM alignment — the provider signs with your domain's DKIM key, which aligns with your From header regardless of the envelope-from.

What is the pct= tag and when should I use it?

The pct= tag applies DMARC enforcement to a percentage of failing messages. pct=20 means 20% of messages that fail DMARC evaluation are subject to the p= policy; the other 80% are treated as p=none. It exists to allow gradual enforcement rollout — raising pct from 20 to 100 over several weeks reduces the risk of blocking legitimate mail if the SPF or DKIM configuration is incomplete. For fully audited domains, pct=100 is the correct final setting.

Does DMARC prevent all email spoofing from my domain?

DMARC prevents spoofing of your exact domain in the From header at receivers that enforce DMARC — which includes Gmail, Outlook, Yahoo Mail, and most enterprise gateways. It does not prevent look-alike domain spoofing (examples: exarnple.com, example-support.com) or abuse of subdomains if sp= is absent and the subdomain has no separate DMARC record. Monitor aggregate reports for unusual sending patterns even after reaching p=reject.

Related Network Tools

Open another DNS or domain check task in one click.

Live

SPF Record Checker

Validate your SPF record — the first authentication layer DMARC evaluates.

Open tool
Live

DKIM Lookup

Verify the DKIM public key in DNS — the second mechanism DMARC evaluates.

Open tool
Live

SSL Certificate Checker

Verify SSL/TLS certificate validity, expiry, and chain for any domain.

Open tool
Live

DNS Lookup Tool

Query TXT records to inspect raw DMARC entries in DNS.

Open tool