Free DMARC Record Checker

DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an email authentication protocol that helps protect your domain from email spoofing and phishing attacks. It builds on SPF and DKIM to provide a way for domain owners to:

• Specify how to handle emails that fail authentication
• Receive reports about email authentication results
• Gradually enforce stricter policies without disrupting legitimate email

How this check works

This tool queries the _dmarc.{domain} TXT record via DNS, parses the tag-value pairs defined in RFC 7489, and validates each field against the specification. Checks include policy presence (p= tag), alignment mode (aspf/adkim), reporting URIs (rua/ruf), subdomain policy (sp=), and percentage (pct=). Results are advisory — this tool does not send email or observe live authentication outcomes.

Limitations: This check reflects the published DNS record at the time of lookup. It does not verify that aggregate reports are being received, that SPF/DKIM are configured correctly, or that the policy is achieving its intended effect. Use the full SpoofSentry platform for continuous monitoring with aggregate report analysis.

DMARC Policy Levels

• p=none — Monitor mode. No action is taken on failing emails, but you receive reports. Learn about DMARC monitoring.
• p=quarantine — Suspicious emails are sent to spam/junk folders.
• p=reject — Failing emails are rejected entirely and never delivered. Compare quarantine vs reject.

Example DMARC Record

v=DMARC1; p=reject; rua=mailto:[email protected]; pct=100

Why DMARC Matters

Without DMARC, attackers can send emails that appear to come from your domain. This can damage your brand reputation, lead to phishing attacks against your customers, and affect email deliverability. Major email providers like Google and Yahoo now require DMARC for bulk senders.

Common DMARC Mistakes

• No rua= tag — You publish a DMARC record but never receive aggregate reports because you forgot to include a reporting address. Without reports, you have no visibility into who is sending as your domain.
• Staying at p=none indefinitely — Monitor mode collects data but does not protect your domain from spoofing. The goal is to reach quarantine or reject once you've identified all legitimate senders.
• Missing SPF or DKIM alignment — DMARC requires that either SPF or DKIM passes and aligns with your From domain. A passing SPF check for a different domain does not count.
• Ignoring subdomain policy (sp=) — If you don't set sp=, subdomains inherit your parent domain's policy. Subdomains you don't use for email should have sp=reject to prevent subdomain spoofing.
• Publishing multiple DMARC records — Only one DMARC record should exist at _dmarc.yourdomain.com. Multiple records cause unpredictable behavior.

What to Do After Checking Your DMARC Record

Validating your DMARC record is the first step. Here's what comes next:

1. Set up monitoring — Start collecting aggregate reports to see who is sending email as your domain.
2. Check your full posture — Use the Domain Security Score to assess your domain across DMARC, SPF, DKIM, DNSSEC, MTA-STS, and more.
3. Read your reports — Learn how to interpret DMARC aggregate reports to identify authorized senders and spot abuse.
4. Plan enforcement — Once you've identified all legitimate senders, gradually move toward quarantine and then reject.

Frequently Asked Questions

How do I create a DMARC record?

Add a TXT record at _dmarc.yourdomain.com in your DNS. A minimal record looks like: v=DMARC1; p=none; rua=mailto:[email protected]. Use the DMARC Record Generator for a guided setup, or follow the complete DMARC setup guide.

Why does my DMARC record show p=none?

p=none means your domain is in monitoring mode. Receiving servers report authentication results but don't take action on failures. This is the correct starting point — it lets you identify all legitimate senders before tightening policy. The risk is staying there too long, because p=none provides no spoofing protection.

Does DMARC affect email deliverability?

DMARC itself does not hurt deliverability. In fact, having DMARC at p=quarantine or p=reject improves deliverability for properly authenticated mail, because receivers trust that you control your sending ecosystem. What can hurt deliverability is moving to enforcement before all legitimate senders are properly configured.

Do I need DMARC if I use Google Workspace or Microsoft 365?

Yes. Google and Microsoft authenticate their own sending, but DMARC protects your domain from unauthorized senders — anyone outside your mail provider who tries to send as your domain. Google requires DMARC for bulk senders, and both providers strongly recommend it.

How long does it take for DMARC to start working?

Once published, your DMARC record is active immediately. Receiving servers start checking it within hours. Aggregate reports typically begin arriving within 24-48 hours. Reaching full enforcement (p=reject) safely takes 4-8 weeks of monitoring and sender remediation.