DMARC Record Checker

What Is DMARC?

DMARC (Domain-based Message Authentication, Reporting & Conformance) is an email authentication protocol that builds on top of SPF and DKIM to give domain owners control over how receiving mail servers handle emails that fail authentication.

Without DMARC, even if you have SPF and DKIM configured, receiving servers make their own decisions about what to do with failing emails. DMARC adds a published policy that explicitly tells receivers: “If an email claims to be from my domain but fails authentication, do X.” It also enables reporting, so you can see who is sending email on behalf of your domain and whether they pass or fail authentication.

How DMARC Works

When a receiving mail server gets an email, it performs the following DMARC evaluation:

1. Checks the From header domain of the email
2. Looks up the DMARC record at _dmarc.domain.com
3. Evaluates SPF: Does the sending IP pass SPF, and does the SPF-authenticated domain align with the From domain?
4. Evaluates DKIM: Does the email have a valid DKIM signature, and does the DKIM-signed domain (d= tag) align with the From domain?
5. If either SPF or DKIM passes with alignment, DMARC passes
6. If both fail, applies the DMARC policy (none, quarantine, or reject)
7. Sends aggregate reports to the address specified in the rua tag

DMARC Policy Levels Explained

p=none (Monitoring Only)

The p=none policy tells receivers to take no action on failing emails — deliver them normally. This is the starting point for DMARC deployment. Use it to collect reports and understand your email ecosystem before enforcing a policy. While p=none doesn't prevent spoofing, it's essential for identifying all legitimate email sources before tightening the policy.

p=quarantine (Spam Folder)

The p=quarantine policy instructs receivers to treat failing emails with suspicion — typically delivering them to the spam or junk folder. This provides meaningful protection against spoofing while giving some safety margin: if a legitimate email fails (e.g., due to a forwarding issue), it's still recoverable from the spam folder.

p=reject (Block Completely)

The p=reject policy tells receivers to reject failing emails outright — they are never delivered. This is the strongest protection against email spoofing and phishing. Only move to p=reject after thoroughly monitoring with p=none and p=quarantine to ensure all legitimate email passes authentication.

DMARC Record Tags Reference

A DMARC record is a DNS TXT record at _dmarc.yourdomain.com containing semicolon-separated tags:

• v=DMARC1 — Version identifier (required, must be first)
• p= — Policy for the domain: none, quarantine, or reject (required)
• sp= — Policy for subdomains (defaults to p value if omitted)
• pct= — Percentage of failing emails subject to the policy (default: 100)
• rua= — Where to send aggregate reports (comma-separated mailto: URIs)
• ruf= — Where to send forensic/failure reports
• adkim= — DKIM alignment mode: r (relaxed) or s (strict)
• aspf= — SPF alignment mode: r (relaxed) or s (strict)
• fo= — Failure reporting options: 0 (both fail), 1 (either fails), d (DKIM fails), s (SPF fails)
• rf= — Report format (default: afrf)
• ri= — Aggregate report interval in seconds (default: 86400 = 24 hours)

Common DMARC Record Examples

Monitoring Mode (Start Here)

v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com

Collects reports without affecting email delivery. Start here to understand your email landscape.

Quarantine with Reporting

v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com; ruf=mailto:dmarc-forensic@yourdomain.com; pct=100

Sends failing emails to spam. Good intermediate step before full rejection.

Full Rejection (Maximum Protection)

v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:dmarc@yourdomain.com; pct=100

Rejects all failing emails with strict alignment. The gold standard for email security.

DMARC Deployment Best Practices

1. Start with p=none

Never jump straight to p=reject. Start with monitoring mode, collect reports for 2–4 weeks, and identify all legitimate email sources. Unexpected senders include: marketing tools, CRM systems, invoicing platforms, and third-party services that send email on your behalf.

2. Ensure SPF and DKIM Are Configured First

DMARC depends on SPF and DKIM. Use our SPF checker and DKIM checker to validate both before deploying DMARC. If neither SPF nor DKIM passes for a legitimate email, DMARC will fail it.

3. Set Up Reporting

Always include a rua tag. DMARC aggregate reports are the primary mechanism for understanding your email authentication landscape. Many free services (Google Postmaster Tools, dmarcian, EasyDMARC) can parse these XML reports into readable dashboards.

4. Use pct for Gradual Rollout

When moving from p=none to p=quarantine, use the pct tag for gradual rollout. Start with pct=5 (apply the policy to only 5% of failing emails), then increase gradually: 25%, 50%, 100%. This minimizes the risk of blocking legitimate email.

5. Monitor the Email Authentication Stack

DMARC, SPF, and DKIM all depend on DNS being available and your mail servers being online. API Status Check can monitor your DNS records, SMTP servers, and API endpoints — alerting you immediately when something breaks, before it affects email deliverability.

DMARC and Email Deliverability

Major email providers (Google, Microsoft, Yahoo) now require DMARC for bulk senders. In February 2024, Google and Yahoo implemented new requirements: domains sending more than 5,000 emails per day must have a DMARC record with at least p=none. Without it, bulk emails may be throttled or rejected.

Beyond compliance, DMARC directly improves deliverability. Domains with p=reject have higher inbox placement rates because email providers trust them more — they know unauthorized emails will be explicitly rejected, reducing spam and phishing from that domain.

The Complete Email Authentication Stack

DMARC works best as part of a complete email authentication strategy:

• SPF — Verifies the sending server's IP is authorized by the domain owner
• DKIM — Verifies the email content hasn't been tampered with using cryptographic signatures
• DMARC — Ties SPF and DKIM together with a policy and reporting
• BIMI (Brand Indicators for Message Identification) — Displays your brand logo next to authenticated emails in supporting clients
• MX Records — Ensure your mail servers are correctly configured for inbound delivery

Frequently Asked Questions About DMARC

What is a DMARC record?

A DMARC record is a DNS TXT record published at _dmarc.yourdomain.com that tells receiving mail servers what to do when an email fails SPF and DKIM authentication. Policies range from monitoring only (p=none) to full rejection (p=reject).

How do I check my DMARC record?

Enter your domain in the DMARC checker above and click “Check DMARC.” The tool queries DNS for the record at _dmarc.yourdomain.com, parses all tags, and provides a security grade with actionable recommendations.

What is the difference between p=none, p=quarantine, and p=reject?

p=none is monitoring only — no action is taken. p=quarantine sends failing emails to spam. p=reject blocks failing emails entirely. Start with p=none, then progress to p=reject over time.

What does the rua tag mean?

The rua tag specifies where aggregate DMARC reports should be sent. These daily XML reports from receiving servers show who is sending email as your domain and whether they pass authentication.

How do I set up DMARC?

First ensure SPF and DKIM are configured. Then add a TXT record at _dmarc.yourdomain.com with: v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com. Monitor reports for 2–4 weeks before tightening the policy.

What is DMARC alignment?

Alignment checks whether the authenticated domain (via SPF or DKIM) matches the visible From header domain. Relaxed alignment allows organizational domain matches; strict requires exact matches. Controlled by adkim= and aspf= tags.

How does DMARC work with SPF and DKIM?

DMARC requires at least one of SPF or DKIM to pass and align with the From domain. If both fail alignment, DMARC applies the specified policy (none, quarantine, or reject).

Why is my DMARC record not working?

Common causes: the record is not at _dmarc.yourdomain.com, SPF/DKIM are not configured, alignment failure (third-party senders not signing with DKIM for your domain), or syntax errors. Use our checker to diagnose.