DMARC Record Checker
Validate any domain's DMARC record. Check your DMARC policy, reporting configuration, and alignment settings.
What is DMARC?
DMARC stands for Domain-based Message Authentication, Reporting & Conformance. It is a DNS protocol that tells inbox providers what to do when an email claiming to come from your domain fails SPF or DKIM authentication checks. By publishing a DMARC record, you give receiving mail servers an explicit policy for handling unauthenticated messages, closing the gap that SPF and DKIM leave open on their own.
A DMARC record supports three policy levels. With p=none, the domain owner collects authentication reports without affecting mail delivery — this is the monitoring-only stage. With p=quarantine, messages that fail authentication are routed to the recipient's spam or junk folder. With p=reject, failing messages are blocked outright and never reach the inbox. Most organizations start at p=none, review their aggregate reports, and gradually move toward p=reject as they confirm all legitimate senders are properly authenticated.
DMARC adoption is no longer optional for many senders. Since February 2024, Google and Yahoo require bulk senders to publish a DMARC record with at least p=none. Failing to comply can result in email being throttled, sent to spam, or rejected entirely. Beyond compliance, DMARC provides valuable reporting that reveals which services and IP addresses are sending email on behalf of your domain, helping you detect unauthorized senders and phishing attempts.
What does this tool check?
- DMARC record existence— verifies that a valid TXT record is published at _dmarc.yourdomain.com.
- Policy type— identifies whether the domain uses p=none, p=quarantine, or p=reject and explains the implications of each.
- Reporting addresses (rua/ruf)— checks that aggregate (rua) and forensic (ruf) report recipients are configured so you receive authentication data.
- Alignment mode— evaluates SPF and DKIM alignment settings (relaxed vs. strict) to determine how closely the From header must match authenticated domains.
- Subdomain policy— inspects the sp= tag to see whether subdomains inherit the parent policy or have their own enforcement level.
Frequently Asked Questions
What is a DMARC record?
A DMARC record is a DNS TXT entry published at _dmarc.yourdomain.com that tells receiving mail servers how to handle emails that fail SPF or DKIM authentication checks. It specifies a policy (none, quarantine, or reject), alignment requirements, and reporting addresses where authentication results are sent. Without a DMARC record, inbox providers have no instructions for dealing with unauthenticated mail claiming to be from your domain.
What DMARC policy should I use?
Start with p=none to collect reports without affecting mail delivery. Once you have reviewed your DMARC aggregate reports and confirmed that all legitimate senders pass SPF or DKIM, move to p=quarantine to send failing messages to spam. After a further monitoring period with no false positives, upgrade to p=reject for full protection. Jumping straight to p=reject without monitoring can cause legitimate email to be blocked.
What does rua mean in DMARC?
The rua tag in a DMARC record specifies the email address where aggregate reports should be sent. Aggregate reports are XML files sent daily by inbox providers that summarize authentication results for all emails received from your domain. They show which IP addresses are sending mail on your behalf and whether those messages pass or fail SPF and DKIM. The format is rua=mailto:dmarc-reports@yourdomain.com. A separate tag, ruf, specifies the address for forensic (failure) reports, which contain details about individual failing messages.
Do I need DMARC if I have SPF?
Yes. SPF alone only verifies that the sending server is authorized, but it does not tell inbox providers what to do when a check fails. DMARC adds an enforcement policy (quarantine or reject) and an alignment requirement that links SPF and DKIM results back to the From header domain the recipient sees. Without DMARC, a spoofer can still forge your From address even if your SPF record is correct. DMARC also enables aggregate reporting, giving you visibility into who is sending email as your domain.
Is DMARC required by Google and Yahoo?
Yes. Since February 2024, Google and Yahoo require all bulk senders (those sending more than 5,000 messages per day to their users) to publish a DMARC record with at least p=none. Senders who do not comply may see their email throttled, sent to spam, or rejected entirely. Even if you send fewer than 5,000 messages, publishing a DMARC record is strongly recommended as a baseline security measure and is increasingly expected by other inbox providers as well.