Log In Start Free

DMARC Record Checker

Enter a domain to look up its DMARC record, validate the syntax against RFC 7489, and get actionable recommendations. All checks run in your browser — nothing is sent to our servers.

How DMARC Works

What is DMARC?

DMARC (Domain-based Message Authentication, Reporting and Conformance) is an email authentication protocol defined in RFC 7489. It builds on SPF and DKIM by adding a policy layer: domain owners publish a DNS TXT record at _dmarc.example.com that tells receiving mail servers what to do when a message fails both SPF and DKIM alignment checks. DMARC also provides a reporting mechanism so domain owners can see who is sending email on their behalf and whether those messages pass authentication.

Key DMARC Tags Explained

Tag Required Description
v Yes Version. Must be DMARC1 and must be the first tag in the record.
p Yes Domain policy. Tells receivers how to handle messages that fail DMARC: none (monitor only), quarantine (deliver to spam), or reject (refuse delivery).
sp No Subdomain policy. Same values as p. If absent, subdomains inherit the domain policy.
rua No Aggregate report URI(s). Comma-separated mailto: addresses that receive daily XML reports summarizing authentication results.
ruf No Forensic report URI(s). Addresses that receive per-message failure reports. Many providers do not send these due to privacy concerns.
adkim No DKIM alignment mode. r = relaxed (default, organizational domain match), s = strict (exact domain match).
aspf No SPF alignment mode. r = relaxed (default), s = strict.
pct No Percentage of failing messages the policy applies to (0-100). Defaults to 100. Useful for gradual policy rollouts.
fo No Failure reporting options. 0 = report if all checks fail (default), 1 = report if any check fails, d = DKIM failure, s = SPF failure. Colon-separated.
ri No Requested report interval in seconds. Default is 86400 (24 hours). Most providers send daily regardless of this value.
rf No Forensic report format. Currently only afrf (Authentication Failure Reporting Format) is defined.

Common DMARC Issues

No DMARC record published
Without a DMARC record, receivers have no policy guidance and your domain is more vulnerable to spoofing. Even a p=none record with an rua address gives you visibility into who is sending as your domain.
p=none without rua
Setting p=none without an aggregate report address means you are in monitoring mode but not actually receiving any reports. Always pair p=none with a rua address to collect data before tightening your policy.
pct less than 100
A pct value below 100 means only a fraction of failing messages have the policy applied; the rest are treated as p=none. This is useful during rollout but should be increased to 100 once you are confident in your configuration.
Missing sp tag
Without an explicit sp tag, all subdomains inherit the domain-level policy. If you have subdomains that do not send email, consider setting sp=reject to prevent subdomain spoofing even if your top-level policy is more permissive.

Further Reading