free dmarc checker
analyze email policy
Check DMARC records for any domain. Analyze authentication policies, parse tags, and assess your protection against email spoofing.
What is DMARC?
DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an email authentication protocol that builds on SPF and DKIM. It allows domain owners to publish a policy in DNS that tells receiving mail servers what to do when an email fails authentication checks.
A DMARC record is a DNS TXT record published at _dmarc.yourdomain.com. It starts with v=DMARC1 and includes tags that define the domain's policy, reporting preferences, and alignment requirements.
The three DMARC policies provide increasing levels of protection: none (monitoring only), quarantine (suspicious emails go to spam), and reject (unauthorized emails are blocked entirely).
How to read DMARC results
The DMARC checker displays your record broken down into individual tags:
- Policy badge — Color-coded assessment: green (reject), yellow (quarantine), or red (none). Shows how strongly your domain is protected.
- Tag — The DMARC tag name (p, sp, rua, ruf, pct, adkim, aspf, etc.).
- Value — The configured value for each tag.
- Description — A human-readable explanation of what the tag controls.
If your policy is set to "none", the tool will warn you to consider upgrading to "quarantine" or "reject" for better protection.
DMARC best practices
Start with p=none and rua reporting to monitor authentication results before enforcing
Configure rua to receive aggregate reports and identify all legitimate email sources
Progress gradually: none → quarantine (with pct) → quarantine (100%) → reject
Set up both SPF and DKIM before implementing DMARC for best results
Use strict alignment (adkim=s, aspf=s) for maximum security once all sources are configured
Frequently asked questions
What is a DMARC record?+
DMARC (Domain-based Message Authentication, Reporting, and Conformance) is a DNS TXT record published at _dmarc.yourdomain.com. It tells receiving mail servers how to handle emails that fail SPF and DKIM authentication checks, and where to send reports about authentication results.
What do the DMARC policies (none, quarantine, reject) mean?+
"none" is monitoring-only — no action is taken on failing emails, but reports are generated. "quarantine" tells receiving servers to treat failing emails as suspicious (typically moved to spam). "reject" instructs servers to refuse delivery of failing emails entirely. You should start with "none" and progress to "reject" as you verify your legitimate email sources.
How do I set up DMARC?+
Add a TXT record at _dmarc.yourdomain.com with the value "v=DMARC1; p=none; rua=mailto:[email protected]". This starts with monitoring mode. Review the aggregate reports to identify all legitimate email sources, then gradually move to "quarantine" and eventually "reject".
What is the "rua" tag in DMARC?+
The "rua" (Reporting URI for Aggregate reports) tag specifies where aggregate DMARC reports should be sent. These XML reports contain statistics about email authentication results for your domain. Format: rua=mailto:[email protected]. You can specify multiple recipients separated by commas.
What is DMARC alignment?+
DMARC alignment ensures the domain in the "From" header matches the domains used in SPF and DKIM checks. "Strict" alignment (adkim=s, aspf=s) requires an exact domain match. "Relaxed" alignment (adkim=r, aspf=r, the default) allows subdomains to match the organizational domain.
What does the "pct" tag do?+
The "pct" (percentage) tag specifies what percentage of failing emails should have the DMARC policy applied. Default is 100. During migration, you might set pct=10 to apply the policy to only 10% of failing messages while monitoring the impact before going to full enforcement.
How does DMARC work with SPF and DKIM?+
DMARC requires either SPF or DKIM to pass AND align with the "From" domain. An email passes DMARC if: (1) SPF passes and the envelope sender domain aligns with the "From" domain, OR (2) DKIM passes and the signing domain aligns with the "From" domain. DMARC defines what happens when both fail.
Go beyond DNS — verify real email addresses
DMARC protects your domain from spoofing. VerifyKit verifies if email addresses actually exist before you send. Try our email verification API free.
Try it free — 14-day money-back guarantee