DMARC Record Checker

Look up and analyze DMARC (Domain-based Message Authentication, Reporting and Conformance) records for any domain. This tool parses DMARC policies, identifies enforcement levels, and checks for configuration issues.

Figure 1 — DMARC Record Checker

What Is DMARC?

DMARC (Domain-based Message Authentication, Reporting and Conformance) is an email authentication protocol that builds on SPF and DKIM to provide domain-level email protection. Published as a TXT record at _dmarc.domain.com in DNS, DMARC tells receiving mail servers what to do when an email fails SPF or DKIM authentication — and where to send reports about authentication results.

DMARC solves a critical gap that SPF and DKIM leave open: without it, a receiving server has no way to know the domain owner's policy preference. With DMARC, you explicitly state whether unauthenticated mail should be monitored, quarantined, or rejected entirely.

DMARC Policy Levels

DMARC offers three enforcement levels, each providing a different degree of protection against email spoofing:

| Policy | Tag | Action on Failure | Protection Level |
|---|---|---|---|
| None | p=none | No action — deliver normally | Monitoring only (no protection) |
| Quarantine | p=quarantine | Send to spam/junk folder | Moderate protection |
| Reject | p=reject | Reject the message entirely | Maximum protection |

Most organizations start with p=none to gather data via DMARC reports, then gradually move to p=quarantine and finally p=reject once they've confirmed all legitimate email sources are properly authenticated.

Pro Tip: Don't jump straight to p=reject without first monitoring with p=none. Use the rua tag to receive aggregate reports and identify all legitimate email sources (marketing platforms, CRM systems, transactional email services). Missing even one source can cause legitimate email to be blocked. Use our SPF Record Checker to verify all sending sources are listed.

DMARC Tag Reference

A complete DMARC record contains several tags that control policy enforcement and reporting:

| Tag | Required | Default | Description |
|---|---|---|---|
| v | Yes | DMARC1 | Version identifier (must be first tag) |
| p | Yes | | Policy for the domain (none, quarantine, reject) |
| sp | No | Same as p | Policy for subdomains |
| rua | No | | URI for aggregate reports (e.g., mailto:dmarc@example.com) |
| ruf | No | | URI for forensic (failure) reports |
| adkim | No | r (relaxed) | DKIM alignment mode (r=relaxed, s=strict) |
| aspf | No | r (relaxed) | SPF alignment mode (r=relaxed, s=strict) |
| pct | No | 100 | Percentage of messages to apply policy to |
| ri | No | 86400 | Reporting interval in seconds |
| fo | No | 0 | Failure reporting options (0, 1, d, s) |

DMARC Record Examples

Here are practical DMARC record examples for different stages of deployment:

Monitoring Only (Starting Point)

v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com;

Quarantine with Reporting

v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com; ruf=mailto:dmarc-forensic@example.com; adkim=r; aspf=r; pct=100;

Full Reject (Maximum Security)

v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s; pct=100;

Gradual Rollout (25% Quarantine)

v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example.com;

The pct tag lets you gradually apply the policy. Start with pct=25, monitor reports, increase to pct=50, then pct=100. This minimizes the risk of blocking legitimate email during transition.
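The tag defaults and the rollout stages above can be checked mechanically. The following is an added example, not the site's own checker: it parses a record, applies the defaults from the tag reference, and reports configuration issues. The function names and finding messages are assumptions made for this illustration.

```python
# Added example (not the site's checker): parse and lint a DMARC TXT value.
DEFAULTS = {"adkim": "r", "aspf": "r", "pct": "100", "ri": "86400", "fo": "0"}
POLICIES = {"none", "quarantine", "reject"}

def parse_dmarc(record):
    """Return (tags, errors) for one DMARC record string."""
    tags, errors = {}, []
    parts = [p.strip() for p in record.split(";") if p.strip()]
    for part in parts:
        name, sep, value = part.partition("=")
        name, value = name.strip().lower(), value.strip()
        if not sep or not value:
            errors.append(f"malformed tag: {part!r}")
        elif name in tags:
            errors.append(f"duplicate tag: {name}")
        else:
            tags[name] = value.lower() if name in ("p", "sp") else value
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        errors.append("v=DMARC1 must be the first tag")
    if tags.get("p") not in POLICIES:
        errors.append("p is missing or not none/quarantine/reject")
    return tags, errors

def lint_dmarc(record):
    """Return (effective settings with defaults applied, findings)."""
    tags, findings = parse_dmarc(record)
    eff = {**DEFAULTS, **tags}
    eff["sp"] = tags.get("sp", tags.get("p", ""))  # sp defaults to p
    enforcing = eff.get("p") in ("quarantine", "reject")
    if not eff["pct"].isdigit() or int(eff["pct"]) > 100:
        findings.append("pct must be an integer from 0 to 100")
    elif enforcing and int(eff["pct"]) < 100:
        findings.append(f"policy applies to only {eff['pct']}% of failing mail")
    if eff.get("p") == "none":
        findings.append("p=none is monitoring only; failing mail is delivered")
    if enforcing and eff["sp"] == "none":
        findings.append("sp=none leaves subdomains without enforcement")
    if "rua" not in tags:
        findings.append("no rua tag: no aggregate reports will be received")
    return eff, findings

if __name__ == "__main__":
    # First three records are the page's examples; the last is constructed.
    for rec in ("v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com;",
                "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s; pct=100;",
                "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example.com;",
                "p=reject; v=DMARC1"):
        print(rec, "->", lint_dmarc(rec)[1])
```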

Note: DMARC alignment requires that the domain in the "From" header matches the SPF domain or the DKIM signing domain. In relaxed mode (the default), the two domains only need to share the same organizational domain, so subdomains are allowed. In strict mode, an exact match is required. If your email services send from subdomains, start with relaxed alignment. For help with DNS record management, see our lookup tool.

How DMARC Works with SPF and DKIM

DMARC builds on the two foundational email authentication protocols. For a message to pass DMARC, it must pass either SPF or DKIM, and the passing mechanism must be aligned with the "From" domain:

  1. SPF Check — Receiving server verifies the sending IP against the domain's SPF record. If the IP is authorized and the domain aligns with the "From" header, SPF passes DMARC.
  2. DKIM Check — Receiving server verifies the DKIM signature using the public key from DNS. If the signature is valid and the signing domain aligns with the "From" header, DKIM passes DMARC.
  3. DMARC Evaluation — If either SPF or DKIM passes with alignment, DMARC passes. If both fail, the DMARC policy (none/quarantine/reject) determines what happens.

This architecture means that email forwarding (which breaks SPF) can still pass DMARC through DKIM, as long as the message body isn't modified. Understanding how DNS underpins this entire chain is fundamental for proper configuration.
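The three-step evaluation above, including the forwarding case, as an added example that is not part of the original page. It assumes the receiver has already produced SPF and DKIM results, approximates the organizational domain as the last two labels, and ignores pct and sp; all domains are placeholders.

```python
# Added example (not from the page): the DMARC decision described above.
def org_domain(domain):
    # Assumption: the organizational domain is the last two labels. Production
    # code must use the Public Suffix List (this is wrong for e.g. co.uk).
    return ".".join(domain.split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """mode "s" (strict): exact match; "r" (relaxed): same organizational domain."""
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

def evaluate(from_domain, spf, dkim, policy, adkim="r", aspf="r"):
    """spf: (result, MAIL FROM domain); dkim: list of (result, d= domain).
    Returns (dmarc_result, disposition)."""
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain, aspf)
    dkim_ok = any(res == "pass" and aligned(dom, from_domain, adkim)
                  for res, dom in dkim)
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", policy  # both failed or unaligned: the published policy applies

# Constructed scenarios; all domains are placeholders.
SCENARIOS = {
    "direct": dict(spf=("pass", "example.com"), dkim=[("pass", "example.com")]),
    "forwarded": dict(spf=("fail", "example.com"), dkim=[("pass", "example.com")]),
    # SPF and DKIM both pass, but for a domain unrelated to the From header.
    "unaligned": dict(spf=("pass", "bounce.mailer.test"), dkim=[("pass", "mailer.test")]),
    "subdomain_signer": dict(spf=("fail", "example.com"), dkim=[("pass", "mail.example.com")]),
}

def run(name, **modes):
    return evaluate("example.com", policy="reject", **SCENARIOS[name], **modes)

if __name__ == "__main__":
    for name in SCENARIOS:
        print(name, run(name), run(name, adkim="s", aspf="s"))
```

The "unaligned" case shows why alignment matters: a plain SPF or DKIM pass for some other domain does not satisfy DMARC for the "From" domain.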

DMARC Reporting

One of DMARC's most valuable features is its reporting mechanism. There are two types of reports:

| Report Type | Tag | Format | Content |
|---|---|---|---|
| Aggregate (RUA) | rua | XML (gzipped) | Summary of all authentication results for the reporting period |
| Forensic (RUF) | ruf | AFRF/IODEF | Individual failure reports with message details |

Aggregate reports are sent daily and show how many messages passed or failed authentication from each sending IP. Use services like DMARC.org tools or Google Postmaster Tools to parse and visualize these reports. Forensic reports contain more detail but are less commonly sent due to privacy concerns.
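To show what an aggregate report contains and how it surfaces unaccounted-for senders, here is an added example (not from the original page) that decompresses a report and totals DMARC pass/fail counts per source IP. The sample report is constructed, uses documentation IP addresses, and includes only the elements the code reads.

```python
# Added example (not from the page): summarize a DMARC aggregate report.
import gzip
import xml.etree.ElementTree as ET

# Constructed sample report; IPs are documentation addresses.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <policy_published><domain>example.com</domain><p>none</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
    <policy_evaluated><disposition>none</disposition>
      <dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>4</count>
    <policy_evaluated><disposition>none</disposition>
      <dkim>pass</dkim><spf>fail</spf></policy_evaluated></row></record>
  <record><row><source_ip>203.0.113.50</source_ip><count>9</count>
    <policy_evaluated><disposition>none</disposition>
      <dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>"""

def load_report(blob):
    """Accept raw or gzip-compressed report bytes and return the XML text."""
    if blob[:2] == b"\x1f\x8b":  # gzip magic number
        blob = gzip.decompress(blob)
    return blob.decode("utf-8")

def summarize(xml_text):
    """Return {source_ip: {"pass": n, "fail": n}} of DMARC results by count."""
    # Reports arrive from third parties: refuse DTDs instead of expanding them.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("unexpected DTD or entity declaration in report")
    stats = {}
    for row in ET.fromstring(xml_text).iter("row"):
        ip = row.findtext("source_ip")
        count = int(row.findtext("count", "0"))
        results = (row.findtext("policy_evaluated/dkim"),
                   row.findtext("policy_evaluated/spf"))
        # DMARC passes when either aligned mechanism passes.
        outcome = "pass" if "pass" in results else "fail"
        stats.setdefault(ip, {"pass": 0, "fail": 0})[outcome] += count
    return stats

def failing_only_sources(xml_text):
    """IPs whose mail never passed DMARC: unknown senders or spoofing."""
    return sorted(ip for ip, s in summarize(xml_text).items()
                  if s["fail"] and not s["pass"])

if __name__ == "__main__":
    text = load_report(gzip.compress(SAMPLE_REPORT.encode()))
    print(summarize(text), failing_only_sources(text))
```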

DMARC Implementation Roadmap

Follow this proven path to implement DMARC without disrupting email delivery:

  1. Audit sending sources — Identify all services that send email for your domain (transactional, marketing, support, etc.).
  2. Configure SPF and DKIM — Ensure all senders are covered by your SPF record and have valid DKIM keys.
  3. Publish p=none — Start with monitoring to gather baseline data.
  4. Analyze reports — Review aggregate reports for 2-4 weeks to identify any unaccounted-for senders.
  5. Move to quarantine — Use pct=25 initially and increase gradually.
  6. Enforce reject — Once confident, set p=reject for maximum protection.
  7. Monitor continuously — Keep reviewing reports for new senders and authentication changes.

If you need to verify your MX records and general DNS setup before implementing DMARC, use our full suite of DNS tools. Also make sure your router DNS settings are configured correctly to avoid lookup issues.

Key Takeaways
  • DMARC tells receiving servers what to do when email fails SPF and DKIM — monitor, quarantine, or reject.
  • Start with p=none and aggregate reporting before enforcing quarantine or reject policies.
  • DMARC requires alignment — the "From" domain must match the SPF or DKIM domain.
  • Use the pct tag for gradual rollout to avoid blocking legitimate email.
  • Combine with SPF and DKIM for complete email authentication.
  • Always configure rua for aggregate reporting — it's your window into email authentication across your domain.

Frequently Asked Questions

Is DMARC required for email?

DMARC is not technically required, but it's becoming increasingly essential. Major providers like Google and Yahoo now require DMARC for bulk senders. Without it, your domain is vulnerable to spoofing, and email deliverability suffers as providers tighten requirements.

What is the difference between p=none, p=quarantine, and p=reject?

With p=none, no action is taken on failing emails (monitoring only). With p=quarantine, failing emails are sent to spam. With p=reject, failing emails are rejected entirely and never delivered. Each level offers progressively stronger protection.

Can DMARC break email forwarding?

Yes, indirectly. Forwarded emails often fail SPF because the forwarding server isn't in the original domain's SPF record. However, if DKIM is properly configured and the message isn't modified during forwarding, DMARC can still pass via DKIM alignment.

How long should I stay on p=none before enforcing?

Monitor with p=none for at least 2-4 weeks, analyzing aggregate reports to identify all legitimate senders. Complex organizations with many email services may need 1-3 months. Use the pct tag for gradual enforcement during transition.

What are DMARC aggregate reports?

Aggregate reports are XML files sent by receiving mail servers (usually daily) that summarize authentication results for your domain. They show which IPs sent email claiming to be from your domain and whether SPF, DKIM, and DMARC passed or failed for each source.

Should subdomains have their own DMARC record?

The parent domain's DMARC record covers subdomains by default: the sp tag sets the subdomain policy, and if sp is absent the p policy applies. However, subdomains can have their own DMARC record at _dmarc.subdomain.example.com to override the parent policy. This is useful when subdomains have different email requirements.

Does DMARC protect against all phishing?

DMARC specifically protects against domain spoofing — attackers sending email that appears to come from your domain. It does not protect against look-alike domains (e.g., examp1e.com vs example.com) or other phishing techniques. Complete email security requires additional measures including user training and network security.

About Tommy N.

Tommy is the founder of RouterHax and a network engineer with 10+ years of experience in home and enterprise networking. He specializes in router configuration, WiFi optimization, and network security. When not writing guides, he's testing the latest mesh WiFi systems and helping readers troubleshoot their home networks.
