Limited time: 50% OFF on your first payment.

Check Your DMARC Record

Verify your DMARC (Domain-based Message Authentication) DNS record for free. Protect your domain from unauthorized use.

Enter Your Domain

You have 5 more free checks today.

What is DMARC?

DMARC (Domain-based Message Authentication, Reporting & Conformance) is defined in RFC 7489. It builds on top of SPF and DKIM by adding two key capabilities: a policy that tells receivers how to handle unauthenticated mail (monitor, quarantine, or reject), and a reporting mechanism that sends you XML reports on who's sending mail from your domain and whether it's passing authentication.

Crucially, DMARC adds the concept of **alignment** — the domain in the email's visible "From" header must match the domain authenticated by SPF or DKIM. This prevents attackers from passing SPF/DKIM on a different domain while spoofing your domain in the From header.

Why do you need DMARC?

1Header From protection

SPF and DKIM alone don't protect the visible From address — DMARC closes that gap with alignment

2Enforcement policy

You decide what happens to failing mail: monitor it, send to spam, or reject it outright

3Aggregate reporting

Daily XML reports (RUA) show every IP sending mail with your domain and pass/fail rates

4Forensic reporting

Failure reports (RUF) send a redacted copy of individual failing messages for investigation

5Required by Google/Yahoo

Since Feb 2024, bulk senders must have DMARC at p=none minimum to reach Gmail/Yahoo inboxes

6Brand protection

Prevents phishing emails that impersonate your brand from reaching your customers

How DMARC works — step by step

1

You publish a DMARC TXT record at `_dmarc.yourdomain.com` specifying your policy and report addresses.

2

A message arrives at the receiving server. It runs SPF and DKIM checks independently.

3

DMARC alignment is tested: does the authenticated domain (from SPF or DKIM) match the header From domain?

4

If either SPF+alignment OR DKIM+alignment passes, DMARC passes for the message.

5

If both fail, the receiver applies your policy: none (deliver), quarantine (spam folder), or reject (bounce).

6

The receiver collects authentication data for your domain and sends aggregate (RUA) or forensic (RUF) reports to the addresses you specified.

DMARC record syntax

DNS TXT record at _dmarc.yourdomain.com
v=DMARC1; p=quarantine; pct=100; sp=reject;
            rua=mailto:dmarc-reports@yourdomain.com;
            ruf=mailto:dmarc-failures@yourdomain.com;
            adkim=s; aspf=s; fo=1

Tag reference

v=DMARC1— version, required
p=— policy for the domain
sp=— policy for subdomains
pct=— % of failing mail the policy applies to
rua=— aggregate report recipients (mailto:)
ruf=— forensic report recipients (mailto:)
adkim=— DKIM alignment: r=relaxed, s=strict
aspf=— SPF alignment: r=relaxed, s=strict
fo=— failure reporting options (0,1,d,s)
ri=— report interval in seconds (default 86400)

The three DMARC policies

p=none
Monitor only. Failing mail is delivered normally. Use at the start to gather reports before enforcing.
p=quarantine
Failing mail goes to the spam/junk folder. A stepping stone before full rejection.
p=reject
Failing mail is bounced at the SMTP level and never delivered. The strongest protection.

DMARC alignment explained

Relaxed alignment (default)
The authenticated domain may be an organizational parent. e.g. mail.yourdomain.com passes for yourdomain.com
Strict alignment
The authenticated domain must match the From domain exactly. mail.yourdomain.com does NOT pass for yourdomain.com

Common DMARC failures and fixes

SPF alignment failure

The envelope From (return-path) domain doesn't match the header From — common with ESPs using their own return-path

DKIM alignment failure

The d= domain in the DKIM signature doesn't match the visible From domain — configure your ESP to sign with your domain

Missing RUA address

Without rua= you get no reports and no visibility — always include at least one report address

Subdomains not covered

Add sp=reject to extend your policy to subdomains, or publish separate DMARC records per subdomain

FAQs

Frequently Asked Questions

DMARC (Domain-based Message Authentication, Reporting, and Conformance) is a critical email authentication protocol that works alongside SPF and DKIM. It provides instructions to receiving mail servers on how to handle emails that fail authentication checks, effectively preventing unauthorized parties from spoofing your domain and protecting your brand reputation.

A DMARC checker verifies that your record is correctly formatted and published in your DNS settings. By ensuring your DMARC policy is active (ideally moving toward p=reject), you signal to ISPs like Google and Outlook that your emails are legitimate, which significantly reduces the chances of your messages being marked as spam or blocked.

The 'quarantine' policy instructs the receiving server to deliver emails that fail DMARC to the recipient's spam or junk folder. The 'reject' policy is more secure, as it tells the server to bounce the email entirely, ensuring it never reaches the recipient. Both policies are essential steps in securing your domain's email flow.

DMARC alignment occurs when the domain in the 'From' header matches the domain validated by SPF or DKIM. Without proper alignment, even a valid SPF or DKIM check can result in a DMARC failure. Alignment ensures that the visible sender address is the one that was actually authenticated.

DMARC changes depend on your DNS record's TTL (Time to Live) settings. While the update happens almost instantly at the source, it can take anywhere from a few minutes to 48 hours for global propagation. Using a DMARC checker regularly helps you verify when the changes have reached major mail servers.

No DMARC record means receivers have no instructions on what to do when mail fails SPF or DKIM, leaving your domain easier to spoof and your legitimate mail more likely to be filtered. Publishing a DMARC record, starting with p=none, lets you monitor authentication and progressively protect your domain.