DMARC Checker

Q: How do I check my DMARC record?

Enter your domain in the DMARC Checker form and it will perform a live DNS lookup against _dmarc.yourdomain.com, parse every tag, calculate a configuration score, and flag any issues. You can also check manually with dig TXT _dmarc.yourdomain.com from a terminal.

Q: What does a valid DMARC record look like?

A valid DMARC record always starts with v=DMARC1 and at minimum specifies a policy with the p tag. A common starter record is v=DMARC1; p=none; rua=mailto:reports@yourdomain.com. A fully enforced record adds p=reject; sp=reject; pct=100 for maximum protection.

Q: What is the difference between p=none, p=quarantine, and p=reject?

p=none is monitor-only: the receiver delivers failing mail but reports the failure. p=quarantine sends failing mail to the spam folder. p=reject blocks failing mail at the SMTP layer. Best practice is to start at p=none for 30-60 days, fix legitimate sources, then progress to p=reject.

Q: Why is there no DMARC record at my domain?

DMARC is opt-in. If you have not explicitly published a TXT record at _dmarc.yourdomain.com, none exists. This means receivers will not enforce any policy on mail claiming to be from your domain, which leaves you open to spoofing.

Q: Is this DMARC checker free?

Yes. The DMARC checker is completely free and requires no signup. It performs a live DNS lookup, parses your record, and shows you exactly what the policy says in seconds.

Look up and validate any domain's DMARC record — instant policy and configuration analysis

What this DMARC checker shows you

• Whether a DMARC record exists at _dmarc.yourdomain.com
• The full DMARC record syntax with each tag explained (p, sp, pct, rua, ruf)
• Policy strength: monitor (p=none), quarantine, or reject
• Whether aggregate reports (rua) are configured so you can see who is sending email
• Common issues: missing record, multiple records, partial coverage, no reporting

What is a DMARC Record?

Domain-based Message Authentication, Reporting and Conformance — the policy that ties SPF and DKIM together

A DMARC record is a DNS TXT record published at _dmarc.yourdomain.com that tells receiving mail servers what to do with messages that fail authentication checks. It builds on top of SPF and DKIM and adds two critical capabilities: a policy that instructs receivers to monitor, quarantine, or reject failing mail, and a reporting address that delivers daily aggregate reports about authentication results.

Without a DMARC record, attackers can spoof your domain in phishing emails and you have no visibility into who is sending email as you. With a properly enforced DMARC record (p=reject), receiving servers will block unauthorised mail before it reaches the inbox — and the aggregate reports tell you which legitimate sending services need to be authorised.

This DMARC checker performs a live DNS lookup against _dmarc.yourdomain.com, parses every tag in the record, and flags common configuration mistakes such as missing reporting addresses, partial coverage, or multiple conflicting records. Once you have a record in place, run our SPF Checker and DKIM Checker to confirm the underlying authentication is working too.

A Typical DMARC Record


                                v=DMARC1;
                                p=reject;
                                sp=reject;
                                pct=100;
                                rua=mailto:reports@example.com;
                                ruf=mailto:forensics@example.com;
                                adkim=s;
                                aspf=s

Three Policy Levels

p=none Monitor only — collect reports without blocking

p=quarantine Send failing mail to spam folder

p=reject Block failing mail at the gateway (full enforcement)

How DMARC Authentication Works

Understanding how a DMARC check evaluates an incoming email

SPF and DKIM Run First

When a message arrives, the receiving server first checks SPF (does the sending IP appear in your SPF record?) and DKIM (does the cryptographic signature verify?). DMARC needs at least one of these to pass and align with the From: domain.

Alignment Check

The visible From: domain must match (or align with) the SPF Return-Path domain or the DKIM signing domain. adkim=s and aspf=s require strict alignment; the default r allows relaxed alignment on the organisational domain.

Apply the Policy

If the message fails DMARC, the receiver consults the p tag. p=none delivers anyway (but reports the failure), p=quarantine sends to spam, and p=reject bounces the message at the SMTP layer.

Send Aggregate Reports

Once a day, every receiving server bundles up the authentication results and emails them to the address in your rua tag. Parsing these reports tells you which sending services need to be authorised and where spoofing attempts are coming from.

Common DMARC Issues to Watch For

Configuration mistakes this checker will flag — and how to fix them

No DMARC Record at All

If _dmarc.yourdomain.com returns no TXT record, your domain has zero protection against spoofing and you have no visibility into who is sending mail as you. Fix: Start with v=DMARC1; p=none; rua=mailto:reports@yourdomain.com to begin collecting reports without affecting delivery. Use our DMARC Generator to build the right record.

Multiple DMARC Records

Publishing more than one DMARC TXT record at the same hostname produces undefined behaviour — many receivers ignore all of them, leaving your domain unprotected. Fix: Delete every record except the one you intend to keep, then re-run this checker to confirm only one remains.

Stuck on p=none Forever

p=none is a monitoring-only policy. Many domains publish it and never progress — meaning attackers can still spoof you with no consequences. Fix: Aim to move to p=quarantine within 30–60 days of monitoring, then to p=reject. Use pct=10, pct=25, etc., to stage the rollout.

No Reporting Address (rua)

Without an rua tag, you have a DMARC policy but no visibility — you will never know which legitimate services are failing authentication or whether spoofing attempts are happening. Fix: Add rua=mailto:reports@yourdomain.com, ideally pointing at a dedicated DMARC report processor rather than a human inbox (the volume gets overwhelming fast).

Automate this: DMARC Busta Autopilot collects your aggregate reports, identifies legitimate senders automatically, and progresses your policy from p=none to p=reject safely — no manual report parsing required.

Frequently Asked Questions

How do I check my DMARC record?

Enter your domain in the form above and this DMARC checker will perform a live DNS lookup against _dmarc.yourdomain.com, parse every tag in the record, calculate a configuration score, and flag any issues. You can also check your DMARC record manually with dig TXT _dmarc.yourdomain.com or nslookup -type=txt _dmarc.yourdomain.com from a terminal.

What does a valid DMARC record look like?

A valid DMARC record always starts with v=DMARC1 and at minimum specifies a policy with the p tag. A common starter record is v=DMARC1; p=none; rua=mailto:reports@yourdomain.com. A fully enforced record adds p=reject; sp=reject; pct=100 for maximum protection. Use the DMARC Generator to build one tailored to your domain.

What is the difference between p=none, p=quarantine, and p=reject?

p=none is monitor-only: the receiver still delivers failing mail but reports the failure back to you via the rua address. p=quarantine sends failing mail to the spam folder. p=reject blocks failing mail at the SMTP layer so it never reaches the inbox. Best practice is to start at p=none for 30–60 days, fix any legitimate sources that fail authentication, then progress to p=reject.

Why is there no DMARC record at my domain?

DMARC is opt-in — if you have not explicitly published a record at _dmarc.yourdomain.com, none exists. This means receivers will not enforce any policy on mail claiming to be from your domain, which leaves you open to spoofing. Generate a record with our DMARC Generator and add it as a TXT record at the _dmarc subdomain in your DNS provider.

Is this DMARC checker free?

Yes. This DMARC checker is completely free and requires no signup. It performs a live DNS lookup, parses your record, and shows you exactly what the policy says — in seconds. If you want ongoing DMARC monitoring with automatic policy progression and aggregate report parsing, that is what DMARC Busta does as a managed service.

Related Tools

More free tools to manage your DMARC, SPF, and DKIM

Stop Spoofing — Get to p=reject Safely

DMARC Busta Autopilot collects your reports, approves legitimate senders automatically, and progresses your policy from monitor to full enforcement — with rollbacks if anything goes wrong.

Get Started Free