Skip to main content
fareof
Start free

Free Tool

DMARC Checker

Look up any domain's DMARC record instantly. See the policy, reporting addresses, alignment modes, and get plain-English recommendations.

What is DMARC and why does it matter?

DMARC stands for Domain-based Message Authentication, Reporting & Conformance. It is an open email authentication protocol that works on top of SPF and DKIM to give domain owners control over what happens when someone sends email that claims to be from their domain but fails authentication checks.

Without DMARC, phishers and spammers can impersonate your domain freely. A well-configured DMARC policy tells every major inbox provider — Google, Microsoft, Yahoo, and others — to quarantine or reject those impostor messages before they ever reach your customers' inboxes.

Beyond protection, DMARC gives you visibility. Aggregate reports (rua) arrive as XML files showing exactly which mail servers are sending on your behalf, which are failing SPF or DKIM, and from which countries. That intelligence is invaluable for maintaining deliverability across complex sending infrastructures.

Understanding DMARC policy levels

p=noneMonitor only

No action is taken on failing messages. Mail is delivered normally but providers still send you aggregate reports. Use this when first setting up DMARC so you can discover all legitimate senders before enforcing.

p=quarantineSpam folder

Failing messages are sent to the recipient's spam or junk folder. A good stepping stone between monitoring and full enforcement. Move here once your reports show only legitimate mail is passing.

p=rejectFull protection

Failing messages are rejected at the SMTP level — they never reach the recipient. The gold standard. Google and Yahoo now require p=reject or p=quarantine for bulk senders.

Common DMARC issues and how to fix them

No DMARC record found

Publish a TXT record at _dmarc.yourdomain.com. Start with v=DMARC1; p=none; rua=mailto:[email protected] to begin collecting reports without impacting delivery.

Policy is p=none — too weak

Review your aggregate reports for 2–4 weeks. Once all legitimate mail sources are authenticated, step up to p=quarantine, then p=reject.

No rua address configured

Without rua, you have no visibility. Add rua=mailto:[email protected] so providers can send you XML aggregate reports.

Third-party senders failing DKIM

Add DKIM signing for every ESP you use (Mailchimp, SendGrid, HubSpot, etc.) via their DNS instructions, or configure subdomain policies appropriately.

SPF record exceeds 10 DNS lookups

Flatten your SPF record using an SPF flattening service, or switch to DKIM-only authentication for vendors where possible.

Need a DMARC record?

Use the free DMARC Generator to build a correct record in seconds, then copy it into your DNS.

Open DMARC Generator →

Frequently asked questions

What is a DMARC record?
DMARC (Domain-based Message Authentication, Reporting & Conformance) is a DNS TXT record published at _dmarc.yourdomain.com. It tells receiving mail servers what to do when an email fails SPF or DKIM checks — nothing (none), send it to spam (quarantine), or reject it outright (reject).
What does the DMARC policy (p=) tag mean?
p=none means monitor only — no mail is blocked. p=quarantine sends failing messages to the spam folder. p=reject drops them entirely. Move to p=reject once you have reviewed a few weeks of aggregate reports and are confident all legitimate senders are authenticated.
What are rua and ruf addresses?
rua is the aggregate report address — mailbox providers send XML summaries showing which IPs sent mail claiming to be from your domain. ruf is the forensic (failure) report address, which receives redacted copies of individual failing messages. rua is the most important one to configure.
What does aspf / adkim mean?
These control alignment strictness. aspf=r (relaxed) allows subdomains to pass SPF alignment; aspf=s (strict) requires an exact domain match. Same logic applies for adkim (DKIM alignment). Relaxed is recommended for most senders.
My DMARC check shows "not found" — what should I do?
Publish a DMARC record. Start with p=none and a valid rua address so you can receive reports without affecting deliverability. Use the DMARC Generator on this site to build the correct record, then add it as a TXT record in your DNS at _dmarc.yourdomain.com.
Is this tool free?
Yes — completely free with no account required. You can check up to 30 domains per minute.