How to check DMARC record of a domain?

Enter any domain in our DMARC Checker tool above and click 'Check DMARC'. The tool instantly retrieves the DMARC record from _dmarc.domain.com, parses all tags, evaluates policy strength, checks alignment modes, verifies reporting URIs, and gives you a health score with 11 validation checks. You can also use command-line tools: 'nslookup -type=txt _dmarc.example.com' on Windows or 'dig _dmarc.example.com TXT +short' on Mac/Linux.

What DMARC policy should I use?

Start with p=none to monitor email authentication results without affecting delivery. Analyze DMARC aggregate reports to identify all legitimate email sources. Once verified, upgrade to p=quarantine (sends failing emails to spam), then p=reject for maximum protection. The reject policy is the strongest defense against email spoofing and phishing attacks.

What is DMARC alignment?

DMARC alignment ensures the domain in the email's visible From header matches the domains authenticated by SPF and DKIM. There are two modes: Relaxed alignment (adkim=r, aspf=r) allows subdomains to match the organizational domain, while Strict alignment (adkim=s, aspf=s) requires an exact domain match. Relaxed is the default and works for most setups.

What are DMARC aggregate reports (rua)?

Aggregate reports are XML reports sent daily to the email addresses specified in the rua tag (e.g., rua=mailto:dmarc@example.com). They contain statistics about email authentication results — which IPs sent email for your domain, whether SPF and DKIM passed or failed, and what policy was applied. These reports are essential for monitoring your email authentication health before enforcing strict policies.

Do I need both SPF and DKIM for DMARC to work?

DMARC requires at least one of SPF or DKIM to pass with alignment. However, configuring both SPF and DKIM provides the strongest email authentication. If one fails (e.g., SPF fails due to email forwarding), the other can still pass, ensuring DMARC alignment is maintained. Best practice is to always configure all three: SPF, DKIM, and DMARC.

What is the DMARC pct tag?

The pct (percentage) tag specifies what percentage of failing emails the DMARC policy should apply to. For example, pct=25 means only 25% of emails that fail DMARC will have the policy (quarantine or reject) applied, while the remaining 75% are treated as p=none. This allows gradual rollout of strict policies. The default is pct=100 (full enforcement).

What is the difference between rua and ruf in DMARC?

The rua tag specifies where aggregate reports are sent — these are daily summaries of email authentication statistics in XML format. The ruf tag specifies where forensic (failure) reports are sent — these contain details about individual emails that failed DMARC. Aggregate reports (rua) are widely supported and essential; forensic reports (ruf) are optional and not supported by all email providers due to privacy concerns.

How does DMARC prevent email spoofing?

DMARC prevents email spoofing by instructing receiving mail servers to check SPF and DKIM authentication and verify that the From header domain aligns with the authenticated domain. When the policy is set to p=reject, any email that fails these checks is rejected outright, preventing attackers from sending emails that appear to come from your domain. Without DMARC, spoofed emails can reach inboxes unchallenged.

Is this DMARC checker free?

Yes, our DMARC checker is completely free with no registration required. Check unlimited domains, analyze DMARC policies, verify alignment settings, validate reporting URIs, and get a health score with 11 validation checks — all at no cost. The tool works instantly with real-time DNS lookups.

DMARC Checker — Check DMARC Policy for Any Domain

What Is a DMARC Record?

A DMARC record (Domain-based Message Authentication, Reporting and Conformance) is a DNS TXT record published at _dmarc.yourdomain.com that tells receiving mail servers what to do when emails fail SPF and DKIM authentication checks. DMARC is the policy layer of email authentication — it ties SPF and DKIM together with enforcement rules (none, quarantine, or reject) and enables reporting so you can monitor who is sending email on behalf of your domain.

Our free DMARC checker goes beyond basic DMARC lookup. It parses every DMARC tag with human-readable descriptions, evaluates policy strength, checks DKIM and SPF alignment modes, validates aggregate and forensic reporting URIs, analyzes subdomain policy, and runs 11 validation checks to give you a comprehensive DMARC health score. Whether you're troubleshooting email deliverability, auditing email security, or implementing DMARC for the first time, this tool provides instant DMARC record validation.

DMARC checker showing validation results with health score, policy analysis, and parsed DMARC tags — DNS Robot's DMARC checker validates DMARC records with 11 checks, policy analysis, alignment verification, and tag parsing.

How to Check DMARC Record (3 Methods)

There are several ways to check DMARC records for any domain. Our online DMARC checker is the fastest and most thorough method, but command-line tools work for quick lookups.

How DMARC works showing email flow through SPF and DKIM authentication with policy enforcement — How DMARC works: the receiving server checks SPF and DKIM, verifies alignment with the From domain, then applies the DMARC policy.

Online DMARC Checker (Recommended)

Enter any domain in our DMARC record checker above and click "Check DMARC". You'll instantly see the full DMARC record, parsed tags with descriptions, policy strength analysis, alignment mode settings, reporting URIs, and a health score based on 11 validation checks.

Using nslookup (Windows/Mac/Linux)

Open a terminal and run nslookup -type=txt _dmarc.example.com. Look for the TXT record starting with v=DMARC1. This shows the raw DMARC record but doesn't validate policy or check alignment.

Using dig (Mac/Linux)

Run dig _dmarc.example.com TXT +short for a quick DMARC lookup. For all DNS record types, use our DNS Lookup tool.

DMARC Record Tags — Complete Reference

A DMARC record consists of tag-value pairs separated by semicolons. Each tag controls a different aspect of email authentication policy. Understanding these tags is essential for a proper DMARC check.

p (Policy)

Required tag. Specifies what to do with failing emails: none (monitor), quarantine (spam), or reject (block).

sp (Subdomain Policy)

Policy for subdomains. If not set, inherits from p. Set separately when subdomains need different policies.

rua (Aggregate Reports)

Email address(es) for aggregate XML reports. Format: rua=mailto:[email protected]. Essential for monitoring.

ruf (Forensic Reports)

Email for forensic failure reports. Contains details about individual failed emails. Optional; not all providers support it.

adkim / aspf (Alignment)

DKIM and SPF alignment mode. r = relaxed (subdomains OK), s = strict (exact match). Default is relaxed.

pct (Percentage)

Percentage of emails to apply policy to (1-100). Use for gradual rollout: start at 10%, increase to 100%. Default is 100%.

Understanding DMARC Policies

p=none (Monitor Only)

No enforcement. Emails are delivered normally regardless of authentication. Best as a starting point to collect DMARC reports before enforcing.

p=quarantine

Failing emails are sent to spam/junk folder. Good intermediate step between monitoring and full rejection.

p=reject (Strongest)

Failing emails are rejected outright. Maximum protection against spoofing and phishing. The ultimate goal for every domain.

Our 11 DMARC Validation Checks

DMARC record found at _dmarc.domain

Valid version tag (v=DMARC1)

Required policy tag (p=) present

Policy strength evaluation (reject > quarantine > none)

Subdomain policy (sp) analysis

Aggregate reporting URI (rua) configured

Forensic reporting (ruf) check

DKIM alignment mode verification

SPF alignment mode verification

Policy percentage (pct) enforcement check

Valid syntax (no unknown tags)

DMARC vs SPF vs DKIM — The Email Authentication Trio

DMARC is the policy and reporting layer that ties SPF and DKIM together. Without DMARC, even if you have SPF and DKIM configured, receiving servers have no clear instructions on what to do with failing emails. Here's how they compare:

SPF vs DKIM vs DMARC comparison showing how each protocol handles email authentication — SPF, DKIM, and DMARC work together: SPF checks sender IP, DKIM verifies message integrity, DMARC enforces policy and enables reporting.

SPF

What: Verifies the sending server's IP is authorized

How: DNS TXT record listing allowed IPs

Checks: Envelope sender (Return-Path)

Check SPF Record →

DKIM

What: Verifies the message wasn't tampered with

How: Cryptographic signature in email headers

Checks: Message integrity + signing domain

Check DKIM Record →

DMARC

What: Ties SPF + DKIM together with policy

How: DNS TXT record at _dmarc.domain

Checks: From header alignment + enforcement

You are here

DMARC Implementation Roadmap: From Monitoring to Enforcement

Implementing DMARC is a phased process that protects your brand from email spoofing without disrupting legitimate email delivery. Start with p=none to collect data about email authentication results. Analyze aggregate reports (rua) to identify all legitimate email sources and ensure they pass SPF and DKIM. Gradually move to p=quarantine with a low percentage (pct=10) and increase as confidence grows. Finally, implement p=reject with pct=100 for full enforcement.

DMARC Best Practices for Email Security

Start with p=none and gradually enforce
Always configure rua for aggregate reports
Set up both SPF and DKIM before DMARC
Use pct tag for gradual policy rollout

Monitor aggregate reports regularly
Set subdomain policy (sp) explicitly
Consider strict alignment for maximum security
Target p=reject as the ultimate goal

Related Email & DNS Tools

SPF Checker

Check SPF records, DNS lookup count, and include chain resolution.

DKIM Checker

Verify DKIM signatures and public key DNS records.

MX Lookup

Check MX records and detect email providers for any domain.

DNS Lookup

Check all DNS record types (A, AAAA, CNAME, MX, TXT, and more).

DNS Validator

Run 17 DNS health checks including SPF and DMARC validation.

IP Blacklist Checker

Check if your mail server IP is blacklisted on major RBLs.

What Is a DMARC Record?

How to Check DMARC Record (3 Methods)

There are several ways to check DMARC records for any domain. Our online DMARC checker is the fastest and most thorough method, but command-line tools work for quick lookups.

Online DMARC Checker (Recommended)

Using nslookup (Windows/Mac/Linux)

Open a terminal and run nslookup -type=txt _dmarc.example.com. Look for the TXT record starting with v=DMARC1. This shows the raw DMARC record but doesn't validate policy or check alignment.

Using dig (Mac/Linux)

Run dig _dmarc.example.com TXT +short for a quick DMARC lookup. For all DNS record types, use our DNS Lookup tool.

DMARC Record Tags — Complete Reference

p (Policy)

Required tag. Specifies what to do with failing emails: none (monitor), quarantine (spam), or reject (block).

sp (Subdomain Policy)

Policy for subdomains. If not set, inherits from p. Set separately when subdomains need different policies.

rua (Aggregate Reports)

Email address(es) for aggregate XML reports. Format: rua=mailto:[email protected]. Essential for monitoring.

ruf (Forensic Reports)

Email for forensic failure reports. Contains details about individual failed emails. Optional; not all providers support it.

adkim / aspf (Alignment)

DKIM and SPF alignment mode. r = relaxed (subdomains OK), s = strict (exact match). Default is relaxed.

pct (Percentage)

Percentage of emails to apply policy to (1-100). Use for gradual rollout: start at 10%, increase to 100%. Default is 100%.

Understanding DMARC Policies

p=none (Monitor Only)

No enforcement. Emails are delivered normally regardless of authentication. Best as a starting point to collect DMARC reports before enforcing.

p=quarantine

Failing emails are sent to spam/junk folder. Good intermediate step between monitoring and full rejection.

p=reject (Strongest)

Failing emails are rejected outright. Maximum protection against spoofing and phishing. The ultimate goal for every domain.

Our 11 DMARC Validation Checks

DMARC record found at _dmarc.domain

Valid version tag (v=DMARC1)

Required policy tag (p=) present

Policy strength evaluation (reject > quarantine > none)

Subdomain policy (sp) analysis

Aggregate reporting URI (rua) configured

Forensic reporting (ruf) check

DKIM alignment mode verification

SPF alignment mode verification

Policy percentage (pct) enforcement check

Valid syntax (no unknown tags)

DMARC vs SPF vs DKIM — The Email Authentication Trio

SPF

What: Verifies the sending server's IP is authorized

How: DNS TXT record listing allowed IPs

Checks: Envelope sender (Return-Path)

Check SPF Record →

DKIM

What: Verifies the message wasn't tampered with

How: Cryptographic signature in email headers

Checks: Message integrity + signing domain

Check DKIM Record →

DMARC

What: Ties SPF + DKIM together with policy

How: DNS TXT record at _dmarc.domain

Checks: From header alignment + enforcement

You are here

DMARC Implementation Roadmap: From Monitoring to Enforcement

DMARC Best Practices for Email Security

Start with p=none and gradually enforce
Always configure rua for aggregate reports
Set up both SPF and DKIM before DMARC
Use pct tag for gradual policy rollout

Monitor aggregate reports regularly
Set subdomain policy (sp) explicitly
Consider strict alignment for maximum security
Target p=reject as the ultimate goal

Related Email & DNS Tools

SPF Checker

Check SPF records, DNS lookup count, and include chain resolution.

DKIM Checker

Verify DKIM signatures and public key DNS records.

MX Lookup

Check MX records and detect email providers for any domain.

DNS Lookup

Check all DNS record types (A, AAAA, CNAME, MX, TXT, and more).

DNS Validator

Run 17 DNS health checks including SPF and DMARC validation.

IP Blacklist Checker

Check if your mail server IP is blacklisted on major RBLs.

What Is a DMARC Record?

How to Check DMARC Record (3 Methods)

DMARC Record Tags — Complete Reference

Understanding DMARC Policies

Our 11 DMARC Validation Checks

DMARC vs SPF vs DKIM — The Email Authentication Trio

DMARC Implementation Roadmap: From Monitoring to Enforcement

DMARC Best Practices for Email Security

Related Email & DNS Tools

Frequently Asked Questions About DMARC Checker

What is a DMARC record?

How to check DMARC record of a domain?

What DMARC policy should I use?

What is DMARC alignment?

What are DMARC aggregate reports (rua)?

Do I need SPF and DKIM for DMARC?

What is the DMARC pct tag?

What is the difference between rua and ruf?

How does DMARC prevent spoofing?

Is this DMARC checker free?

What Is a DMARC Record?

How to Check DMARC Record (3 Methods)

DMARC Record Tags — Complete Reference

Understanding DMARC Policies

Our 11 DMARC Validation Checks

DMARC vs SPF vs DKIM — The Email Authentication Trio

DMARC Implementation Roadmap: From Monitoring to Enforcement

DMARC Best Practices for Email Security

Related Email & DNS Tools

Frequently Asked Questions About DMARC Checker

What is a DMARC record?

How to check DMARC record of a domain?

What DMARC policy should I use?

What is DMARC alignment?

What are DMARC aggregate reports (rua)?

Do I need SPF and DKIM for DMARC?

What is the DMARC pct tag?

What is the difference between rua and ruf?

How does DMARC prevent spoofing?

Is this DMARC checker free?