DMARC Checker

What Is DMARC and How Does It Work?

DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an email authentication protocol that builds on SPF and DKIM to provide domain-level protection against email spoofing. Published as a DNS TXT record at _dmarc.yourdomain.com, a DMARC policy tells receiving mail servers what to do with emails that fail authentication checks and where to send reports about email activity.

When a receiving mail server processes an incoming email, it checks whether the message passes SPF and DKIM authentication, and whether the authenticated domain aligns with the "From" domain visible to the recipient. If the message fails these checks, the receiving server consults the sender's DMARC record to determine the appropriate action: deliver normally (p=none), send to spam (p=quarantine), or reject entirely (p=reject).

DMARC records contain several important tags. The "p" tag defines the policy for the main domain, while "sp" sets the policy for subdomains. The "rua" tag specifies email addresses to receive aggregate reports - daily XML summaries of all email activity for the domain. The "ruf" tag specifies addresses for forensic reports about individual failures. The "pct" tag allows gradual rollout by applying the policy to only a percentage of failing messages.

Implementing DMARC is a gradual process. Most organizations start with p=none to collect reports without affecting email delivery. After analyzing the reports to ensure all legitimate email sources are properly authenticated with SPF and DKIM, they move to p=quarantine and eventually p=reject. This phased approach prevents legitimate email from being accidentally blocked during deployment.

Our DMARC checker retrieves and validates the DMARC record for any domain. It parses all tags, checks for syntax errors, verifies that required fields are present, and highlights potential issues. Use it alongside our SPF Checker and DKIM Checker to verify your complete email authentication setup.
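
A minimal offline version of the checks described above, as an added example (not this site's checker code): it validates the text of a DMARC record against the tags explained on this page, without performing the DNS lookup. The function name check_dmarc, the warning wording and the simplified mailto: pattern are assumptions made for illustration.

```python
import re

POLICIES = {"none", "quarantine", "reject"}
# Simplified mailto: URI check, allowing the optional "!<size>" report-size suffix
MAILTO = re.compile(r"^mailto:[^@\s,!]+@[^@\s,!]+(![0-9]+[kmgt]?)?$", re.I)


def check_dmarc(record):
    """Parse the text of a _dmarc TXT record; return (tags, errors, warnings)."""
    tags, errors, warnings, order = {}, [], [], []
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue  # a trailing ';' is legal
        name, sep, value = part.partition("=")
        name, value = name.strip().lower(), value.strip()
        if not sep or not name or not value:
            errors.append(f"syntax error near {part!r}")
        elif name in tags:
            errors.append(f"duplicate tag {name!r}")
        else:
            tags[name] = value
            order.append(name)
    if order[:1] != ["v"] or tags["v"] != "DMARC1":
        errors.append("record must begin with v=DMARC1")
    for name in ("p", "sp"):
        if name in tags and tags[name].lower() not in POLICIES:
            errors.append(f"{name}={tags[name]} is not none, quarantine or reject")
    if "p" not in tags:
        errors.append("required tag p is missing")
    elif tags["p"].lower() == "none":
        warnings.append("p=none only monitors; failing mail is still delivered")
    pct = tags.get("pct", "100")  # pct defaults to 100 when absent
    if not re.fullmatch(r"[0-9]{1,3}", pct) or int(pct) > 100:
        errors.append(f"pct={pct} is not an integer from 0 to 100")
    elif int(pct) < 100:
        warnings.append(f"policy applies to only {pct}% of failing messages")
    for name in ("rua", "ruf"):
        for uri in filter(None, (u.strip() for u in tags.get(name, "").split(","))):
            if not MAILTO.match(uri):
                errors.append(f"{name} address {uri!r} is not a mailto: URI")
    if "rua" not in tags:
        warnings.append("no rua tag: no aggregate reports will be received")
    return tags, errors, warnings


if __name__ == "__main__":
    # Constructed sample record, not taken from a real domain
    print(check_dmarc("v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc-reports@example.com"))
```

Errors mark records a receiver may ignore or misread; warnings mark valid records that leave the domain in a monitoring or partial-enforcement state.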

Frequently Asked Questions

What is a DMARC record?

DMARC is a DNS TXT record published at _dmarc.yourdomain.com that tells receiving mail servers how to handle emails that fail SPF and DKIM authentication. It also enables reporting so domain owners can monitor who is sending email on their behalf.

What do the DMARC policy values mean?

DMARC has three policy values: p=none (monitor only), p=quarantine (send failing emails to spam), and p=reject (block failing emails entirely). Most organizations start with p=none to monitor, then gradually move to p=quarantine and finally p=reject.

What are DMARC rua and ruf reports?

The rua tag receives aggregate reports - daily XML summaries of email activity. The ruf tag receives forensic reports about individual authentication failures. Aggregate reports are widely supported; forensic reports are less common due to privacy concerns.

How do I set up DMARC for my domain?

First ensure you have SPF and DKIM configured. Then create a TXT record at _dmarc.yourdomain.com with at minimum: v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com. Start with p=none and tighten after reviewing reports.