DMARC Record Checker

DMARC (Domain-based Message Authentication, Reporting, and Conformance) is a DNS-based email authentication protocol that tells receiving mail servers how to handle messages that fail SPF or DKIM checks. It was designed to stop email spoofing — the technique used in phishing and business email compromise attacks where attackers forge the From address to impersonate a trusted domain.

A DMARC record is published as a TXT record at the subdomain _dmarc.yourdomain.com. It instructs receivers on three things: the policy to apply to failing messages, the alignment rules for SPF and DKIM, and where to send reports about authentication results.

The p= tag is the most important part of a DMARC record. It controls what happens to messages that fail DMARC authentication:

Most organizations take 4-12 weeks to move from p=none to p=reject, using aggregate reports to identify and fix all legitimate mail streams along the way.

DMARC reporting turns every major mail receiver into a sensor for your domain. Aggregate reports (rua=) are sent once per day by providers like Gmail, Outlook, Yahoo, and Apple Mail, covering every IP that sent mail using your domain's From address — whether that was you, a legitimate third-party sender, or an attacker.

Each aggregate report is an XML file that shows pass/fail counts for SPF and DKIM per sending IP. Tools like Google Postmaster Tools, Valimail, Dmarcian, and EasyDMARC can parse these reports into dashboards. Forensic reports (ruf=) provide message-level detail but are less commonly sent by major providers.

Moving too fast to p=reject without proper preparation is a common mistake that can block legitimate email. The recommended path:

1. 1
   Publish p=none with rua= — Start collecting aggregate reports. Wait 2-4 weeks to get a complete picture of all mail streams.
2. 2
   Fix SPF and DKIM — Ensure all legitimate senders (ESP, CRM, support tools) are covered by SPF includes or have DKIM signing configured.
3. 3
   Move to p=quarantine pct=10 — Apply quarantine to a small percentage of failing mail. Increase pct gradually over several weeks.
4. 4
   Escalate to p=quarantine pct=100 — Once reports show consistent high pass rates, apply quarantine to all failing messages.
5. 5
   Switch to p=reject — The final step. Full enforcement. Spoofed email from your domain is rejected at the receiver.

DMARC depends on SPF and DKIM being correctly configured. Use these tools to verify your complete email authentication setup:

• •SPF Checker — Validate which servers are authorized to send email for your domain and check for SPF include errors or lookup limit violations
• •DKIM Checker — Look up a DKIM public key by selector and domain, verify the record syntax, and check key strength
• •MX Lookup — Find mail servers for any domain, detect email providers, and verify reverse DNS records
• •SMTP Diagnostics — Test mail server connectivity, TLS certificate validity, and open relay status
• •Blacklist Checker — Check whether your mail server IP is listed on any DNSBL or RBL that could affect deliverability