Free DMARC Lookup

Instantly check any domain's DMARC record, policy setting, and reporting configuration

Email Tester Inbox Placement Tester
DMARC Record Checker
Use this tool to check, lookup, and validate your DMARC record.
Domain:
Built with by Henry Timmes · Named contributor to RFC 7489 (DMARC)

Understanding DMARC Records

DMARC ties together SPF and DKIM into a single enforceable policy that tells receiving mail servers what to do when authentication fails — and keeps you informed with daily reports.

The Three Policy Levels

p=none lets all mail through but sends reports — ideal when you're starting out. p=quarantine routes failures to spam. p=reject blocks them outright. Progress through these stages as your report data improves.

SPF & DKIM Alignment

DMARC passes only when the authenticated domain aligns with the visible From address. Relaxed alignment (r) allows subdomain matches; strict alignment (s) requires an exact match. Most senders use relaxed alignment for both SPF and DKIM.

Aggregate & Forensic Reports

Set rua to receive daily XML aggregate reports showing pass/fail counts by IP and source. Set ruf for message-level forensic reports. Most large receivers have discontinued ruf reports, so aggregate reports are your primary visibility tool.

How to Check and Improve Your DMARC Record

  1. Enter your domain in the DMARC Lookup tool above and click Check DMARC
  2. Review the raw record returned from DNS — confirm it starts with v=DMARC1
  3. Check the p= tag to see your current policy level (none, quarantine, or reject)
  4. Verify that rua is set to an address you actively monitor for aggregate reports
  5. Review report data for 2–4 weeks, fix any failing sources, then tighten your policy
💡 Tip: Never publish two DMARC records for the same domain — only one TXT record at _dmarc.yourdomain.com is valid. Multiple records cause a "permerror" and DMARC will fail entirely. Use the DMARC Generator to build a correctly formatted record.

DMARC: The Essential Tool for Email Security

DMARC (Domain-based Message Authentication, Reporting & Conformance) is a critical email authentication protocol that safeguards your domain from spoofing attacks. These attacks involve forging your email address to trick recipients into believing the message is legitimate. DMARC helps prevent this by verifying the sender's identity through existing protocols like SPF and DKIM.


By implementing DMARC, you gain greater control over your email security. You can instruct receiving mail servers on how to handle emails that fail authentication checks. This empowers you to quarantine or even reject suspicious emails, protecting your reputation and preventing sensitive information breaches.


DMARC's true power lies in its reporting capabilities. Beyond just verification, DMARC provides valuable insights into email activity associated with your domain. These reports reveal any unauthorized attempts to send emails under your name, even if they manage to bypass initial authentication checks. This advanced visibility allows you to identify potential security weaknesses and take proactive steps to address them before they evolve into costly cyberattacks.


Once you have it set up, it's time to test it with our very own Email Tester.

DMARC Record Checker

DMARC Tag Specification Explained

TAG MEANING
v Required: Specifies the version of the DMARC protocol being used. Always set to v=DMARC1 for the current DMARC protocol version.
p Required: Specifies the policy to be enacted by the receiving mail server when DMARC authentication fails. This tag determines what action should be taken if an email fails DMARC checks.

Possible Values:

  • none: Takes no action, but generates DMARC reports.
  • quarantine: Treats the message as suspicious, possibly placing it in the recipient's spam or quarantine folder.
  • reject: Blocks the message outright, preventing delivery to the recipient.
sp Specifies the policy for handling messages from subdomains of the DMARC-aligned domain. Subdomains inherit policies from their parent domain unless explicitly overridden.
rua Specifies the URI(s) to which aggregate DMARC reports should be sent, for example: rua=mailto:your@email.com. Aggregate reports provide statistics about DMARC usage and authentication results.
ruf Specifies the URI(s) to which forensic DMARC reports should be sent (reports about individual failed messages), for example: ruf=mailto:your@email.com. Forensic reports contain detailed information about specific messages that failed DMARC checks.
adkim Specifies how DKIM (DomainKeys Identified Mail) alignment should be handled. DKIM alignment verifies that the DKIM signature on an email matches the sender's domain.

Possible Values:

  • r: Relaxed mode. Allows for intermediate levels of subdomain alignment.
  • s: Strict mode. Requires exact domain name alignment.
aspf Specifies how SPF (Sender Policy Framework) alignment should be handled. SPF alignment verifies that the SMTP MAIL FROM domain matches the domain used in the RFC5322.From header field.

Possible Values:

  • r: Relaxed mode. Allows for intermediate levels of subdomain alignment.
  • s: Strict mode. Requires exact domain name alignment.
fo Determines the level of detail in forensic reports generated when DMARC authentication fails.

Possible Values:

  • 0: Generate reports if all underlying authentication mechanisms fail to produce a DMARC pass result.
  • 1: Generate reports if any underlying authentication mechanism produces something other than a DMARC pass result.
  • d: Generate reports regardless of the authentication result.
  • s: Generate an SPF failure report if the message failed SPF evaluation, regardless of alignment.
rf This tag specifies the format for forensic DMARC reports sent to the specified reporting addresses (ruf).

Possible Values:

  • afrf: Specifies the use of the Abuse Reporting Format (ARF) for forensic reports.
  • iodef: Specifies the use of the Incident Object Description Exchange Format (IODEF) for forensic reports.
pct Specifies the percentage of messages subjected to DMARC policy filtering. Allows gradual enforcement of DMARC policies to monitor impact before full enforcement. Any integer value from 0 to 100.
ri Specifies the interval at which aggregate DMARC reports should be generated and sent by receivers to the specified reporting addresses (rua). For example: ri=86400 indicates that aggregate reports should be sent daily (every 86400 seconds).

Frequently Asked Questions

DMARC (Domain-based Message Authentication, Reporting & Conformance) is an email authentication protocol that protects your domain from phishing and spoofing. It builds on SPF and DKIM by adding a policy that tells receiving mail servers what to do when a message fails authentication — and sends you reports so you can monitor what's happening. Without DMARC, anyone can send email that appears to come from your domain with no consequences.

DMARC requires that at least one of SPF or DKIM passes and that the authenticated domain aligns with the From header domain. SPF checks that the sending server is authorized for the envelope sender domain. DKIM checks a cryptographic signature in the message headers. DMARC then enforces your policy (none, quarantine, or reject) when both checks fail or when alignment fails.

  • p=none: Monitor only. Messages are delivered regardless of authentication results, but aggregate reports are sent to you. Use this when you're first setting up DMARC.
  • p=quarantine: Failed messages are routed to the recipient's spam or junk folder. Use this as an intermediate enforcement step.
  • p=reject: Failed messages are blocked outright and never delivered. This is the strongest protection and the goal for most domains.
Most senders start at none, gather report data, fix authentication gaps, then move progressively to quarantine and finally reject.

Aggregate reports (rua) are daily XML summaries sent by receiving mail servers. They show authentication pass/fail counts, sending IP addresses, and policy dispositions — giving you a broad view of who is sending mail claiming to be from your domain.

Forensic reports (ruf) are near-real-time message-level reports sent when individual emails fail DMARC. They can include headers and body content. However, many major providers have stopped sending forensic reports due to privacy concerns, so rua is the more reliable source of ongoing visibility.

Alignment means the domain used in SPF or DKIM must match the domain in the visible From address. In relaxed alignment (the default, r), subdomains are allowed to match — so mail.example.com aligns with example.com. In strict alignment (s), only an exact match passes. You can configure alignment separately for SPF (aspf) and DKIM (adkim) in your DMARC record. Most senders use relaxed alignment for both.

  1. Publish p=none with rua set to an address you actively monitor.
  2. Review aggregate reports for 2–4 weeks to identify all legitimate sending sources.
  3. Ensure each sending source has valid SPF and DKIM configured with alignment to your From domain.
  4. Move to p=quarantine; pct=10 to enforce on a small percentage first, then increase gradually.
  5. Once reports show consistently high pass rates, move to p=reject for full protection.

Are You Ready To Experience The Difference?

CC Logo

Become a part of the Campaign Cleaner community today, and join countless satisfied customers who have witnessed significant improvements in their email deliverability and campaign success. Don't let HTML issues hold you back; let Campaign Cleaner optimize your campaigns and boost your inbox rates.

Let's Get Started