Identify your DNS provider, review key DNS records, and spot email security gaps — including DMARC policy issues that can expose your domain to spoofing.

What is DMARC?

DMARC (Domain-based Message Authentication, Reporting and Conformance) is an email authentication protocol that builds on SPF and DKIM. It tells receiving mail servers what to do when an email fails authentication checks — and instructs them to send reports back to you so you can monitor who is sending mail on your domain’s behalf. Without a DMARC record, anyone can forge your domain in the From address of an email. A correctly configured DMARC policy is one of the most effective measures against phishing and brand impersonation.

What the DMARC Checker does

Enter a domain name and the tool performs a DNS lookup for the TXT record at _dmarc.yourdomain.com. It then analyzes the record and returns a structured report covering:
  • Whether a DMARC record exists at all
  • Record syntax — correct tag names, separators, and values
  • Policy setting (p=) — none, quarantine, or reject
  • Subdomain policy (sp=) — whether subdomains have their own policy or inherit the root
  • Reporting addresses — aggregate (rua) and forensic (ruf) destinations
  • Percentage coverage (pct=) — the share of traffic the policy applies to
  • Alignment mode for SPF and DKIM (aspf=, adkim=)

Understanding the policy levels

  • p=none: No action is taken on failing emails. Use this only during an initial monitoring phase to collect report data before enforcing.
  • p=quarantine: Failing emails are delivered to the spam or quarantine folder. A useful intermediate step before full rejection.
  • p=reject: Failing emails are refused outright by the receiving server. This is full enforcement — the domain is protected against spoofing.

Recommended path: start at p=none to gather data from aggregate reports, move to quarantine once you’ve accounted for all legitimate senders, then advance to reject. Never jump straight to reject on an active domain without first validating your SPF and DKIM setup.

How to run a check

1. Navigate to DNS Tools, or open any active domain’s detail page in the app.
2. Enter the domain name you want to check (e.g. example.com).
3. Click Check DMARC.
4. Review the results. Each finding includes an explanation and, where relevant, a recommended action.

Common issues and how to fix them

No DMARC record found

The domain has no DMARC record published in DNS. Your domain is unprotected and receiving servers have no instructions for handling forged emails. Use the DMARC Record Configurator to create a record — starting with p=none is a safe first step.

Policy is too permissive

A p=none record with no plan to advance offers no real protection. If you’ve been on none for more than a few weeks and have aggregate report data, consider moving to quarantine.

No reporting addresses configured

Without rua or ruf addresses, you receive no visibility into who is sending email on your behalf. Add at least one rua address — either your own inbox or a dedicated DMARC reporting service.

pct= is less than 100

The pct tag limits policy enforcement to a percentage of failing messages. A value below 100 means some failing emails still get through. This can be intentional during a gradual rollout, but should be raised to 100 once you’re confident in your configuration.

Subdomain policy not set

If sp= is absent, subdomains inherit the root policy. If your subdomains are not used for sending email, setting sp=reject explicitly closes that attack surface.
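
The report items listed under "What the DMARC Checker does" and the issues above can be reproduced offline against a TXT value you have already retrieved. The following is an added example, not the DMARC Checker's own code; the function names parse_dmarc and audit_dmarc, the finding strings and the sample records are assumptions made for illustration.

```python
VALID_POLICIES = {"none", "quarantine", "reject"}

def parse_dmarc(txt):
    """Split a DMARC TXT value into ordered (tag, value) pairs."""
    pairs = []
    for part in filter(None, (p.strip() for p in txt.split(";"))):
        tag, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"tag without '=': {part!r}")
        pairs.append((tag.strip().lower(), value.strip()))
    return pairs

def audit_dmarc(txt):
    """Return findings for one record; an empty list means nothing to flag."""
    if not txt:
        return ["no DMARC record found"]
    try:
        pairs = parse_dmarc(txt)
    except ValueError as exc:
        return [f"syntax: {exc}"]
    if not pairs or pairs[0] != ("v", "DMARC1"):
        return ["syntax: record must start with v=DMARC1"]
    tags, findings = dict(pairs), []
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        findings.append("syntax: p= must be none, quarantine or reject")
    elif policy == "none":
        findings.append("policy: p=none takes no action on failing mail")
    if "sp" not in tags:
        findings.append("subdomains: sp= absent, subdomains inherit p=")
    if "rua" not in tags and "ruf" not in tags:
        findings.append("reporting: no rua or ruf address configured")
    pct = tags.get("pct", "100")  # an absent pct tag means 100
    if not pct.isdecimal() or int(pct) > 100:
        findings.append("syntax: pct= must be an integer from 0 to 100")
    elif int(pct) < 100:
        findings.append(f"coverage: pct={int(pct)} leaves some failing mail unenforced")
    for tag in ("aspf", "adkim"):  # both default to relaxed ("r") when absent
        if tags.get(tag, "r").lower() not in ("r", "s"):
            findings.append(f"syntax: {tag}= must be r or s")
    return findings

# Constructed sample records; example.com is a placeholder domain.
SAMPLES = {
    "monitor-only": "v=DMARC1; p=none",
    "partial": "v=DMARC1; p=quarantine; sp=reject; rua=mailto:dmarc@example.com; pct=50",
    "enforced": "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s",
}
```

Calling audit_dmarc on each entry of SAMPLES shows the monitor-only record raising the policy, subdomain and reporting findings, the partial record raising only the pct finding, and the enforced record raising none.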

Availability

The DMARC Checker is available publicly in the Free Tools section without login — useful for checking any domain. It is also embedded in the detail view of every active domain in the app, and accessible from the DNS Tools section for scanning domains not in your account.