Analyse your domain's DMARC policy in seconds. Verify enforcement levels, reporting configuration, and alignment settings to prevent email spoofing and phishing.
DMARC (Domain-based Message Authentication, Reporting & Conformance) is the policy layer that ties SPF and DKIM together into a coherent anti-spoofing strategy. While SPF verifies the sending server and DKIM verifies message integrity, DMARC decides what happens when those checks fail and, critically, reports back to you about every email that claims to be from your domain.
DMARC was developed by a consortium of major email providers including Google, Microsoft, Yahoo, and PayPal. Since its introduction, adoption has grown steadily, and major mailbox providers now require DMARC for bulk senders. Google and Yahoo began enforcing DMARC requirements for high-volume senders in February 2024, making it essential for any organisation that sends marketing emails, transactional notifications, or even basic business correspondence.
A DMARC record is a DNS TXT record published at _dmarc.yourdomain.com. A typical record looks like: v=DMARC1; p=reject; rua=mailto:[email protected]; adkim=s; aspf=s. The p= tag is the most critical, as it defines the enforcement policy.
The journey to full DMARC enforcement typically follows three phases. First, deploy p=none to monitor without affecting mail delivery. Second, analyse the reports to identify all legitimate sending services and ensure they pass SPF and DKIM with proper alignment. Third, tighten the policy to p=quarantine and then p=reject once you're confident only authorised senders are active.
DMARC reporting is a powerful yet underused feature. Aggregate reports (rua) give you a bird's-eye view of all servers sending as your domain, both legitimate and fraudulent. Forensic reports (ruf) provide individual failure details. Combined, they form an early-warning system for spoofing attacks. For a complete view of your email security stack, check your SPF and DKIM records too, or run a full domain security scan.
Type your domain name above. We automatically look up the _dmarc subdomain, so just enter the base domain like example.com.
We query DNS for the TXT record at _dmarc.yourdomain.com and parse every tag: policy (p), subdomain policy (sp), alignment (adkim, aspf), reporting (rua, ruf), and percentage (pct).
Each tag is evaluated against RFC 7489 and current best practices. We check enforcement strength, alignment strictness, reporting completeness, and syntax correctness.
You get a clear grade plus specific recommendations, such as moving from p=none to p=quarantine, adding forensic reporting, or tightening alignment settings.
DMARC (Domain-based Message Authentication, Reporting & Conformance) is an email authentication protocol that builds on SPF and DKIM. It tells receiving mail servers what to do when an email fails authentication: none (monitor only), quarantine (send to spam), or reject (block entirely). DMARC also provides aggregate and forensic reports so you can see exactly who is sending email as your domain, both legitimate services and bad actors.
The "p=" tag defines your DMARC enforcement level. "p=none" takes no action on failing emails but still collects reports, making it ideal for the initial monitoring phase. "p=quarantine" sends failing messages to the recipient's spam folder. "p=reject" instructs receiving servers to block failing emails outright. Most security experts recommend working towards p=reject for maximum protection, but starting with p=none to identify legitimate senders first.
The "rua=" tag specifies where aggregate reports are sent; these XML reports summarise authentication results for all mail from your domain. The "ruf=" tag specifies where forensic (failure) reports are sent; these contain details about individual failed messages. Set them to dedicated mailboxes like rua=mailto:[email protected]. Many organisations use third-party DMARC report analysers to make sense of the data.
DMARC alignment ensures that the domain in the "From:" header matches the domains authenticated by SPF and/or DKIM. Strict alignment (aspf=s, adkim=s) requires an exact domain match, while relaxed alignment (aspf=r, adkim=r) allows subdomains to pass. If your emails pass SPF and DKIM individually but the domains don't align with the From address, DMARC will still fail. This is a common misconfiguration when using third-party email services.
Our DMARC checker evaluates your record against industry best practices. An A+ means you have p=reject with proper alignment and reporting configured. Lower grades reflect weaker policies (p=none or p=quarantine), missing reporting addresses, percentage tags that apply the policy to only part of your mail (pct < 100), or syntax errors. We also flag common issues like a missing subdomain policy (sp=) and incorrect tag formatting.
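The tag parsing and the checks listed above can be reproduced offline on a record string. The Python below is an added example, not this checker's own code or scoring; the function names, the finding wording and the example.com addresses are assumptions made for illustration.

```python
# Added example: lint a DMARC TXT record string for the issues this page lists.
POLICIES = {"none", "quarantine", "reject"}

def parse_dmarc(record):
    """Split a record into {tag: value}; return (tags, syntax_errors)."""
    tags, errors = {}, []
    for part in filter(None, (p.strip() for p in record.split(";"))):
        name, sep, value = part.partition("=")
        name, value = name.strip().lower(), value.strip()
        if not sep or not name or not value:
            errors.append(f"malformed tag: {part!r}")
        elif name in tags:
            errors.append(f"duplicate tag: {name}")
        else:
            tags[name] = value
    return tags, errors

def audit_dmarc(record):
    """Return findings for one record; an empty list means nothing was flagged."""
    tags, findings = parse_dmarc(record)
    if next(iter(tags.items()), None) != ("v", "DMARC1"):
        findings.append("record must start with v=DMARC1")
    policy = tags.get("p", "").lower()
    if policy not in POLICIES:
        findings.append("missing or invalid p= policy")
    elif policy != "reject":
        findings.append(f"p={policy} is weaker than p=reject")
    if tags.get("sp", "").lower() not in POLICIES:
        findings.append("missing or invalid sp= subdomain policy")
    pct = tags.get("pct", "100")  # pct defaults to 100 when absent
    if not pct.isdigit() or int(pct) > 100:
        findings.append(f"invalid pct={pct}")
    elif int(pct) < 100:
        findings.append(f"pct={pct} applies the policy to only part of failing mail")
    for tag in ("adkim", "aspf"):  # alignment defaults to relaxed (r)
        if tags.get(tag, "r").lower() != "s":
            findings.append(f"{tag} alignment is not strict")
    findings += [f"no {t}= reporting address" for t in ("rua", "ruf") if t not in tags]
    return findings

# Constructed sample records; the example.com addresses are placeholders.
SAMPLES = {
    "monitoring": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "enforced": "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; "
                "rua=mailto:dmarc@example.com; ruf=mailto:dmarc-fail@example.com",
    "broken": "p=quarantine; v=DMARC1; pct=50; rua",
}
for label, record in SAMPLES.items():
    print(f"{label}: {audit_dmarc(record) or 'nothing flagged'}")
```

To lint a live domain, pass in the TXT string returned for _dmarc.yourdomain.com by your own DNS lookup.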