DMARC Checker: Free Tool to Check Your Domain's DMARC Records
Enter your domain and get an instant verdict: is your DMARC set to monitor, quarantine, or reject? See every tag parsed, flagged by severity, with next steps to fix issues.
What Makes This DMARC Checker Different?
Most DMARC checkers dump a raw TXT record and leave you to figure out what it means. This one parses every tag, gives you a plain-English policy verdict — monitoring only, partially enforced, or fully enforced — and flags misconfigurations by severity: green (correct), yellow (suboptimal), red (needs immediate attention). If your domain is stuck at p=none or has an unreachable reporting address, the tool tells you what to fix and links you directly to the DMARC Generator or managed DMARC platform to do it.
What Is a DMARC Record and Why Does It Matter?
DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an email authentication protocol published as a DNS TXT record at _dmarc.yourdomain.com. It instructs receiving mail servers how to handle messages that fail SPF or DKIM authentication checks — either monitor them (none), send them to spam (quarantine), or block them entirely (reject). Without a properly configured DMARC record, attackers can send emails that appear to come from your domain, putting your customers, partners, and brand reputation at risk. Phishing remains the number one attack vector in cybersecurity, and domain spoofing is at the heart of most phishing campaigns.
What Does This Tool Check?
Our free DMARC Record Checker performs an instant DNS lookup on the domain you provide and parses the complete DMARC TXT record. It validates every tag in the record — policy (p), subdomain policy (sp), alignment modes (aspf, adkim), percentage (pct), reporting URIs (rua, ruf), and failure reporting options (fo). The tool flags common misconfigurations including: records with syntax errors that silently fail, policies stuck at 'none' without progression toward enforcement, reporting URIs pointing to external domains that lack DNS authorization (missing the corresponding report.dmarc TXT record), invalid percentage values, and conflicting subdomain policies. Each issue is categorized by severity with a plain-language recommendation for how to fix it.
Who Should Use This Tool?
Domain administrators deploying DMARC for the first time should run this checker before and after publishing their record to confirm it resolves correctly. MSPs and IT consultants can use it to audit client domains during onboarding or periodic security reviews. Security professionals conducting due diligence on vendor or partner domains can quickly assess their email authentication posture. Marketing teams concerned about email deliverability can verify that DMARC is not causing legitimate campaign emails to be quarantined or rejected. Any organization subject to compliance frameworks that mandate DMARC — including PCI DSS 4.0, NIST 800-177, and Google/Yahoo sender requirements — should check their records regularly.
How to Read Your DMARC Checker Results
After the lookup, the tool displays your raw DMARC record and a parsed breakdown of each tag. A green status indicates the tag is correctly configured. Yellow flags indicate suboptimal settings that could be improved, such as using relaxed alignment when strict would be more secure. Red flags indicate errors that need immediate attention, such as a missing policy tag or an unreachable reporting address. The overall result summary tells you whether your domain is in monitoring mode (p=none), partially enforced (p=quarantine), or fully enforced (p=reject). For domains still at p=none, we recommend analyzing your aggregate reports to identify all legitimate senders, then progressing toward quarantine and ultimately reject.
Tag Reference
The following tags/parameters are checked or generated by this tool:
Tag | Description |
v | Protocol version. Must be DMARC1. This is a required tag. |
p | Domain policy: none (monitor only), quarantine (mark suspicious), or reject (block unauthorized email). |
sp | Subdomain policy. Overrides the main policy for subdomains. If absent, subdomains inherit the p= value. |
rua | Aggregate report URI. Email address(es) where daily XML reports are sent (e.g., mailto:dmarc@yourdomain.com). |
ruf | Forensic report URI. Address for per-message failure reports. Not supported by all mailbox providers. |
adkim | DKIM alignment mode: strict (s) requires exact domain match; relaxed (r) allows subdomain alignment. |
aspf | SPF alignment mode: strict (s) or relaxed (r). Controls how the envelope sender aligns with the From header. |
pct | Percentage of messages subject to the DMARC policy (1-100). Useful for gradual enforcement rollout. |
fo | Failure reporting options: 0 (both SPF and DKIM fail), 1 (either fails), d (DKIM fails), s (SPF fails). |
rf | Report format. Default is AFRF (Authentication Failure Reporting Format). |
ri | Reporting interval in seconds. Default is 86400 (24 hours). |
Frequently Asked Questions
What is a DMARC record?
DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an email authentication protocol that helps protect your domain from unauthorized use. A DMARC record is a DNS TXT entry published at _dmarc.yourdomain.com that tells receiving email servers how to handle messages failing SPF or DKIM checks. It also specifies where to send authentication reports.
Why do I need DMARC lookup?
A DMARC lookup helps you verify that your DMARC record is correctly published in your DNS and is valid. A DMARC lookup verifies that your record is published correctly in DNS, has valid syntax, and does not contain misconfigurations that could leave your domain unprotected or cause legitimate email delivery issues.
Does DMARC replace SPF and DKIM?
No. DMARC builds on top of SPF and DKIM. It uses the results of both protocols to make enforcement decisions. You need at least one of SPF or DKIM to pass and align for DMARC to pass.
What is the difference between p=none, p=quarantine, and p=reject?
p=none only monitors — no action is taken on failing email. p=quarantine directs receivers to treat failing messages as suspicious (typically sending them to spam). p=reject instructs receivers to block failing messages entirely.
How often should I check my DMARC record?
Check your DMARC record after any DNS change, email infrastructure migration, or provider onboarding. For ongoing assurance, use SimpleDMARC's managed platform for continuous real-time monitoring.
What does 'external destination verification' mean?
If your rua or ruf reporting address is on a different domain than the one being protected, the receiving domain must publish a DNS TXT record authorizing it (e.g., yourdomain.com._report._dmarc.reportingdomain.com). Without this, reports will not be delivered.
Can I have multiple DMARC records on one domain?
No. A domain must have exactly one DMARC record. Multiple records cause parsing errors and may result in the DMARC policy being ignored entirely by receiving servers.
What is DMARC alignment?
Alignment means the domain in the From header matches the domain authenticated by SPF (envelope sender) or DKIM (d= domain). Strict alignment requires an exact match; relaxed alignment allows organizational domain matches (e.g., sub.example.com aligns with example.com).
How do I check my DMARC record?
Enter your domain in the checker above and click "Check DMARC." The tool performs a real-time DNS lookup for the TXT record at _dmarc.yourdomain.com and shows results in seconds. No signup, no selector, no technical setup needed. If no record is found, it means DMARC isn't configured yet — use our DMARC Generator to create one. If you see an error, check your domain spelling and allow up to 24 hours for DNS propagation after any recent changes.
Is DMARC required in 2026?
For bulk email senders, yes. Google and Yahoo require a DMARC record for anyone sending 5,000+ messages per day to their users. PCI DSS 4.0 mandates DMARC for organizations handling cardholder data, effective March 2025. Several government frameworks (BOD 18-01 in the US, NCSC guidance in the UK) also require DMARC at p=reject for public-sector domains.
What happens if I don't have a DMARC record?
Without a DMARC record, anyone can send email pretending to be your domain and receivers have no policy to act on. Your domain is also more likely to land in spam, because major mailbox providers now factor DMARC presence into deliverability decisions. Setting up a record at p=none with reporting is low-risk and takes five minutes with our DMARC Generator.