Email Security

DMARC Record Check

Query the DMARC policy for a domain. View enforcement level, reporting addresses, and configuration status.

What Does This Tool Check?

What is DMARC (Domain-based Message Authentication)?

DMARC is a policy layer that ties together SPF and DKIM for email authentication. It checks whether an email passes both SPF and DKIM, and defines what should happen (monitor, quarantine, reject) based on the result.

It also enables receiving servers to send reports back to the domain owner, so you can monitor unauthorized use of your domain.

This tool queries _dmarc.<domain> and parses the policy values for display.

How to Interpret Results

Understanding DMARC policy values

p=none (monitoring)

No action is taken on emails that fail authentication. Only reporting is performed. A starting point for new configurations.

p=quarantine

Emails that fail validation are routed to spam or quarantine. They're delivered but marked as suspicious.

p=reject

Emails that fail validation are fully rejected. The strongest protection — use once you've confirmed all legitimate sending flows are working.

rua= and ruf=

rua specifies the email address for aggregate reports. ruf is for forensic error reports. Both are important for monitoring your configuration.

Common Mistakes

Frequent DMARC configuration errors

  • Enabling DMARC without configuring SPF and DKIM first. DMARC relies on both — verify them first.
  • Moving to p=reject too early. Start with p=none to review reports; confirm all legitimate flows work before escalating.
  • Not specifying a rua= address. Without reports, you can't monitor DMARC effectiveness.
  • Using pct= less than 100. This means the policy only applies to a portion of emails. Full enforcement is recommended outside of transition periods.
  • Forgetting to apply DMARC to subdomains (sp=). Without a separate sp= value, subdomains inherit the main policy differently.

FAQ

Frequently asked questions

Where can I view DMARC reports?

Reports arrive in XML format to the rua= address. Use free DMARC report viewers like MXToolbox, Postmark DMARC, or similar tools to parse them.

Will enabling DMARC hurt email deliverability?

Not if you start with p=none. After moving to p=reject, misconfigured sending flows may be blocked — that's why monitoring with reports is essential first.

What about third-party services (Mailchimp, HubSpot)?

Ensure those services have their domain's include: in your SPF record and are signing with DKIM. Otherwise they'll fail DMARC and messages will be rejected.

What's the minimum a DMARC record needs?

v=DMARC1; p=none; rua=mailto:reports@yourdomain.com — this is the minimal valid record to start monitoring.

MX Checker → SPF Checker → DKIM Checker →

Let's review your DNS and email configuration together.

Complete the technical setup with KodSanat. Full configuration including DMARC, SPF and DKIM.

Get Support →