Free DMARC Checker
Check your domain's DMARC configuration instantly. Verify record syntax, policy strength, reporting setup, and subdomain policy — all in one scan.
Free, no account required. Enter any domain to get started.
What is DMARC?
DMARC (Domain-based Message Authentication, Reporting and Conformance) is an email authentication protocol defined in RFC 7489. It ties together SPF and DKIM — the two foundational email authentication mechanisms — and adds a critical missing piece: a policy that tells receiving mail servers what to do when authentication fails.
Without DMARC, even if you have SPF and DKIM configured correctly, there is no way for receivers to know your intent. Should they deliver a message that fails SPF? Quarantine it? Reject it? DMARC answers that question by publishing a policy in your DNS that receivers can look up and act on automatically.
DMARC also introduces the concept of alignment: the domain in the visible “From” header must match the domain authenticated by SPF or DKIM. This prevents attackers from passing SPF with their own domain while spoofing yours in the From field — a technique that SPF alone cannot catch.
Beyond policy enforcement, DMARC provides a reporting mechanism. Receivers send aggregate reports (RUA) back to you, showing exactly who is sending email using your domain, whether they pass or fail authentication, and from which IP addresses. This visibility is essential for identifying unauthorized senders and safely tightening your policy over time.
What this checker verifies
Our DMARC checker performs a comprehensive scan of your domain's DMARC record and reports issues with clear explanations.
DMARC Record Presence & Syntax
Verifies that a DMARC TXT record exists at _dmarc.yourdomain.com, is correctly formatted, and contains a valid version tag (v=DMARC1) with no syntax errors.
Policy Strength
Evaluates your DMARC policy (p=) to determine whether it is set to none, quarantine, or reject. A stronger policy gives receiving servers clearer instructions on how to handle unauthenticated email.
Reporting Configuration
Checks whether aggregate report (rua=) and forensic report (ruf=) addresses are configured, so you receive visibility into who is sending email as your domain and where authentication fails.
Subdomain Policy
Inspects the subdomain policy tag (sp=) to verify whether your subdomains inherit the parent policy or have their own. Unprotected subdomains are a common vector for spoofing attacks.
Understanding DMARC policies
Your DMARC policy tells receiving servers how to handle email that fails authentication. Each level offers a different balance between visibility and protection.
p=noneMonitor only
No action is taken on failing email. Receivers deliver messages normally but send you DMARC reports. This is the right starting point: it gives you visibility into all senders without risking legitimate mail.
p=quarantineQuarantine suspicious email
Email that fails DMARC authentication is treated as suspicious. Receivers typically move it to the spam or junk folder. This is a good intermediate step once you have confirmed all legitimate senders pass authentication.
p=rejectReject unauthorized email
Email that fails DMARC authentication is rejected outright and never reaches the recipient. This is the strongest protection against domain spoofing and impersonation, recommended once you are fully confident in your setup.
Why monitor DMARC?
Publishing a DMARC record is not a one-time task. Your email infrastructure changes as you add new services, switch providers, or onboard third-party senders. Without continuous monitoring, misconfigurations go unnoticed and legitimate email starts failing authentication silently.
Ongoing DMARC monitoring gives you the confidence to enforce stronger policies, because you can see exactly what will happen before you make the change. It turns DMARC from a static DNS record into an active layer of defense.
- Improve deliverability by ensuring all legitimate email passes authentication
- Protect your domain against spoofing and phishing attacks that damage your brand
- Meet Google and Yahoo sender requirements that mandate DMARC for bulk senders
- Gain full visibility into every service sending email on your behalf
- Safely move from monitoring (none) to full enforcement (reject) without breaking mail flow
- Detect unauthorized senders using your domain before they reach your customers
Take control of your DMARC
Get continuous DMARC monitoring, automatic report processing, and step-by-step guidance to full enforcement. Free plan includes 2 domains with all protocol checks.