DMARC Record Checker
Look up and analyze your DMARC record. Check your policy enforcement level, verify reporting addresses, and get recommendations for improvement.
What is DMARC?
DMARC (Domain-based Message Authentication, Reporting, and Conformance) is defined in RFC 7489. It builds on top of SPF and DKIM to provide a unified email authentication framework. DMARC does two critical things: it tells receiving servers what to do when SPF and DKIM fail, and it sends you reports about who is sending email as your domain.
A DMARC record is a DNS TXT record published at _dmarc.yourdomain.com. It specifies your policy (p=), where to send aggregate reports (rua=), and optional alignment requirements for SPF and DKIM.
The three policy levels — none, quarantine, reject — represent increasing levels of enforcement. Most domains should aim to reach p=reject, but it's a journey that requires monitoring your DMARC reports first.
Security risks & attack vectors
p=none means no protection
Your DMARC policy says "none" — that means you're watching but not blocking. Attackers can still send email as your domain right now. Many domains stay on p=none indefinitely because nobody reads the reports.
Reports going to an unmonitored mailbox
You set up rua= to a mailbox that nobody checks. DMARC reports pile up as unread XML files. You're generating data but gaining zero insight from it.
pct set below 100%
If pct=25, your DMARC policy only applies to 25% of messages. The other 75% are unprotected. This is meant for gradual rollout but is often left at a low value permanently.
The set-and-forget trap
The most common DMARC failure is the domain that set up p=none years ago "to start monitoring" — and never moved beyond it. The DMARC reports arrive as XML attachments to an inbox nobody reads. Meanwhile, attackers send phishing emails as the domain with zero consequences.
Even domains that reach p=reject need ongoing monitoring. New email services that aren't properly authorized will have their emails rejected. Changes to SPF or DKIM can break DMARC alignment without warning.
Track your DMARC enforcement journey from p=none to p=reject. Join the Sendvery beta for guided steps and automated report parsing.
Frequently asked questions
DMARC builds on SPF and DKIM to tell receiving servers what to do when authentication fails. It also sends you reports about who is sending email as your domain, making unauthorized use visible.
p=none means monitoring only. Receiving servers send you reports but take no action on failing emails. Attackers can still spoof your domain. It is a starting point, not a destination.
p=quarantine sends failing emails to spam. p=reject blocks them entirely. Reject provides the strongest protection but requires confidence that all legitimate senders are properly authenticated.
rua=mailto:... tells receivers where to send aggregate XML reports (daily summaries). ruf=mailto:... requests forensic reports (individual failure details). At minimum, configure rua.
First, analyze your DMARC reports to identify all legitimate senders. Ensure they pass SPF and DKIM with proper alignment. Then move to p=quarantine, monitor for issues, and finally p=reject.
Want ongoing monitoring?
Checking once is a start. But email authentication breaks silently over time. Get alerted the moment something changes.
Free plan includes 1 domain. No credit card required.