Free DMARC Record Checker — Validate Your DMARC Policy

How DMARC Record Checking Works

When you enter a domain, the tool performs a DNS TXT lookup at _dmarc.yourdomain.com, which is the standardized location for DMARC policies as defined by RFC 7489. The retrieved record is parsed tag by tag, starting with the required v=DMARC1 version identifier and the p= policy tag. The tool then evaluates every optional tag including sp (subdomain policy), adkim (DKIM alignment mode), aspf (SPF alignment mode), pct (percentage of messages subject to the policy), rua (aggregate report addresses), ruf (forensic report addresses), ri (reporting interval), and fo (failure reporting options).

The checker validates each tag against permitted values and evaluates the overall policy strength. DMARC works by linking SPF and DKIM authentication results to the domain in the From header through a process called alignment. When a message fails both SPF alignment and DKIM alignment, the DMARC policy dictates whether the receiving server should deliver the message normally (p=none), quarantine it to spam (p=quarantine), or reject it outright (p=reject). The tool also validates that reporting addresses in rua and ruf tags use valid email formats and checks for external destination verification records when reports are sent to a different domain. This ensures your DMARC configuration is not only syntactically correct but also operationally effective.

When to Use This Tool

• Implementing DMARC for the first time — Start with a p=none policy to collect reports without affecting mail delivery, then use this tool to verify the record is properly published and that reporting addresses are correctly configured to receive aggregate XML reports.
• Progressing from monitoring to enforcement — When moving from p=none to p=quarantine or p=reject, verify that your policy change is correctly published and that all legitimate sending sources pass SPF and DKIM alignment before enforcing.
• Complying with Google and Yahoo sender requirements — Since February 2024, bulk senders must have a valid DMARC record to deliver to Gmail and Yahoo Mail. Use this tool to confirm compliance with these requirements.
• Investigating spoofing or phishing attacks on your domain — If your domain is being spoofed, check whether your DMARC policy is set to reject unauthorized messages and whether you are receiving aggregate reports that identify the spoofing sources.

Understanding Your Results

The results present your DMARC policy in a clear, readable format with color-coded indicators for each tag. The policy level is the most critical indicator: p=none provides monitoring only and does not protect against spoofing, p=quarantine sends failing messages to spam, and p=reject blocks them entirely. If your goal is full domain protection, the tool will recommend progressing toward p=reject. The alignment modes show whether your policy requires strict or relaxed matching between the From domain and the SPF or DKIM authenticated domain.

Reporting configuration is another key area highlighted in the results. If no rua tag is present, you will not receive aggregate reports, which means you have no visibility into who is sending email using your domain. The tool warns about this gap because reports are essential for identifying unauthorized senders before tightening your policy. The pct tag shows what percentage of failing messages your policy applies to, with 100 being the recommended value for full enforcement. A subdomain policy (sp) that differs from the main policy is flagged so you can ensure subdomains are equally protected. Any syntax errors, unknown tags, or missing required fields are clearly identified with specific remediation guidance.