DMARC Checker
Check the DMARC record for any domain — instantly see your policy, alignment, and what's missing. No signup required.
About the DMARC record checker
DMARC (Domain-based Message Authentication, Reporting & Conformance, RFC 7489) tells receiving mail servers what to do with messages that fail SPF or DKIM authentication for your domain. A correctly configured DMARC record is what stops spammers from sending mail that looks like it came from you, and it's what makes inbox providers like Gmail and Microsoft 365 trust your sending domain.
This checker fetches the TXT record at `_dmarc.<your-domain>` over DNS, parses every tag, and shows you the policy (`p=`), subdomain policy (`sp=`), coverage (`pct=`), alignment modes (`adkim=`, `aspf=`), and reporting URIs (`rua=`, `ruf=`). It also surfaces common problems like missing reporting addresses, partial coverage, or a `p=none` policy that's been sitting there for years without progressing to enforcement.
Use it before you launch a cold-email campaign, when onboarding a new sending domain, when an inbox provider tells you mail is failing DMARC, or as a quick sanity check after changing DNS.
How it works
- Resolves the TXT record at `_dmarc.<domain>` using authoritative DNS.
- Parses each tag per RFC 7489 — policy, subdomain policy, percentage, alignment, reporting URIs, failure options.
- Validates that any `mailto:` reporting address is well-formed and matches a working domain.
- Flags the four most common deliverability-killing misconfigurations: missing record, syntactically invalid record, `p=none` with no reporting, and `pct<100` left in place after rollout.
- Returns the raw record verbatim so you can paste it into a ticket or DNS console.
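The parsing and flagging steps above can be sketched in a few lines of Python. This is an added example, not this checker's own code: the function names `parse_dmarc` and `audit` and the sample records are constructed for illustration, the `mailto:` check is a simplified pattern, and the DNS lookup and the "working domain" check are left out so the block runs offline.

```python
import re

POLICIES = {"none", "quarantine", "reject"}
# Simplified mailto: check (optional "!10m" size suffix); not a full URI parser.
MAILTO = re.compile(r"^mailto:[^@\s,!]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}(![0-9]+[kmgt]?)?$", re.I)

def parse_dmarc(record):
    """Split a DMARC TXT value into {tag: value}; raise ValueError if malformed."""
    parts = [p.strip() for p in record.split(";") if p.strip()]
    if not parts:
        raise ValueError("empty record")
    tags = {}
    for i, part in enumerate(parts):
        name, sep, value = (s.strip() for s in part.partition("="))
        name = name.lower()
        if not sep or not name or not value:
            raise ValueError(f"malformed tag {part!r}")
        if i == 0 and (name, value) != ("v", "DMARC1"):
            raise ValueError("record must start with v=DMARC1")
        if name in tags:  # duplicate tags invalidate the whole tag list
            raise ValueError(f"duplicate tag {name!r}")
        tags[name] = value
    tags["p"] = tags.get("p", "").lower()
    if tags["p"] not in POLICIES:
        raise ValueError("p= must be none, quarantine or reject")
    for mode in ("adkim", "aspf"):
        if tags.get(mode, "r").lower() not in ("r", "s"):
            raise ValueError(f"{mode}= must be r or s")
    pct = tags.get("pct", "100")
    if not pct.isdecimal() or int(pct) > 100:
        raise ValueError("pct= must be an integer from 0 to 100")
    return tags

def audit(record):
    """Return findings for a raw TXT value; None means no record was published."""
    if record is None:
        return ["missing record"]
    try:
        tags = parse_dmarc(record)
    except ValueError as exc:
        return [f"invalid record: {exc}"]
    rua = [u.strip() for u in tags.get("rua", "").split(",") if u.strip()]
    findings = [f"malformed rua address: {u}" for u in rua if not MAILTO.match(u)]
    if tags["p"] == "none" and not rua:
        findings.append("p=none with no reporting")
    if int(tags.get("pct", "100")) < 100:
        findings.append("pct<100 left in place")
    return findings

if __name__ == "__main__":  # constructed sample records
    for txt in (None, "v=DMARC1; p=none", "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example.com"):
        print(repr(txt), "->", audit(txt))
```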
Frequently asked questions
What is a DMARC record?
A DMARC record is a TXT DNS record published at `_dmarc.<your-domain>` that tells receiving mail servers what to do when an email claiming to be from your domain fails SPF or DKIM authentication. It also tells them where to send aggregate and forensic reports about mail purporting to come from you.
Is DMARC mandatory in 2026?
Effectively yes for any domain that sends business email. Since February 2024 Gmail and Yahoo require DMARC for bulk senders (5,000+ messages/day) and at least `p=none` with a valid `rua` for everyone else; Microsoft 365 followed with similar requirements in 2025. Without DMARC, mail to those providers either lands in spam or is silently dropped.
Why is my DMARC failing?
Three common causes: (1) SPF passes but the domain in the SPF check doesn't align with the From: header domain — typically because mail is sent through a third-party provider whose Return-Path is a different domain; (2) DKIM signs with a selector whose `d=` tag doesn't match the From: header domain; (3) someone is genuinely spoofing your domain. The aggregate reports at the address in your `rua=` tag will tell you which.
What do p=none, p=quarantine, and p=reject mean?
`p=none` is monitor-only: receivers report failures but still deliver the failing messages. `p=quarantine` tells receivers to send failing mail to spam. `p=reject` tells receivers to refuse delivery outright. Best practice is to start at `p=none` with reporting on, fix all alignment problems surfaced in the reports, then progress to `p=quarantine` and finally `p=reject`.
How do I check my DMARC record?
Enter your root domain (e.g. `example.com`, not `mail.example.com`) into the form above. The tool resolves `_dmarc.example.com` against authoritative DNS and parses every tag. You can also run `dig +short TXT _dmarc.example.com` from a terminal to see the raw record.