DMARC Record Checker & Generator

Check and validate DMARC records, prevent email phishing and spoofing, and generate custom DMARC policies


Understanding DMARC Records

DMARC (Domain-based Message Authentication, Reporting & Conformance) is an email authentication protocol that works with SPF and DKIM to protect your domain from email spoofing, phishing, and other cyber threats. It provides visibility into your email ecosystem and gives you control over how unauthenticated emails are handled.

Why DMARC Records Matter

DMARC records are essential for email security and brand protection because they:

  • Prevent Phishing: Stop attackers from impersonating your domain in phishing campaigns
  • Protect Brand Reputation: Ensure only legitimate emails are sent from your domain
  • Improve Deliverability: Authenticated emails are more likely to reach inboxes
  • Provide Visibility: Receive detailed reports on email authentication activity
  • Meet Compliance: Required by many organizations and increasingly by email providers
  • Reduce Fraud: Protect customers and employees from email-based fraud

DMARC Record Structure

A typical DMARC record looks like this:

v=DMARC1; p=quarantine; rua=mailto:reports@example.com; pct=100; adkim=r; aspf=r

Breaking down the components:

  • v=DMARC1: Identifies the DMARC version (always DMARC1)
  • p=: Policy for the domain (none, quarantine, or reject)
  • sp=: Policy for subdomains (optional)
  • rua=: Email address for aggregate reports
  • ruf=: Email address for forensic reports
  • pct=: Percentage of messages to apply policy to
  • adkim=: DKIM alignment mode (r=relaxed, s=strict)
  • aspf=: SPF alignment mode (r=relaxed, s=strict)
  • fo=: Failure reporting options
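
The tag layout above can be checked mechanically. The following is an added example, not this tool's own code: a small parser and validator for the tags listed here. The function names and the wording of the problem messages are assumptions made for illustration.

```python
VALID_POLICIES = {"none", "quarantine", "reject"}
VALID_ALIGNMENT = {"r", "s"}

def parse_dmarc(record):
    """Split a DMARC TXT value into an ordered list of (tag, value) pairs."""
    pairs = []
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate a trailing semicolon
        tag, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        pairs.append((tag.strip().lower(), value.strip()))
    return pairs

def validate_dmarc(record):
    """Return (tags, problems); an empty problems list means the record looks sound."""
    pairs = parse_dmarc(record)
    tags = dict(pairs)
    problems = []
    if not pairs or pairs[0] != ("v", "DMARC1"):
        problems.append("record must start with v=DMARC1")
    if tags.get("p") not in VALID_POLICIES:
        problems.append("p= must be none, quarantine or reject")
    if "sp" in tags and tags["sp"] not in VALID_POLICIES:
        problems.append("sp= must be none, quarantine or reject")
    for tag in ("adkim", "aspf"):
        if tag in tags and tags[tag] not in VALID_ALIGNMENT:
            problems.append(f"{tag}= must be r or s")
    pct = tags.get("pct", "100")
    if not (pct.isascii() and pct.isdigit() and int(pct) <= 100):
        problems.append("pct= must be a whole number no greater than 100")
    for tag in ("rua", "ruf"):
        for uri in tags.get(tag, "").split(","):
            uri = uri.strip()
            if uri and not (uri.lower().startswith("mailto:") and "@" in uri):
                problems.append(f"{tag}= entry is not a mailto: address: {uri}")
    if not tags.get("rua"):
        problems.append("no rua= address, so no aggregate reports will arrive")
    return tags, problems

# Constructed sample records: the page's example, then a deliberately broken one.
GOOD = "v=DMARC1; p=quarantine; rua=mailto:reports@example.com; pct=100; adkim=r; aspf=r"
BAD = "p=reject; v=DMARC1; pct=150; rua=reports@example.com"

if __name__ == "__main__":
    for rec in (GOOD, BAD):
        print(rec, "->", validate_dmarc(rec)[1] or "OK")
```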

DMARC Policies Explained

p=none (Monitor): No action taken on failed emails, but reports are generated. Recommended for initial setup to understand your email ecosystem without impacting delivery.

p=quarantine (Quarantine): Failed emails are marked as suspicious or sent to spam folders. Good intermediate step before full enforcement.

p=reject (Reject): Failed emails are rejected and not delivered. Provides strongest protection but requires confidence in your email authentication setup.

How DMARC Works with SPF and DKIM

DMARC builds upon SPF and DKIM authentication:

  • SPF Check: Verifies the sending server is authorized
  • DKIM Check: Verifies the email hasn't been tampered with
  • Alignment Check: Ensures the "From" domain matches SPF/DKIM domains
  • Policy Application: If checks fail, applies the DMARC policy
  • Reporting: Sends reports back to the domain owner

DMARC Alignment Modes

Relaxed Alignment (r): Allows subdomains to pass. For example, email from mail.example.com passes for example.com. This is the default and most common setting.

Strict Alignment (s): Requires exact domain match. Only email from exactly example.com passes for example.com. More secure but can be restrictive.

DMARC Implementation Steps

  • Step 1: Ensure SPF and DKIM are properly configured
  • Step 2: Start with p=none policy to monitor without affecting delivery
  • Step 3: Set up aggregate report monitoring (rua=)
  • Step 4: Analyze reports for 2-4 weeks to identify all legitimate sources
  • Step 5: Update SPF/DKIM to include all legitimate sources
  • Step 6: Gradually move to p=quarantine with low pct value
  • Step 7: Increase pct to 100% over time
  • Step 8: Move to p=reject when confident

Best Practices for DMARC

  • Always start with p=none policy
  • Monitor reports regularly and fix authentication issues
  • Use a dedicated email address or service for DMARC reports
  • Set pct=100 once confident in your setup
  • Include both rua and ruf for comprehensive reporting
  • Document all legitimate email sources
  • Test thoroughly before moving to p=reject
  • Consider subdomain policy (sp=) separately from main domain

Instant Validation

Check and validate DMARC records in real-time with detailed policy analysis

Smart Generator

Create custom DMARC policies with our guided generator tool

Policy Recommendations

Get expert recommendations for optimal DMARC configuration

Frequently Asked Questions

What is a DMARC record?

DMARC (Domain-based Message Authentication, Reporting & Conformance) is an email authentication protocol that uses SPF and DKIM to determine the authenticity of email messages. It tells receiving servers how to handle unauthenticated emails and provides detailed reporting on email authentication activity. DMARC is published as a TXT record at _dmarc.yourdomain.com.

How do I check my DMARC record?

Enter your domain name in the DMARC checker tool above and click "Check DMARC Record". We'll automatically query _dmarc.yourdomain.com, retrieve your DMARC record, parse all tags and policies, validate the configuration, and display detailed results including any warnings or recommendations for improvement.

What should my DMARC record look like?

A basic DMARC record should look like: v=DMARC1; p=quarantine; rua=mailto:reports@yourdomain.com; pct=100. It must start with v=DMARC1, include a policy tag (p=), and should include at least one reporting address (rua=) to receive aggregate reports about email authentication.

What's the difference between p=none, p=quarantine, and p=reject?

p=none monitors emails without taking action - recommended for initial setup to understand your email ecosystem. p=quarantine marks suspicious emails as spam or sends them to junk folders. p=reject completely blocks unauthenticated emails - provides strongest protection but requires confidence in your setup.

Do I need both SPF and DKIM for DMARC to work?

You need at least one of them (SPF or DKIM) for DMARC to pass, but it's strongly recommended to have both configured. DMARC checks if either SPF or DKIM passes AND aligns with the From domain. Having both provides redundancy and stronger authentication, as DKIM can pass even if the email is forwarded (which often breaks SPF).

Where do I add my DMARC record?

Add the DMARC record as a TXT record in your DNS settings with the hostname _dmarc (or _dmarc.yourdomain.com depending on your DNS provider). The record should contain your DMARC policy. For example, if your domain is example.com, add a TXT record at _dmarc.example.com. DNS changes typically take 24-48 hours to propagate.

What are DMARC aggregate reports (RUA)?

Aggregate reports (rua=) are XML files sent daily by receiving mail servers that contain statistics about emails from your domain - how many passed/failed SPF and DKIM, source IPs, and volume. These help you understand your email ecosystem and identify authentication issues. Use a dedicated email or DMARC reporting service to process these reports.

What are DMARC forensic reports (RUF)?

Forensic reports (ruf=) are detailed, individual failure reports sent in real-time when an email fails DMARC authentication. They include message headers and can help diagnose specific problems. However, many receiving servers don't send forensic reports due to privacy concerns. Aggregate reports (RUA) are more commonly used and usually sufficient.

What is the pct tag in DMARC?

The pct= tag specifies the percentage of messages to apply the policy to, from 1-100. For example, pct=25 applies the policy to 25% of failed messages. This allows gradual rollout of stricter policies. Start with a low percentage when moving from p=none to p=quarantine or p=reject, then increase to 100% once confident.

How long does it take for DMARC to start working?

After adding your DMARC record to DNS, it typically takes 24-48 hours for the record to propagate globally. Once propagated, receiving mail servers will immediately start checking your DMARC policy, and you'll start receiving aggregate reports within 24-48 hours after propagation. Allow 2-4 weeks of monitoring with p=none before moving to stricter policies.