DMARC Check
Check the DMARC policy for any domain. We query _dmarc.
What is DMARC?
DMARC (Domain-based Message Authentication, Reporting & Conformance) is the policy layer on top of SPF and DKIM. It tells receiving mail servers what to do when an incoming message fails authentication (accept, quarantine, or reject) and where to send aggregate reports.
DMARC lives at _dmarc.<your domain> as a TXT record. Just type your bare domain above: we'll add the _dmarc. prefix automatically.
Anatomy of a DMARC record
A typical DMARC record looks like: v=DMARC1; p=reject; rua=mailto:dmarc@example.com; pct=100. The key tags:
- v=DMARC1: version marker (always this).
- p=: policy: none (monitor), quarantine (send to spam), or reject (block).
- rua=: where to send aggregate (daily) reports.
- ruf=: where to send forensic (per-failure) reports.
- pct=: what percentage of failing mail to apply the policy to (0–100).
- sp=: policy for subdomains (defaults to p if unset).
- adkim=, aspf=: alignment strictness (r = relaxed, s = strict).
Common errors and pitfalls
- No DMARC record at all: domain has no protection against spoofing. Start with p=none to collect data, then ratchet up.
- Policy stuck at p=none forever: common. Monitor mode is for collecting data, not for permanent deployment. Move to quarantine then reject once you've audited your senders.
- DMARC at the wrong name: must be at _dmarc.example.com, not example.com itself. WhereIsDNS handles the prefix for you.
- Missing rua: without it, you get no visibility into who's sending mail "as you." Strongly recommended.
- Multiple DMARC records: only the first is honored, and some receivers reject the domain entirely. Always exactly one.
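The tag anatomy and the pitfalls above, turned into a check. This is an added example, not WhereIsDNS's own code: it lints TXT strings already fetched from _dmarc.<domain> (no DNS lookup is done), and the function names and sample records are constructed for illustration.

```python
# Added example: lint the TXT strings found at _dmarc.<domain> (no DNS lookup here).
VALID_POLICIES = {"none", "quarantine", "reject"}

def parse_dmarc(txt):
    """Split 'tag=value; tag=value' into a dict keyed by lowercase tag name."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def lint_dmarc(txt_records):
    """Return (effective_settings, findings) for the TXT strings at _dmarc.<domain>."""
    # Only strings that begin with the version marker count as DMARC records.
    records = [r for r in txt_records if r.strip().startswith("v=DMARC1")]
    if not records:
        return None, ["no DMARC record: domain has no protection against spoofing"]
    if len(records) > 1:
        return None, ["multiple DMARC records: publish exactly one"]
    tags = parse_dmarc(records[0])
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        findings.append("p= missing or invalid: %r" % policy)
    elif policy == "none":
        findings.append("p=none: monitor mode, meant for collecting data only")
    if "rua" not in tags:
        findings.append("rua= missing: no aggregate reports, no visibility")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or not 0 <= int(pct) <= 100:
        findings.append("pct= must be an integer 0-100, got %r" % pct)
    elif int(pct) < 100:
        findings.append("pct=%s: policy applies to only part of failing mail" % pct)
    effective = {
        "p": policy,
        "sp": tags.get("sp", policy).lower(),     # sp defaults to p if unset
        "adkim": tags.get("adkim", "r").lower(),  # alignment defaults to relaxed
        "aspf": tags.get("aspf", "r").lower(),
        "pct": pct,
        "rua": tags.get("rua"),
    }
    return effective, findings

# Constructed sample records, not taken from any real domain.
GOOD = ["v=spf1 -all", "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; pct=100"]
WEAK = ["v=DMARC1; p=none; pct=50"]
DUPLICATE = ["v=DMARC1; p=none", "v=DMARC1; p=reject"]
```

Calling lint_dmarc(WEAK) returns three findings (monitor-only policy, missing rua, partial pct), while DUPLICATE is reported as an error before any tag is read.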
FAQ
What policy level should I start with?
p=none with rua reporting. Run that for 2–4 weeks, audit the reports to identify legitimate senders, fix SPF/DKIM gaps, then graduate to quarantine, then reject.
Do I need DMARC if I already have SPF and DKIM?
Yes. SPF and DKIM are mechanisms; DMARC is the policy and reporting layer. As of 2024, Google and Yahoo require DMARC on any domain sending bulk mail to their users.
Why is my DMARC failing despite SPF passing?
"Alignment." DMARC requires that the domain SPF validated aligns with the visible From: domain. A forwarder or ESP can pass SPF on its own envelope-from while the From header is yours: that fails DMARC unless DKIM also passes and aligns.
Background reading
See the DMARC glossary entry, plus SPF and DKIM for context. The DNS Records Explained guide ties it all together.