DMARC Policy Check Tool
DMARC Check is a diagnostic utility that retrieves the _dmarc TXT record for a domain to analyze its email security posture. It identifies the enforcement policy and reporting destinations.
Verify your DMARC (Domain-based Message Authentication, Reporting, and Conformance) setup. Audit policies, reporting tags, and alignment rules.
Type a domain to check DNS records.
What is a DMARC Record?
DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an email authentication protocol that adds a layer of protection on top of SPF and DKIM. While SPF and DKIM verify different technical aspects of an email, DMARC provides the domain owner with a way to tell receiving servers what to do if those checks fail.
Beyond enforcement, DMARC provides a critical reporting mechanism. It allows receiving mail servers (like Gmail or Outlook) to send reports back to the domain owner, providing visibility into who is sending mail using their domain and whether that mail is passing authentication.
How DMARC Works with SPF and DKIM
DMARC introduces the concept of Alignment. For DMARC to "pass," the domain found in the visible "From" header of an email must align with the domains validated by SPF or DKIM.
"SPF and DKIM are the ID cards; DMARC is the security guard checking if the name on the ID card matches the name on the badge."
The Verification Flow
The Three Stages of DMARC Enforcement
Monitoring
No action. Primarily used to collect data. Pair this with our SPF Validator to ensure your sources are ready.
Soft Enforcement
Failing emails are sent to spam. This reduces impact of spoofing while testing. Verify signatures with our DKIM Lookup.
Hard Enforcement
Failing emails are outright rejected. This is the ultimate goal. Ensure your MX settings are pristine before switching.
Essential DMARC Tags Explained
Why DMARC Reporting is a Game Changer
DMARC reports provide unparalleled visibility into your email ecosystem. Without them, you are "flying blind," unaware of whether your marketing partners or internal servers are sending mail correctly.
- Shadow IT Detection: Find out which departments are using unauthorized email services.
- Phishing Alerts: See exactly who is attempting to spoof your domain and from where.
- Deliverability Insights: Confirm that your legitimate mail from Salesforce, HubSpot, or Zendesk is actually passing checks.
Frequently Asked Questions
How long should I stay on p=none?
Typically, companies stay on p=none for 30 to 90 days. This gives you enough time to collect reports and ensure all legitimate mail sources are correctly configured with SPF and DKIM. Once you see 100% verification for your known senders, you can move to p=quarantine.
Can DMARC break forwarding?
Yes. When an email is forwarded (e.g., through a mailing list), SPF validation often fails because the sender IP changes. This is why DKIM and DMARC alignment are so important—DKIM signatures usually survive forwarding, allowing DMARC to still pass even if SPF fails.
What is strict vs. relaxed alignment?
Relaxed alignment (the default) allows subdomains to match (e.g., mail.example.com aligns with example.com). Strict alignment requires an exact match. Most organizations use relaxed alignment to maintain flexibility across their infrastructure.
DMARC Implementation Roadmap
Don"t rush to p=reject. Use this validator to monitor your current policy, read your reports diligently, and gradually tighten security only when you are sure your legitimate emails are safe. Consistent monitoring is the key to successful email authentication.