dmarc checker
find and parse a domain's DMARC (domain-based message authentication, reporting, and conformance) policy record. part of the domainposture.com domain dossier.
Overview
dmarc (RFC 7489) is a TXT record published at `_dmarc.<domain>` that tells receivers what to do with mail that fails spf or dkim alignment, and where to send aggregate and failure reports. the policy tag `p=` picks one of three actions: `none` (monitor only: deliver, just send reports), `quarantine` (route to spam), or `reject` (refuse at smtp). alignment is tuned with `adkim` and `aspf` (`r` relaxed, an organisational-domain match, or `s` strict, an exact fqdn match). `rua` addresses receive aggregate reports (daily by default; the interval is the `ri` tag); `ruf` addresses receive per-message failure ("forensic") reports. `pct` gates a gradual rollout by percentage, and `sp` applies a distinct policy to subdomains that publish no record of their own. this tool queries `_dmarc.<domain>` via cloudflare's doh resolver, insists on exactly one `v=DMARC1` record as RFC 7489 §6.6.3 requires (receivers ignore the domain's dmarc entirely when there are several), and splits the semicolon-separated `k=v` pairs into a tag map.
How to use
- enter a bare domain — public fqdn only. no schemes, ports, paths.
- run the check — a single TXT doh query at `_dmarc.<domain>`, not the apex. dmarc records never live at the apex.
- read the policy + alignment — `p` is the enforcement level, `adkim`/`aspf` tune alignment strictness, `rua`/`ruf` are the reporting addresses, and `pct` gates rollout.
Examples
input: google.com
output: `v=DMARC1; p=reject; rua=mailto:mailauth-reports@google.com`
- policy reject
- aggregate reports
- relaxed alignment defaults
input: microsoft.com
output: `v=DMARC1; p=reject; pct=100; rua=mailto:d@rua.agari.com; ruf=mailto:d@ruf.agari.com; fo=1`
- full reject
- 100% rollout
- both rua and ruf reporting
Common mistakes
- dmarc requires spf OR dkim to align — dmarc does not authenticate mail on its own. it only enforces alignment between the visible From: header and an already-passing spf or dkim check. publishing a dmarc record without a working spf or dkim setup means every message fails dmarc regardless of policy.
- `p=none` is monitor-only — many domains stop at `p=none` and assume they have dmarc protection. they don't: `none` only tells receivers to report, not to block or quarantine. spoofed mail still lands in the inbox. move to `quarantine` and then `reject` once reports show legitimate sources are all aligned.
- external `rua`/`ruf` mailboxes need authorisation — if a `rua=mailto:` or `ruf=mailto:` address is in a different domain than the policy domain, the domain hosting that mailbox must publish a TXT record at `<policy-domain>._report._dmarc.<mailbox-domain>` containing `v=DMARC1` to opt in (RFC 7489 §7.1). without it, reporters silently discard reports for that destination.
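The parsing the overview describes, plus the external-report authorisation check from the last mistake above, as an added example in Python. This is not the domainposture.com tool's own code: it takes the TXT strings a resolver would return for `_dmarc.<domain>` (constructed samples embedded below, no DoH query), applies RFC 7489's record-selection rules and tag defaults, and lists the `<policy-domain>._report._dmarc.<mailbox-domain>` names a checker would still have to look up. The organisational-domain comparison in `report_auth_lookups` is simplified to "same domain or a subdomain of it"; function and sample names are the example's own.

```python
# Added example (not the domainposture.com tool's own code): parse the TXT
# answers for _dmarc.<domain> the way a checker does, apply RFC 7489 defaults
# and record-selection rules, and list the external report authorisation
# names that must exist before rua/ruf destinations in another domain can be
# trusted. Runs offline on the constructed samples below; no DoH query.

POLICIES = {"none", "quarantine", "reject"}
ALIGNMENT = {"r", "s"}

# Constructed TXT answers, shaped like what a TXT lookup of _dmarc.<domain>
# returns. The first two copy the records shown in the Examples section.
SAMPLES = {
    "google.com": ["v=DMARC1; p=reject; rua=mailto:mailauth-reports@google.com"],
    "microsoft.com": ["v=DMARC1; p=reject; pct=100; rua=mailto:d@rua.agari.com; "
                      "ruf=mailto:d@ruf.agari.com; fo=1"],
    # two DMARC records: receivers abandon DMARC processing for the domain
    "dup.example": ["v=DMARC1; p=none", "v=DMARC1; p=reject"],
    # no p tag but a usable rua: RFC 7489 s6.6.3 says treat it as p=none
    "nop.example": ["v=DMARC1; rua=mailto:dmarc@nop.example"],
}


def split_tags(record):
    """Turn 'k=v; k=v' into a dict keyed by lower-cased tag name."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError("malformed tag %r" % part)
        tags[name.strip().lower()] = value.strip()
    return tags


def parse_dmarc(txt_records):
    """Return (tags, warnings) for the single DMARC record in txt_records.
    Raises ValueError when receivers would apply no DMARC policy at all."""
    found = [r for r in txt_records if r.startswith("v=DMARC1")]
    if not found:
        raise ValueError("no v=DMARC1 record")
    if len(found) > 1:
        raise ValueError("%d v=DMARC1 records; receivers ignore all of them" % len(found))
    tags = split_tags(found[0])
    warnings = []
    if tags.get("p") not in POLICIES or tags.get("sp", "none") not in POLICIES:
        # missing/invalid p (or invalid sp): receivers salvage the record as
        # p=none only when rua carries at least one mailto: URI
        if any(u.strip().startswith("mailto:") for u in tags.get("rua", "").split(",")):
            warnings.append("p missing or invalid; treated as p=none because rua is present")
            tags["p"] = "none"
            tags.pop("sp", None)
        else:
            raise ValueError("p missing or invalid and no usable rua")
    tags.setdefault("sp", tags["p"])          # subdomain policy defaults to p
    tags.setdefault("adkim", "r")             # relaxed alignment by default
    tags.setdefault("aspf", "r")
    tags.setdefault("fo", "0")                # failure reports only on full failure
    pct = tags.get("pct", "100")
    if not (pct.isdigit() and 0 <= int(pct) <= 100):
        warnings.append("pct=%s invalid; treated as 100" % pct)
        pct = "100"
    tags["pct"] = int(pct)
    for t in ("adkim", "aspf"):
        if tags[t] not in ALIGNMENT:
            warnings.append("%s=%s invalid; treated as r" % (t, tags[t]))
            tags[t] = "r"
    if tags["p"] == "none":
        warnings.append("p=none is monitor-only; spoofed mail is still delivered")
    return tags, warnings


def report_auth_lookups(tags, policy_domain):
    """TXT names (expected to hold v=DMARC1) a checker must query before an
    rua/ruf destination outside the policy domain can be trusted (RFC 7489 s7.1).
    Simplification: the RFC compares organisational domains; here a mailbox at
    policy_domain or one of its subdomains counts as internal."""
    names = []
    for tag in ("rua", "ruf"):
        for uri in tags.get(tag, "").split(","):
            uri = uri.strip()
            if not uri.startswith("mailto:") or "@" not in uri:
                continue
            addr = uri[len("mailto:"):].split("!", 1)[0]   # drop optional !size suffix
            mbox_domain = addr.rsplit("@", 1)[1].lower()
            if mbox_domain == policy_domain or mbox_domain.endswith("." + policy_domain):
                continue
            name = "%s._report._dmarc.%s" % (policy_domain, mbox_domain)
            if name not in names:
                names.append(name)
    return names


def summarise(domain, txt_records):
    """What a checker would print: tags, warnings and authorisation lookups,
    or the reason receivers would apply no policy."""
    try:
        tags, warnings = parse_dmarc(txt_records)
    except ValueError as e:
        return {"domain": domain, "error": str(e)}
    return {"domain": domain, "tags": tags, "warnings": warnings,
            "authorisation_lookups": report_auth_lookups(tags, domain)}


if __name__ == "__main__":
    for domain, records in SAMPLES.items():
        print(summarise(domain, records))
```

For the microsoft.com record the summary lists two authorisation names, one under `rua.agari.com` and one under `ruf.agari.com`; a checker that wants to confirm reports will actually be delivered queries each of those for a `v=DMARC1` TXT record. The duplicate-record sample shows why the tool refuses more than one `v=DMARC1` answer: a receiver in that situation applies no policy at all, which is worse than `p=none`.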
FAQ
why does the tool query `_dmarc.<domain>` and not the apex?
RFC 7489 §6.1 places the dmarc record at the `_dmarc` label under the policy domain, and §6.6.3 has receivers look only there (first under the From: domain, then under its organisational domain). the apex TXT is where spf lives; a dmarc record published at the apex is never queried by receivers and is simply ignored.
what's the difference between `adkim=r` and `adkim=s`?
relaxed (`r`) accepts any subdomain under the same organisational domain — e.g. `mail.example.com` aligned with From: `example.com`. strict (`s`) requires an exact fqdn match. `aspf` works the same way for spf alignment.
does `p=reject` mean receivers must reject?
receivers are advised to reject, but dmarc is a policy signal, not a mandate. large mailbox providers (gmail, outlook) honor it; some smaller operators ignore it entirely. `pct` gates rollout: `p=reject; pct=10` means only 10% of failing mail is rejected, and per RFC 7489 §6.6.4 the other 90% is treated as `quarantine` (under `p=quarantine`, the unsampled share is treated as `none`). `sp` plays no part in this; it only selects the policy for subdomains.
can subdomains have their own dmarc policy?
yes. a subdomain may publish its own `_dmarc.sub.example.com` TXT, and receivers then use that record's `p` for mail from that subdomain. if it has none, receivers look up the record at the organisational domain (not necessarily the immediate parent) and apply its `sp` tag if present, otherwise its `p`. a weak `sp` on the organisational domain therefore leaves every subdomain without its own record at that weaker level.
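The alignment, `pct` and `sp` rules from the three answers above, as an added example (not the tool's code) of how a receiver turns a parsed tag set into a verdict and a disposition. Assumptions, labelled in the code: `tags` is a plain dict of the kind a dmarc parser produces; `ORG_SUFFIXES` is a two-entry stand-in for the Public Suffix List that real receivers consult to find the organisational domain; `roll` stands in for the receiver's random draw that implements `pct` sampling; the record and domains are constructed.

```python
# Added example (not the tool's own code): how a receiver turns a parsed tag
# set into a pass/fail verdict and a disposition. Assumptions, labelled here:
# `tags` is a dict like a dmarc parser produces; ORG_SUFFIXES is a tiny
# stand-in for the Public Suffix List real receivers use; `roll` stands in for
# the receiver's random draw that implements pct sampling.

ORG_SUFFIXES = {"co.uk", "com.au"}   # assumption: a two-entry PSL stub


def org_domain(fqdn):
    """Organisational domain: the public suffix plus one label."""
    labels = fqdn.lower().rstrip(".").split(".")
    keep = 3 if ".".join(labels[-2:]) in ORG_SUFFIXES else 2
    return ".".join(labels[-keep:])


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment (RFC 7489 s3.1): strict needs an exact match,
    relaxed needs the same organisational domain."""
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def dmarc_pass(tags, from_domain, spf_domain=None, spf_ok=False,
               dkim_domain=None, dkim_ok=False):
    """DMARC passes when SPF or DKIM passed *and* that passing identifier
    aligns with From:. A pass that does not align counts for nothing."""
    spf = spf_ok and spf_domain is not None and \
        aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim = dkim_ok and dkim_domain is not None and \
        aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    return bool(spf or dkim)


def disposition(tags, policy_domain, from_domain, roll):
    """Disposition for a message that FAILED dmarc_pass. policy_domain is where
    the record was found; sp applies when From: is a subdomain of it with no
    record of its own (s6.6.3). roll is the receiver's draw in [0, 100): a
    message outside the pct sample gets the next-weaker treatment (s6.6.4)."""
    p = tags.get("p", "none")
    if from_domain.lower().rstrip(".") != policy_domain.lower() and "sp" in tags:
        p = tags["sp"]
    if roll < int(tags.get("pct", 100)):
        return p
    return {"reject": "quarantine", "quarantine": "none", "none": "none"}[p]


# Constructed record: strict DKIM alignment, relaxed SPF, 10% rollout,
# weaker policy for subdomains.
RECORD = {"v": "DMARC1", "p": "reject", "sp": "quarantine", "pct": "10",
          "adkim": "s", "aspf": "r"}

if __name__ == "__main__":
    # bounce domain under the org domain: relaxed SPF alignment passes
    print(dmarc_pass(RECORD, "example.com", spf_domain="bounce.example.com", spf_ok=True))
    # DKIM d=mail.example.com against From: example.com fails strict alignment
    print(dmarc_pass(RECORD, "example.com", dkim_domain="mail.example.com", dkim_ok=True))
    for roll in (3, 50):
        print(roll, disposition(RECORD, "example.com", "example.com", roll),
              disposition(RECORD, "example.com", "news.example.com", roll))
```

With this record a failing message from `example.com` is rejected only when the draw lands inside the 10% sample and quarantined otherwise, while a failing message from `news.example.com` picks up `sp=quarantine` and, outside the sample, is delivered with no action at all. That second path is why `sp` deserves the same scrutiny as `p` during a rollout.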
what's `fo` for?
`fo` controls when failure (forensic) reports fire: `0` (default) = report only when every mechanism fails to produce an aligned pass; `1` = report when any mechanism fails to produce an aligned pass; `d` = report when a dkim signature fails evaluation, regardless of alignment; `s` = report when spf fails, regardless of alignment. values combine with colons (`fo=1:d:s`). it only matters if you publish a `ruf` address, and several large receivers send no failure reports at all.
what is dmarc?
dmarc (domain-based message authentication, reporting & conformance) is an email-authentication policy published as a txt record at `_dmarc.<domain>`. it tells receivers what to do with mail that fails spf or dkim alignment — monitor, quarantine, or reject — and where to send reports, closing the gap that lets spammers spoof your domain.
what does dmarc stand for?
dmarc stands for domain-based message authentication, reporting, and conformance. it builds on the two older email-authentication standards, spf and dkim, adding alignment between the visible From: address and those checks, plus a reporting channel so domain owners can see who is sending mail in their name.
how does dmarc work?
a receiver checks whether an incoming message passes spf or dkim and whether the authenticated domain aligns with the visible From: header. it then applies your published policy — `p=none`, `quarantine`, or `reject` — to anything that fails, and emails aggregate reports to the `rua` address you specified.
how do i set up dmarc?
first get spf and dkim passing for every legitimate sender. then publish a txt record at `_dmarc.<domain>` starting with `v=DMARC1; p=none; rua=mailto:you@example.com` to collect reports without blocking. once reports confirm all real mail aligns, tighten the policy to `quarantine` and finally `reject`.
what is a dmarc record?
a dmarc record is a single txt record at `_dmarc.<domain>` holding semicolon-separated tags: `v=DMARC1` (version), `p=` (policy — none/quarantine/reject), `rua`/`ruf` (report addresses), `adkim`/`aspf` (alignment mode), `pct` (rollout percentage), and `sp` (subdomain policy). this tool parses each tag for you.
do i need dmarc?
yes if your domain sends email — gmail and yahoo now require dmarc for bulk senders, and without it anyone can spoof your domain in phishing. even a monitor-only `p=none` record is worth publishing for visibility, though only `quarantine` or `reject` actually blocks spoofed mail.
Related tools
- dns lookup — resolve A, AAAA, MX, TXT, NS, or CNAME records via Cloudflare DoH.
- dns records lookup — resolve A, AAAA, NS, SOA, CAA, and TXT records for a domain in one go.
- mx lookup — list the mail exchangers (MX records) a domain advertises, sorted by priority.
- spf checker — find and parse a domain's SPF (sender policy framework) record.