Domain.Posture

dmarc checker

find and parse a domain's DMARC (domain-based message authentication, reporting, and conformance) policy record. part of the domainposture.com domain dossier.

resolving…

Overview

dmarc (RFC 7489) is a TXT record published at `_dmarc.<domain>` that tells receivers what to do with mail that fails spf or dkim alignment, and where to send aggregate and forensic reports. the policy tag `p=` picks one of three actions: `none` (monitor only — deliver, just send reports), `quarantine` (route to spam), or `reject` (refuse at smtp). alignment is tuned with `adkim` and `aspf` (`r` relaxed — organisational-domain match — or `s` strict — exact fqdn match). `rua` addresses receive daily aggregate reports; `ruf` addresses receive per-message forensic reports. `pct` gates a gradual rollout by percentage, and `sp` applies a distinct policy to subdomains. this tool queries `_dmarc.<domain>` via cloudflare's doh resolver, insists on exactly one `v=DMARC1` record per RFC 7489, and splits the semicolon-separated `k=v` pairs into a tag map.

How to use

  1. enter a bare domainpublic fqdn only. no schemes, ports, paths.
  2. run the checka single TXT doh query at `_dmarc.<domain>`, not the apex. dmarc records never live at the apex.
  3. read the policy + alignment`p` is the enforcement level, `adkim`/`aspf` tune alignment strictness, `rua`/`ruf` are the reporting addresses, and `pct` gates rollout.

Examples

example 1 — google enforces reject and collects aggregate reports; no forensic (`ruf`) subscription.
input
google.com
output
v=DMARC1; p=reject; rua=mailto:[email protected] - policy reject, aggregate reports - relaxed alignment defaults
example 2 — microsoft uses agari as its report aggregator and opts into per-message forensic feedback.
input
microsoft.com
output
v=DMARC1; p=reject; pct=100; rua=mailto:[email protected]; ruf=mailto:[email protected]; fo=1 - full reject - 100% rollout - both rua and ruf reporting

Common mistakes

  • dmarc requires spf OR dkim to align dmarc does not authenticate mail on its own. it only enforces alignment between the visible From: header and an already-passing spf or dkim check. publishing a dmarc record without a working spf or dkim setup means every message fails dmarc regardless of policy.
  • `p=none` is monitor-only many domains stop at `p=none` and assume they have dmarc protection. they don't — `none` only tells receivers to report, not to block or quarantine. spoofed mail still lands in the inbox. move to `quarantine` and then `reject` once reports show legitimate sources are all aligned.
  • external `rua`/`ruf` mailboxes need authorisation if your `rua=mailto:` address is in a different domain than the policy domain, the receiving domain must publish `<your-domain>._report._dmarc.<their-domain>` TXT=`v=DMARC1` to opt in. miss this and reporters drop your aggregate reports silently.

FAQ

why does the tool query `_dmarc.<domain>` and not the apex?

RFC 7489 §6.1 places the dmarc record at the `_dmarc` label under the policy domain, not at the apex. the apex TXT is where spf lives; putting dmarc there would collide with spf parsers.

what's the difference between `adkim=r` and `adkim=s`?

relaxed (`r`) accepts any subdomain under the same organisational domain — e.g. `mail.example.com` aligned with From: `example.com`. strict (`s`) requires an exact fqdn match. `aspf` works the same way for spf alignment.

does `p=reject` mean receivers must reject?

receivers are advised to reject, but dmarc is a policy signal, not a mandate. large mailbox providers (gmail, outlook) honor it; some smaller operators ignore it entirely. `pct` can gate rollout — `p=reject; pct=10` means only 10% of failing mail is rejected; the rest falls back to the `sp` or `quarantine` treatment.

can subdomains have their own dmarc policy?

yes. a subdomain may publish its own `_dmarc.sub.example.com` TXT, which overrides the parent. if it doesn't, receivers inherit the parent's policy but apply the `sp` tag instead of `p` when scoring the subdomain.

what's `fo` for?

`fo` controls when forensic reports fire: `0` (default) = report only on total dmarc failure; `1` = report when any auth check fails; `d` = dkim failure; `s` = spf failure. it only matters if you publish a `ruf` address.

what is dmarc?

dmarc (domain-based message authentication, reporting & conformance) is an email-authentication policy published as a txt record at `_dmarc.<domain>`. it tells receivers what to do with mail that fails spf or dkim alignment — monitor, quarantine, or reject — and where to send reports, closing the gap that lets spammers spoof your domain.

what does dmarc stand for?

dmarc stands for domain-based message authentication, reporting, and conformance. it builds on the two older email-authentication standards, spf and dkim, adding alignment between the visible From: address and those checks, plus a reporting channel so domain owners can see who is sending mail in their name.

how does dmarc work?

a receiver checks whether an incoming message passes spf or dkim and whether the authenticated domain aligns with the visible From: header. it then applies your published policy — `p=none`, `quarantine`, or `reject` — to anything that fails, and emails aggregate reports to the `rua` address you specified.

how do i set up dmarc?

first get spf and dkim passing for every legitimate sender. then publish a txt record at `_dmarc.<domain>` starting with `v=DMARC1; p=none; rua=mailto:[email protected]` to collect reports without blocking. once reports confirm all real mail aligns, tighten the policy to `quarantine` and finally `reject`.

what is a dmarc record?

a dmarc record is a single txt record at `_dmarc.<domain>` holding semicolon-separated tags: `v=DMARC1` (version), `p=` (policy — none/quarantine/reject), `rua`/`ruf` (report addresses), `adkim`/`aspf` (alignment mode), `pct` (rollout percentage), and `sp` (subdomain policy). this tool parses each tag for you.

do i need dmarc?

yes if your domain sends email — gmail and yahoo now require dmarc for bulk senders, and without it anyone can spoof your domain in phishing. even a monitor-only `p=none` record is worth publishing for visibility, though only `quarantine` or `reject` actually blocks spoofed mail.

Do I need a separate DMARC record for subdomains?

not usually. a DMARC record at _dmarc.yourdomain.com covers the organizational domain and, by default, its subdomains. you can override subdomains with the sp tag (subdomain policy); if sp is absent, subdomains inherit the main p value. publish a separate _dmarc record on a subdomain only when it needs its own policy or its own reporting address.

Does DMARC require DKIM, or is SPF enough?

DMARC passes if either SPF or DKIM passes with alignment, so one is technically enough. in practice you want both: SPF alignment breaks on forwarding and on ESPs that use their own return-path, while DKIM survives forwarding. relying on SPF alone makes a lot of legitimate mail fail DMARC, so sign every sender with aligned DKIM too.

Why am I not receiving DMARC (rua) reports?

common causes: the rua value is missing the mailto: prefix, a syntax error elsewhere makes receivers ignore the whole record, the report address is on another domain that has not published the _report._dmarc authorization, DNS has not propagated, or the domain sends too little mail to generate reports. confirm the record parses and that external-domain reporting is authorized.

Is DMARC required for Gmail and Yahoo?

yes for bulk senders. since february 2024 Google and Yahoo require senders of more than about 5,000 messages a day to publish SPF, DKIM and a DMARC record (at least p=none), plus one-click unsubscribe and a low spam-complaint rate. smaller senders are not strictly required to, but authenticated mail still lands far better.

Related tools

  • dns lookup resolve A, AAAA, MX, TXT, NS, or CNAME records via Cloudflare DoH.
  • dns records lookup resolve A, AAAA, NS, SOA, CAA, and TXT records for a domain in one go.
  • mx lookup list the mail exchangers (MX records) a domain advertises, sorted by priority.
  • spf checker find and parse a domain's SPF (sender policy framework) record.

References

  1. RFC 7489 — DMARC
  2. RFC 8617 — ARC
ad slot · tool-dmarc-checker