Home/DMARC Record Checker
[ E.3 — DMARC ]

DMARC Record Checker

Look up and validate any domain's DMARC policy — see who receives reports, what happens to failing messages, and whether the record is actually doing anything.

Last reviewed: May 2026

// look up a domain
Reads the _dmarc.{domain} TXT record via Cloudflare DoH, parses every tag, and grades the policy.
Try: google.com github.com microsoft.com yahoo.com

What is DMARC?

Domain-based Message Authentication, Reporting & Conformance sits on top of SPF and DKIM. SPF validates that the sending server is authorized to send for the domain. DKIM cryptographically signs the message body and headers. DMARC ties the two together — it tells receiving mail servers what to do when a message fails both SPF and DKIM alignment (meaning the validated domain matches the From: header domain), and where to send reports about it.

Without DMARC, even a perfect SPF and DKIM setup gives the receiver no policy guidance — they have to guess. With DMARC, the policy is explicit: ignore failures, quarantine them, or reject them outright.

The three DMARC policies

  • p=none — monitoring only. Receivers collect reports and take no action. This is the right starting point when you first deploy DMARC, but it should never be the destination.
  • p=quarantine — failing messages go to spam/junk. The middle ground — better than nothing, but the message still gets through to the recipient in a non-prominent folder.
  • p=reject — failing messages are dropped at the SMTP layer. The gold standard. Spoofed mail with your domain as From: never reaches the recipient at all.

Why reporting matters

The rua= tag — the destination for aggregate reports — is arguably more valuable than the policy itself when you're starting out. Receivers send daily summaries of every message they saw claiming to be from your domain, whether it passed or failed. That's how you discover legitimate senders you forgot about (marketing automation, CRM, transactional email providers) and attackers actively spoofing your domain right now.

Since February 2024, Google and Yahoo both require DMARC for any sender pushing more than 5,000 messages a day to their users. Bulk senders without DMARC simply don't get delivered. The bar will only keep moving upward.

The alignment concept

DMARC isn't just checking that SPF or DKIM passed — it's checking that the domain they validated aligns with the From: header domain the user actually sees. The adkim and aspf tags control how strict the comparison is. Relaxed (the default, r) allows subdomains — mail from news.example.com aligns with example.com in the From: header. Strict (s) requires an exact match. Most domains use relaxed for both because it allows legitimate subdomain-based sending without breaking DMARC.

DMARC + SPF + DKIM — the three legs

Email authentication is a three-leg stool. SPF authorizes IPs. DKIM signs messages. DMARC ties them to the visible From: header and tells receivers what to do on failure. Skip any of the three and the others give weaker guarantees. The DNS records tool shows your full TXT, MX, and CNAME picture in one view if you need to audit everything together.