Free DMARC Checker Tool

Free DMARC checker — analyze DMARC policies, check enforcement levels, SPF/DKIM alignment, and reporting configuration for any domain.

What Is DMARC?

DMARC (Domain-based Message Authentication, Reporting & Conformance) is an email authentication policy layer that builds on SPF and DKIM. While SPF verifies the sending server and DKIM verifies message integrity, DMARC ties them together by requiring alignment with the From header domain.

Without DMARC, receiving servers have no instruction on what to do when SPF or DKIM checks fail. DMARC fills this gap with an explicit policy (none, quarantine, or reject) and a reporting mechanism for domain owners.

DMARC Policies Explained

DMARC has three policy levels. "p=none" is monitor-only — failures are reported but email is delivered normally. "p=quarantine" sends failing emails to spam. "p=reject" blocks them entirely, providing the strongest protection against spoofing.

Most organizations roll out DMARC in phases: start with "p=none" to gather data, analyze reports to identify all legitimate email sources, configure SPF/DKIM, then move to "p=quarantine" and finally "p=reject".

DMARC Alignment and Reporting

DMARC requires that at least one of SPF or DKIM passes and "aligns" with the From header domain, meaning the domain that mechanism authenticated matches the domain in the From header. Alignment can be "strict" (exact match) or "relaxed" (organizational domain match, allowing subdomains). Most domains use relaxed alignment for flexibility.

DMARC aggregate reports (rua) provide visibility into who is sending email using a domain. Forensic reports (ruf) provide details on individual authentication failures. These reports help domain owners identify unauthorized use and fix configuration issues.

Check Your DMARC Policy Now

Enter any domain above to instantly analyze its DMARC record. This DMARC checker parses the policy level, alignment mode, percentage enforcement, and reporting addresses — giving you a clear picture of a domain's email authentication posture.
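The parsing step described above can be reproduced offline. This is an added example, not this tool's own code: `parse_dmarc` is a hypothetical helper that reads a DMARC TXT value and reports policy, alignment modes, percentage and reporting addresses. It assumes the RFC 7489 tag names (`adkim`, `aspf`, `pct`, `sp`) and defaults for absent tags, and the second sample record is constructed.

```python
# Added example: offline parser for a DMARC TXT value (tag names per RFC 7489).
POLICIES = {"none", "quarantine", "reject"}
ALIGNMENT = {"r": "relaxed", "s": "strict"}

def parse_dmarc(record: str) -> dict:
    """Return policy, alignment modes, pct, report URIs and findings."""
    pairs = [part.split("=", 1) for part in record.split(";") if part.strip()]
    if any(len(pair) != 2 for pair in pairs):
        raise ValueError("malformed tag, expected tag=value")
    tags = [(name.strip().lower(), value.strip()) for name, value in pairs]
    # The version tag must come first and be exactly DMARC1.
    if not tags or tags[0] != ("v", "DMARC1"):
        raise ValueError("record must start with v=DMARC1")
    t = dict(tags)
    policy = t.get("p", "").lower()
    if policy not in POLICIES:
        raise ValueError("missing or invalid p= tag")
    # Defaults when a tag is absent: relaxed alignment, pct=100, sp inherits p.
    adkim, aspf = t.get("adkim", "r").lower(), t.get("aspf", "r").lower()
    if adkim not in ALIGNMENT or aspf not in ALIGNMENT:
        raise ValueError("adkim/aspf must be r or s")
    pct = int(t.get("pct", "100"))
    if not 0 <= pct <= 100:
        raise ValueError("pct must be between 0 and 100")

    def uris(tag):
        return [u.strip() for u in t.get(tag, "").split(",") if u.strip()]

    findings = []
    if policy == "none":
        findings.append("p=none is monitor-only: failing mail is still delivered")
    elif pct < 100:
        findings.append(f"policy is applied to only {pct}% of failing mail")
    if not uris("rua"):
        findings.append("no rua address: aggregate reports are not collected")
    return {"policy": policy, "subdomain_policy": t.get("sp", policy).lower(),
            "dkim_alignment": ALIGNMENT[adkim], "spf_alignment": ALIGNMENT[aspf],
            "pct": pct, "rua": uris("rua"), "ruf": uris("ruf"), "findings": findings}

if __name__ == "__main__":
    # First record is the basic one quoted on this page; the second is constructed.
    for txt in ("v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com",
                "v=DMARC1; p=quarantine; pct=50; adkim=s; aspf=r"):
        print(parse_dmarc(txt))
```

To check a live domain, pass in the TXT value published at `_dmarc.<domain>`; the parser itself makes no DNS queries.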

DMARC depends on SPF and DKIM. After reviewing your DMARC policy, use the SPF Record Checker to verify sender authorization, or run the Email Security Checker for a complete audit of MX, SPF, DMARC, MTA-STS, and BIMI records.

Frequently Asked Questions

What is DMARC and what does it protect?

DMARC (Domain-based Message Authentication, Reporting & Conformance) is an email authentication protocol that protects your domain from being used in phishing and spoofing attacks. It builds on SPF and DKIM by adding a policy layer that tells receiving servers what to do when authentication fails. A DMARC checker verifies your policy is correctly configured and provides reporting so domain owners can monitor unauthorized use.

What should my DMARC record contain?

A basic DMARC record looks like: "v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com". The "v" tag identifies the DMARC version, "p" sets the policy (none, quarantine, or reject), and "rua" specifies where to send aggregate reports. Start with "p=none" to gather data, then increase enforcement to "quarantine" and eventually "reject".

What's the difference between DMARC, SPF, and DKIM?

SPF verifies that the sending server's IP is authorized for the domain. DKIM uses cryptographic signatures to verify that the email content hasn't been tampered with. DMARC ties them together by requiring that at least one (SPF or DKIM) aligns with the From header domain, and provides a policy for handling failures. All three work together for comprehensive email authentication.

What does a DMARC policy of "none" mean?

A DMARC policy of "p=none" is monitoring-only mode. Receiving servers will check SPF and DKIM alignment but will deliver email normally regardless of the result. Authentication results are sent to the reporting address (rua) so domain owners can analyze who is sending email on their behalf before enabling enforcement. This is the recommended starting point for DMARC deployment.

Why am I getting DMARC failures?

DMARC failures occur when neither SPF nor DKIM passes in alignment with the From header domain. Common causes include: sending through a service not listed in your SPF record, missing or misconfigured DKIM signing, email forwarding that breaks SPF alignment, and third-party services sending on your behalf without proper authentication setup. Review your DMARC aggregate reports to identify the specific sources of failure.