Policy Inspector · Tag Parser · Report URI Check · Free

DMARC Analyzer

Free DMARC record checker and inspector. Instantly look up any domain's DMARC DNS record, analyze every tag, assess policy strength, and get actionable configuration advice.

✓ Full tag-by-tag parsing✓ Policy strength analysis✓ Report URI validation✓ Alignment mode detection✓ No signup

Domain to inspect

Queries _dmarc.yourdomain.com via Cloudflare DNS-over-HTTPS (Google DoH fallback). Nothing is sent to Best-TempMail servers.

What this tool does

Free DMARC analyzer: inspect and validate any domain's DMARC record

DMARC (Domain-based Message Authentication, Reporting, and Conformance) is a DNS-based email authentication protocol defined in RFC 7489 that lets domain owners specify what receiving mail servers should do when an email fails SPF or DKIM checks. Published as a TXT record at _dmarc.yourdomain.com, a DMARC record defines the policy (none, quarantine, or reject), where to send authentication failure reports, how strictly the sending domain must match the authenticated domain, and how aggressively the policy should be applied during a phased rollout.

DMARC is the capstone of the email authentication stack. SPF authorizes which servers are allowed to send on behalf of your domain. DKIM cryptographically signs messages so recipients can verify they were not altered in transit. DMARC ties these together with alignment requirements, the domain in the From: header must match the domain authenticated by SPF or DKIM, and adds a reporting mechanism that gives you daily visibility into what is happening to email sent from your domain across the internet.

This analyzer queries your domain's DMARC record in real time using Cloudflare DNS-over-HTTPS and decodes every tag. It assesses your policy strength, checks whether aggregate reports are configured (essential for visibility into authentication failures), identifies partial rollout configurations (pct= below 100%), evaluates alignment modes (adkim= and aspf=), and surfaces less-visible tags like fo= failure options and ri= report interval that most tools ignore. Each finding includes plain-English guidance so you know exactly what needs to change and why.

Since February 2024, Google and Yahoo require DMARC for bulk senders delivering more than 5,000 messages per day to Gmail. Even below that threshold, DMARC is a baseline deliverability signal. Domains without it are scored lower by spam filters. For organizations targeting BIMI (Brand Indicators for Message Identification), which displays your logo next to emails in Gmail and Apple Mail, a policy of p=quarantine or p=reject with pct=100 is a hard prerequisite. This analyzer identifies exactly where your current configuration stands and what steps remain.

What this tool analyzes

v= tag

Version. Must be DMARC1

p= tag

Policy: none (monitor), quarantine (spam), or reject (block)

sp= tag

Subdomain policy override. Can differ from the main domain

pct= tag

Rollout percentage. What fraction of failures the policy applies to

rua= tag

Aggregate report addresses. Where daily XML reports are sent

ruf= tag

Forensic report addresses. Per-failure message details

adkim= tag

DKIM alignment: relaxed (default) or strict

aspf= tag

SPF alignment: relaxed (default) or strict

fo= tag

Failure reporting options. Which failure types trigger reports

ri= tag

Report interval. How often to receive aggregate reports

Why it matters

Why DMARC analysis matters for every domain owner

Publishing a DMARC record once and never revisiting it is one of the most common email security gaps. Email infrastructure is not static. Marketing platforms, CRM tools, helpdesk systems, and transactional email services are added and changed regularly. Each new sending source needs to be authorized in SPF and signed with DKIM before the DMARC policy can safely be enforced. A quarterly DMARC analysis confirms that nothing has broken and that the policy is still covering all failure scenarios correctly.

The most dangerous gap is a domain stuck at p=none. This is the monitoring-only policy that most deployments start with. And many never leave. A p=none record collects data but provides zero protection. Anyone can forge the From: address for that domain and the message will reach the inbox without any authentication enforcement stopping it. Running this analyzer surfaces whether a domain is genuinely protected or merely has the appearance of DMARC coverage.

Beyond enforcement, the analyzer highlights missing rua= addresses. A surprisingly common omission. Without aggregate reports, you have no window into what is happening to email from your domain. You cannot tell which sending sources are passing, which are failing, or whether a legitimate service has started failing authentication after a configuration change. Setting rua= costs nothing and takes thirty seconds; the daily XML reports it generates are the foundation of any DMARC improvement program.

For domain portfolios, including acquired, legacy, or parked domains, this analyzer gives you a quick read on each domain's posture without requiring access to the DNS panel. Security teams, email deliverability specialists, and IT administrators regularly use it to audit domains they did not originally configure and to confirm that partner or vendor domains meet baseline authentication standards before an email integration goes live.

Troubleshooting

Common DMARC configuration problems and how to fix them

Most DMARC issues fall into a small number of patterns. The analyzer flags them. Here is what each one means and what to do about it.

No DMARC record found at _dmarc.yourdomain.com

Why it happens: No TXT record has been published, or the record was created at the wrong host name. For example, dmarc.yourdomain.com instead of _dmarc.yourdomain.com (note the underscore).

Fix: In your DNS provider, add a TXT record with the host name _dmarc (the underscore is required). The value must start with v=DMARC1. A safe starting record: v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com

DMARC passes but email is still going to spam

Why it happens: p=none provides monitoring only, not enforcement. Mail goes to spam for unrelated reasons: poor sender reputation, spam content triggers, or inbox filter rules. Not because of DMARC specifically.

Fix: Check your SPF record with the SPF Flattening Tool and confirm DKIM is active via the DKIM Analyzer. Once both pass for all sending sources, advance from p=none to p=quarantine, then p=reject. Improving your sending infrastructure quality is a separate step from DMARC enforcement.

DMARC fails even though SPF is passing

Why it happens: SPF alignment is failing. Your ESP (Mailchimp, SendGrid, HubSpot, Klaviyo, etc.) uses its own Return-Path domain, so SPF passes for their servers but the envelope domain does not match your From: domain. DMARC requires alignment, not just a bare SPF pass.

Fix: Enable DKIM signing for your domain via your ESP's settings. This involves adding one or two CNAME records to your DNS. DKIM alignment is based on the d= header you control, which does match your From: domain. Once DKIM alignment passes, DMARC passes regardless of the SPF envelope mismatch.

Duplicate DMARC records causing permerror

Why it happens: Two or more TXT records exist at _dmarc.yourdomain.com. RFC 7489 only permits one. Most receiving mail servers treat duplicates as a permanent error (permerror) and effectively ignore DMARC entirely. Removing all protection.

Fix: Open your DNS zone editor and delete all but one _dmarc TXT record. This typically happens when a DNS panel creates a new record on each save rather than overwriting the existing one. Re-run this analyzer after deletion to confirm a single record is returned.

pct= is below 100 and was never intentionally set that way

Why it happens: Some DMARC setup wizards and DNS providers insert a conservative pct=10 or pct=25 default during initial configuration. If this was never updated, only a fraction of failing messages are subject to the policy. The rest pass through regardless.

Fix: Edit your DMARC TXT record and update pct to 100, or remove the pct= tag entirely (100 is the RFC default when the tag is omitted). Re-run the analyzer to confirm.

sp= subdomain policy is weaker than the main domain policy

Why it happens: An explicit sp=none was set during rollout to protect subdomain sending flexibility, but was never tightened after the main domain reached p=reject.

Fix: Remove the sp= tag entirely to let subdomains inherit the main p= policy, or set sp=quarantine / sp=reject explicitly. Be sure to verify that all email-sending subdomains have SPF and DKIM configured before hardening sp=.

rua= address is not receiving reports

Why it happens: If the rua= address belongs to a third-party domain (e.g. a DMARC reporting service), that domain must publish a special DNS record granting permission to receive reports for your domain. Without it, most mailbox providers will not send reports to that address.

Fix: Check whether the report destination domain has published a _report._dmarc.reportdomain.com TXT record that authorizes receiving reports for your domain. Reporting services like dmarcian and postmaster tools handle this automatically; manual addresses on third-party domains require this record.

Technical background

Understanding the full email authentication stack

The DMARC record this analyzer parses does not operate in isolation. It is the policy and reporting layer built on top of two underlying standards. Understanding all three together is essential for diagnosing failures and knowing which tags to fix first.

SPF (Sender Policy Framework) is a DNS TXT record published at your root domain that lists which IP addresses and mail servers are authorized to send email on behalf of your domain. When a receiving server gets a message, it checks the sending IP against the SPF record for the Return-Path (envelope) domain. The limitation: SPF only validates the envelope sender, the hidden address used for bounces, not the visible From: header. This is why ESP-generated Return-Path addresses create alignment failures even when SPF technically passes. You can inspect and flatten your SPF record using the dedicated tool.

DKIM (DomainKeys Identified Mail) adds a cryptographic signature to outgoing messages using a private key held by the sending server. The receiving server retrieves the corresponding public key from DNS and verifies the signature. Because the DKIM signature is embedded in the email header and is based on the d= domain you control, it survives forwarding and is unaffected by the ESP's Return-Path infrastructure. Making it the more reliable alignment mechanism for third-party senders. Verify your DKIM configuration with the DKIM Analyzer.

DMARC alignment is the bridge. A message passes DMARC when at least one authentication mechanism passes with alignment to the From: header domain. In relaxed mode (adkim=r / aspf=r, both defaults), a subdomain match is sufficient. In strict mode (adkim=s / aspf=s), an exact match is required. The analyzer highlights your current alignment settings and flags if strict mode could be causing unexpected failures.

Two additional standards build on a working DMARC deployment: MTA-STS (Mail Transfer Agent Strict Transport Security) prevents SMTP downgrade attacks by requiring TLS on inbound connections, and BIMI (Brand Indicators for Message Identification) displays your verified brand logo next to emails in supporting clients including Gmail and Apple Mail. Both require DMARC at p=quarantine or p=reject before they can be configured. The DMARC Checker gives you a fast pass/warn/fail health summary if you need a quicker read on policy enforcement before doing a full tag-level analysis here.

Examples

Real DMARC records decoded: what the analyzer finds in each case

Six configurations covering the most common patterns seen in production. Each shows what this analyzer returns and why.

Example 1Reject policy. Maximum protection

v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s

A fully enforced DMARC record. p=reject blocks all unauthenticated email outright. rua= is set for monitoring. Strict alignment (adkim=s, aspf=s) ensures exact domain match is required. This is the gold standard for domains not used for sending email, or mature senders who have reviewed their aggregate reports.

Example 2Quarantine policy with 25% rollout

v=DMARC1; p=quarantine; pct=25; rua=mailto:reports@example.com; ruf=mailto:forensics@example.com

A common configuration during phased policy rollout. p=quarantine sends failures to spam, but pct=25 means only 25% of failing messages are affected. Both aggregate (rua=) and forensic (ruf=) reports are configured. Gradually increase pct to 100 as confidence grows.

Example 3None policy. Monitoring only

v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com; aspf=r; adkim=r

A monitoring-only configuration. p=none means no action is taken on failures, but aggregate reports are sent to the rua= address. This is the recommended starting point for new DMARC deployments. Analyze the reports for 2-4 weeks before tightening the policy.

Example 4Missing rua=. No visibility

v=DMARC1; p=reject

A valid reject policy but with no rua= address. Without aggregate reports, you have no visibility into authentication failures or whether legitimate email is being rejected. Always configure rua= to at least one report address.

Example 5Subdomain policy override

v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@example.com

The main domain uses reject but subdomains use none (sp=none). This is useful when the main domain is fully authenticated but some subdomains send email from third-party services that are not yet DKIM-signed. The sp= tag lets you protect the root domain while giving subdomains more flexibility.

Example 6Advanced reporting configuration with fo= and strict alignment

v=DMARC1; p=reject; pct=100; rua=mailto:reports@example.com; ruf=mailto:forensics@example.com; adkim=s; aspf=s; fo=1

A fully hardened record with every major tag configured. p=reject with pct=100 enforces the policy against all failing messages. fo=1 generates a forensic report if either SPF or DKIM fails. Giving maximum diagnostic detail. Strict alignment (adkim=s, aspf=s) requires exact domain matching, which is appropriate when the domain has tightly controlled sending infrastructure and no subdomain-based ESPs. The ri= tag is intentionally omitted as most providers ignore it.

FAQ

DMARC analyzer questions and answers

Answers to the most common questions about DMARC tags, alignment failures, reporting, and policy enforcement.

What is a DMARC record?

A DMARC (Domain-based Message Authentication, Reporting, and Conformance) record is a DNS TXT entry published at _dmarc.yourdomain.com that tells receiving mail servers what to do when a message fails SPF and DKIM authentication checks. It specifies a policy (none, quarantine, or reject), reporting addresses for aggregate and forensic reports, and alignment requirements. Without a DMARC record, receiving servers have no policy guidance and make their own decisions about unauthenticated mail from your domain.

What is the difference between DMARC none, quarantine, and reject?

The p= tag sets the policy. 'none' means monitor only. Emails pass regardless of authentication failures, but reports are generated. 'quarantine' means unauthenticated messages are sent to the spam folder. 'reject' means unauthenticated messages are refused outright. Most organizations start with none for monitoring, move to quarantine once they have confidence in their sending sources, then graduate to reject for maximum protection.

How do I look up a DMARC record?

Enter any domain into the analyzer above and click Analyze DMARC. The tool queries the DNS TXT record at _dmarc.yourdomain.com using live DNS over HTTPS lookups via Cloudflare DoH with Google DoH as fallback. Results appear within seconds. You can look up any domain, your own or a competitor's, as DMARC records are publicly accessible in DNS. No login or email address is required.

What is DMARC alignment?

Alignment means the domain in the From: header of the email must match the domain authenticated by SPF or DKIM. In relaxed alignment (the default), subdomains are accepted. In strict alignment, the domains must match exactly. The adkim= tag controls DKIM alignment and aspf= controls SPF alignment. If alignment fails on both mechanisms, DMARC fails regardless of whether SPF and DKIM individually pass.

What are DMARC aggregate reports (rua)?

Aggregate reports are XML files sent daily by major mail providers (Gmail, Outlook, Yahoo) to the address specified in rua=. They show how many messages were sent from your domain, which passed or failed SPF and DKIM, which senders were involved, and what policy action was applied. Setting up rua= is essential for understanding your email traffic before tightening your DMARC policy.

What are DMARC forensic reports (ruf)?

Forensic reports (specified in ruf=) contain details of individual authentication failures, including the message headers and sometimes the message body. They are sent in near real-time to the ruf= address when a message fails DMARC evaluation. Because forensic reports may contain sensitive email content, many receiving mail servers no longer send them due to privacy concerns. Aggregate reports (rua=) remain the primary monitoring mechanism for DMARC deployments and are supported by all major mail providers.

What does the pct= tag do in DMARC?

The pct= tag specifies what percentage of non-authenticating messages the policy should be applied to. For example, pct=10 means only 10% of failing messages are quarantined or rejected. The rest pass through as if the policy were 'none'. This allows gradual rollout of stricter policies. Once monitoring confirms no legitimate email is failing, increase pct to 100. Start with pct=10 and double it each week as you confirm authentic senders are passing authentication.

Why does my DMARC record show 'none' policy?

A 'none' policy is common when a domain has just set up DMARC and is in monitoring mode. It means authentication failures are logged in reports but not acted on. To actively protect your domain from spoofing and phishing, you need to progress to 'quarantine' and eventually 'reject' once you have reviewed your aggregate reports and confirmed all legitimate sending sources are properly authenticated.

Does DMARC work without SPF and DKIM?

DMARC depends on SPF and/or DKIM to function. A DMARC pass requires at least one of these mechanisms to pass with proper alignment. If neither SPF nor DKIM is configured, all email from your domain will fail DMARC. Set up SPF to authorize your sending servers and DKIM to cryptographically sign messages before implementing DMARC. SPF authenticates the envelope sender; DKIM authenticates the message content. DMARC ties both together at the From: header level.

How is this DMARC analyzer different from mxtoolbox or dmarcian?

This tool runs directly in your browser using Cloudflare DNS-over-HTTPS. No server-side processing, no data collection, no signup. It provides plain-English analysis of every DMARC tag with specific actionable advice for each one. For organizations managing DMARC at scale with XML report ingestion and trend analytics, dedicated platforms like dmarcian offer additional features beyond what any free single-lookup tool provides.

Why am I failing DMARC even though SPF is passing?

SPF passing is not enough on its own. DMARC requires SPF alignment. Meaning the domain in the SPF envelope (the Return-Path address) must match the From: header domain. Most email service providers (Mailchimp, SendGrid, HubSpot, Klaviyo, and others) use their own Return-Path domains, so SPF passes for their infrastructure but fails alignment for your domain. The solution is to enable DKIM signing for your domain through your ESP's settings. DKIM alignment is usually more reliable than SPF alignment for third-party platforms, and only one needs to pass for DMARC to pass.

What do the fo= failure reporting options mean?

The fo= tag controls which failure conditions trigger forensic reports. fo=0 (the default) only generates a report if both SPF and DKIM fail. fo=1 generates a report if either SPF or DKIM fails. This gives much more visibility. fo=d generates a report specifically when DKIM signature evaluation fails. fo=s generates a report specifically when SPF evaluation fails. For maximum diagnostic visibility during a new DMARC deployment, fo=1 is often recommended alongside an active ruf= address.

What is the ri= tag and does it matter?

The ri= tag specifies the requested report interval in seconds. How often you would like to receive aggregate reports. The default is 86400 (24 hours, i.e. daily). Most major mailbox providers ignore this tag entirely and send reports daily regardless of what ri= specifies. Setting a non-default ri= value has no practical effect for most senders and can be safely omitted from your DMARC record.

Does DMARC affect whether I can qualify for BIMI?

Yes. BIMI (Brand Indicators for Message Identification), the standard that displays your brand logo next to emails in Gmail, Apple Mail, and Yahoo, requires a DMARC policy of p=quarantine or p=reject. A p=none policy does not qualify. This makes advancing from p=none to enforcement a prerequisite for any brand that wants to display a verified logo in supported inboxes. Once your DMARC is at quarantine or reject with pct=100, you can begin the BIMI and VMC (Verified Mark Certificate) setup process.

What did Google and Yahoo change for bulk senders in 2024?

In February 2024, Google and Yahoo began enforcing authentication requirements for bulk senders. For Gmail, senders of more than 5,000 messages per day are required to have a DMARC record with at least p=none, properly configured SPF, and DKIM signing. While p=none technically satisfies the minimum, both Google and Yahoo recommend advancing to p=quarantine or p=reject for stronger deliverability signals. Even senders below the 5,000-message threshold benefit from compliance, as authentication is increasingly a baseline trust signal used by spam filters to score inbox placement.

Related Email Authentication Tools

DMARC Checker DKIM Analyzer SPF Flattening Tool SPF Record Checker Email Health Checker Email Privacy Auditor MX Record Checker DNS Lookup Tool Email Header Analyzer BIMI Record Checker All Tools

Need a disposable address right now?Generate a free, instant throwaway email. Zero signup, zero trace, ready in seconds.

Get Free Temp Mail