Instant DMARC Lookup · Policy Verification · Pass/Warn/Fail · Free

DMARC Checker

Free DMARC record checker. Instantly verify any domain's DMARC policy, check record existence, validate policy strength, and identify configuration issues.

✓ Live DNS lookup ✓ Policy strength grading ✓ Report URI check ✓ Pass / Warn / Fail ✓ No signup
Queries _dmarc.yourdomain.com via Cloudflare DNS-over-HTTPS (Google DoH fallback). Nothing is sent to Best-TempMail servers.
What this tool does

Free DMARC checker: verify your domain's email authentication policy

A DMARC record (Domain-based Message Authentication, Reporting, and Conformance) is a DNS TXT entry that instructs receiving mail servers how to handle email that fails SPF or DKIM authentication. Defined in RFC 7489, DMARC builds on top of both standards to give domain owners policy control and daily reporting. This checker performs a live DNS lookup at _dmarc.yourdomain.com and validates the record against published best practices, grading the policy strength, confirming report URIs are configured, and flagging every issue with a plain-language explanation and a specific fix.

The most critical tag is p=. A p=none record collects data but provides zero protection. Spoofed emails still reach inboxes. A p=quarantine record routes failures to spam. A p=reject record refuses unauthenticated messages outright and is the gold standard for domain protection. Most deployments start at p=none with rua= configured, review aggregate reports for two to four weeks to identify all legitimate sending sources, then step through pct= rollout increments until full p=reject enforcement is achieved.

Aggregate reports (rua=) are a non-negotiable part of safe DMARC deployment. They are XML summaries sent daily by major mailbox providers, including Gmail, Outlook, and Yahoo, showing every source sending email from your domain and whether each is passing or failing authentication. Without rua= in place, enforcing quarantine or reject risks blocking legitimate email from services you have not yet identified, such as marketing platforms, helpdesk tools, or CRMs.

Since February 2024, both Google and Yahoo have enforced mandatory DMARC for bulk senders delivering more than 5,000 messages per day to Gmail. Even below that threshold, DMARC is increasingly a baseline deliverability signal. A domain without it is scored lower by spam filters regardless of content quality. And for domains targeting BIMI (Brand Indicators for Message Identification), which displays your logo next to emails in Gmail and Apple Mail, a policy of p=quarantine or p=reject is a hard prerequisite.

What each check covers
Record existence: Confirms a _dmarc TXT record is present in DNS
v= version: Must be DMARC1 and must be the first tag
p= policy: none (monitor), quarantine (spam), or reject (block)
pct= rollout: What percentage of failures the policy applies to
rua= reports: Whether daily aggregate XML reports are configured
ruf= forensics: Whether per-failure forensic reports are configured
adkim= alignment: How strictly the DKIM domain must match the From: header
aspf= alignment: How strictly the SPF envelope domain must match the From: header
sp= subdomain: Whether subdomains have a separate policy override
Why it matters

Why you need to check your DMARC record regularly

Email spoofing remains one of the most common vectors in phishing attacks. When a domain has no DMARC record, or a weak p=none policy, anyone can send email that appears to come from that domain. Customers, partners, and employees receive convincing fakes with no technical indicator that anything is wrong. DMARC enforcement at p=reject closes this gap completely by instructing every major receiving mail server to discard unauthenticated messages before they reach the inbox.

Most domain owners set up a DMARC record once and assume the job is done. In reality, email infrastructure changes constantly. New marketing platforms, transactional email services, CRMs, and helpdesk tools are added over time, each requiring its own SPF authorization and DKIM signing configuration. A sending source that was not present when DMARC was first deployed can silently fail authentication for months without anyone noticing, until a support ticket arrives asking why emails are going to spam.

Running this checker takes under ten seconds. It surfaces problems immediately: a missing rua= address that means you have been flying blind on authentication failures, a pct= value below 100 left over from a rollout that was never completed, or a subdomain policy (sp=) that is weaker than the main domain policy. Catching these issues early prevents deliverability problems, protects your sender reputation, and keeps your domain out of phishing campaigns that damage customer trust.

For teams managing multiple domains, including legacy, parked, or acquired domains, regular DMARC checks across the entire portfolio are essential. Each unprotected domain is an attack surface. A quick check with this tool confirms every domain has at minimum a p=reject record even if it sends no email, eliminating entire categories of brand impersonation risk.

Step by step

How to use the DMARC checker

Using the tool is straightforward. Here is the full process from start to finish:

1. Enter your domain. Type your domain name (e.g. example.com) or paste a full email address from that domain. The tool strips the local part and protocol automatically, so email@example.com and https://example.com both resolve to example.com.

2. Click Check DMARC. The tool performs a live DNS-over-HTTPS lookup at _dmarc.yourdomain.com via Cloudflare, with Google DoH as a fallback. Nothing is sent to Best-TempMail servers. The query goes directly from your browser to the DNS resolver.

3. Review your overall grade. The result header shows Valid, Warnings, Invalid, or Missing alongside the raw record string. This tells you at a glance whether your domain has DMARC protection in place.

4. Read each check. Expand each pass/warn/fail card to understand what is correct, what needs attention, and what the recommended fix is. Pay particular attention to any fail badges. These represent gaps that actively weaken or invalidate your DMARC posture.

5. Act on the recommendations. Each failed or warned check includes a specific remediation step. Log into your DNS provider, update the record, and re-run the checker after a few minutes to confirm the change has propagated.

Common use cases

Who uses this DMARC checker and why

Email deliverability troubleshooting
When bulk email campaigns start landing in spam, DMARC policy is often the cause. If a sending platform is not properly configured with DKIM signing and SPF alignment, its messages will fail DMARC and be quarantined or rejected. This checker identifies whether p= enforcement is active and whether pct= is set to 100%, helping email marketers and developers diagnose deliverability drops without digging through DNS manually.
Pre-launch security checks for new domains
Before going live with a new domain, security and IT teams verify that SPF, DKIM, and DMARC are all in place. A missing DMARC record on a fresh domain means it can be spoofed immediately. Running this checker confirms the record is published, the policy is set correctly, and rua= is configured before any marketing or product emails are sent.
Policy upgrade validation
Moving from p=none to p=quarantine, or from p=quarantine to p=reject, requires verifying that the DNS change propagated correctly and that no typos or tag errors were introduced. This tool confirms the new policy is live within minutes of publishing the change, and flags any syntax issues before they cause delivery problems.
Third-party vendor audits
IT security teams and compliance officers regularly audit the email posture of vendors, partners, and suppliers. A domain with p=none or no DMARC record at all represents a potential attack surface. This checker makes it fast to spot-check any domain in seconds without requiring access to their DNS panel.
Monitoring parked and inactive domains
Domains that do not send email are commonly used in phishing attacks because they rarely have authentication records. Checking all domains in a portfolio, including parked, legacy, and inactive ones, identifies unprotected domains that can be locked down with p=reject and v=spf1 -all.
Troubleshooting

Common DMARC problems and how to fix them

Most DMARC issues fall into a small number of patterns. Here are the most common failures, why they happen, and what to do about each one.

DMARC record not found (_dmarc lookup returns nothing)
Why it happens: No TXT record has been published at _dmarc.yourdomain.com, or the record was published at the wrong host name (e.g. dmarc.yourdomain.com instead of _dmarc.yourdomain.com).
Fix: Log into your DNS provider and add a TXT record with the exact host name _dmarc (not dmarc, not @). The value should start with v=DMARC1. A minimal starting record: v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com
DMARC is set up but email is still going to spam
Why it happens: p=none provides no enforcement. It only monitors. Mail goes to spam for other reasons: low sender reputation, missing SPF, unsigned DKIM, or inbox filter rules.
Fix: Check your SPF record with the SPF Flattening Tool and verify DKIM signing is active via the DKIM Analyzer. After confirming both pass for all your sending sources, advance from p=none to p=quarantine or p=reject.
DMARC passes SPF but still fails overall
Why it happens: SPF alignment is failing. Your sending platform uses its own Return-Path domain (very common with ESPs like Mailchimp, SendGrid, HubSpot, and Klaviyo) so the SPF envelope domain does not match your From: domain. Alignment requires either SPF or DKIM to match, not just SPF to pass.
Fix: Enable DKIM signing for your domain through your ESP's settings. This adds a CNAME record to your DNS that creates a verified DKIM signature with d= matching your From: domain. Once DKIM alignment passes, DMARC passes regardless of the SPF envelope mismatch.
Duplicate DMARC records causing 'permerror'
Why it happens: Two or more TXT records exist at _dmarc.yourdomain.com. RFC 7489 allows only one. Most receiving servers treat duplicates as a permanent error (permerror) and effectively ignore DMARC entirely.
Fix: Open your DNS zone and delete all but one _dmarc TXT record. This usually happens when DNS control panels create a new record on each save rather than overwriting the existing one. After deleting duplicates, re-run this checker to confirm only one record is returned.
pct= is not 100 but you never changed it
Why it happens: Some DNS providers or DMARC setup wizards insert pct=10 or pct=25 as a 'safe default' during initial setup. If this was never updated, your DMARC policy is only enforced against a fraction of failing messages.
Fix: Edit your DMARC record and set pct=100 (or remove the pct= tag entirely, as 100 is the default per RFC 7489). Verify the change propagated by re-running this checker.
sp= subdomain policy is weaker than main policy
Why it happens: If you have set p=reject but omitted sp=, subdomains inherit p=reject by default, which is correct. However, if sp=none was explicitly set during a phased rollout and never updated, subdomains remain unprotected even after the main domain is hardened.
Fix: Remove the sp= tag entirely to let subdomains inherit the main p= policy, or set sp=reject explicitly. Re-run this checker and confirm the subdomain policy check no longer warns.
The email authentication stack

How DMARC, SPF, and DKIM work together

DMARC does not work in isolation. It is the policy layer that sits on top of two older authentication standards, SPF and DKIM, and uses them as evidence to make enforcement decisions. Understanding how all three interact is essential for diagnosing failures.

SPF (Sender Policy Framework) is a DNS TXT record that lists every IP address and mail server authorized to send email for your domain. When a receiving server gets a message, it checks whether the sending IP is in the SPF record for the Return-Path (envelope) domain. If it is, SPF passes. The limitation: SPF only checks the envelope, the hidden Return-Path used for bounces, not the From: address visible to recipients. Forwarded email and shared-infrastructure ESPs commonly break SPF alignment. You can check and flatten your SPF record using the dedicated tool.

DKIM (DomainKeys Identified Mail) adds a cryptographic signature to outgoing messages. The sending server signs the message with a private key, and the receiving server verifies the signature using a public key published in DNS. Because the signature is embedded in the email header, it survives forwarding, which is why DKIM alignment is often more reliable than SPF alignment for third-party sending platforms. Verify your DKIM configuration with the DKIM Analyzer.

DMARC alignment is the bridge. DMARC passes only when at least one of the following is true: the SPF-authenticated domain aligns with the From: header domain, or the DKIM signing domain (d=) aligns with the From: header domain. 'Align' means either an exact match (strict mode, adkim=s / aspf=s) or a domain-parent match (relaxed mode, the default). A message that passes SPF on its own but has a mismatched Return-Path domain, which is the norm for SendGrid, Mailchimp, and similar platforms, will fail DMARC alignment unless DKIM is also correctly configured.
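
The alignment rule described above, as an added example (not the checker's own code). RFC 7489 defines relaxed mode as "same organizational domain"; PUBLIC_SUFFIXES is a tiny constructed stand-in for the Public Suffix List, and the message objects and function names are assumptions made for illustration.

```javascript
// Added example: DMARC identifier alignment (relaxed vs strict).
// Constructed, deliberately tiny stand-in for the Public Suffix List.
const PUBLIC_SUFFIXES = new Set(["com", "net", "org", "co.uk"]);

// Organizational domain = longest matching public suffix plus one label.
function orgDomain(domain) {
  const labels = domain.toLowerCase().replace(/\.$/, "").split(".");
  for (let i = 0; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join("."))) {
      return i === 0 ? null : labels.slice(i - 1).join(".");
    }
  }
  return null; // unknown suffix: only an exact match can align
}

// mode "s" = strict (exact match), anything else = relaxed (the default).
function aligned(fromDomain, authDomain, mode) {
  const from = fromDomain.toLowerCase();
  const auth = authDomain.toLowerCase();
  if (from === auth) return true;
  if (mode === "s") return false;
  const org = orgDomain(from);
  return org !== null && org === orgDomain(auth);
}

// msg.from: domain of the From: header
// msg.spf:  { result, domain } where domain is the Return-Path domain
// msg.dkim: [{ result, d }] one entry per DKIM signature
function evaluateDmarc(msg, policy = {}) {
  const aspf = policy.aspf || "r";
  const adkim = policy.adkim || "r";
  const spfAligned =
    msg.spf.result === "pass" && aligned(msg.from, msg.spf.domain, aspf);
  const dkimAligned = msg.dkim.some(
    (sig) => sig.result === "pass" && aligned(msg.from, sig.d, adkim)
  );
  return { spfAligned, dkimAligned, dmarc: spfAligned || dkimAligned ? "pass" : "fail" };
}

// Constructed messages: an ESP that uses its own Return-Path domain,
// first without and then with DKIM signing for the From: domain.
const espNoDkim = {
  from: "example.com",
  spf: { result: "pass", domain: "bounces.esp.example.net" },
  dkim: [],
};
const espWithDkim = {
  ...espNoDkim,
  dkim: [{ result: "pass", d: "example.com" }],
};
// Constructed message: subdomain From: signed by the parent domain.
const subdomainMail = {
  from: "mail.example.com",
  spf: { result: "fail", domain: "mail.example.com" },
  dkim: [{ result: "pass", d: "example.com" }],
};

console.log(evaluateDmarc(espNoDkim).dmarc);                     // SPF passes, nothing aligns
console.log(evaluateDmarc(espWithDkim).dmarc);                   // DKIM aligns
console.log(evaluateDmarc(subdomainMail, { adkim: "r" }).dmarc); // relaxed
console.log(evaluateDmarc(subdomainMail, { adkim: "s" }).dmarc); // strict
```
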

Beyond the core three, MTA-STS (Mail Transfer Agent Strict Transport Security) and BIMI build on DMARC to add transport security and brand display respectively. MTA-STS prevents SMTP downgrade attacks. BIMI displays your verified logo in supporting email clients. Both require DMARC to be in place at p=quarantine or p=reject before they can function.

Examples

What DMARC records look like and how this tool grades them

These five examples cover the most common DMARC configurations you will encounter.

Pass: Strong enforcement. All checks pass
v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.com
All checks pass. v=DMARC1 is correct, p=reject provides maximum enforcement, pct=100 means 100% of failing messages are rejected, and rua= ensures you receive daily aggregate reports.
Warnings: Quarantine policy. Partial enforcement
v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@example.com
Policy is set to quarantine (sends failures to spam) but pct=50 means only half of failing messages are affected. Upgrade pct to 100 and consider moving to p=reject for full protection.
Warnings: Monitoring only. No enforcement
v=DMARC1; p=none; rua=mailto:reports@example.com
p=none provides zero protection against spoofing. Emails still deliver even if authentication fails. This is a valid starting configuration for monitoring, but must be upgraded to quarantine or reject.
Warnings: Missing rua=. No report visibility
v=DMARC1; p=reject
Strong policy but no rua= address. Without aggregate reports, you have no visibility into authentication failures or whether legitimate email is being blocked. Always configure at least one rua= address.
Fail: No DMARC record
(no _dmarc TXT record found)
No DMARC protection. Receiving servers have no policy instructions and your domain is vulnerable to email spoofing and phishing attacks. Create a DMARC record immediately. Even p=none with rua= is better than nothing.
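
One way to reproduce these grades from the raw TXT strings, as an added example rather than the checker's own code. The grade names come from this page; the exact rule set, the function names, and the two extra edge-case records are assumptions.

```javascript
// Added example: grade the TXT strings returned for _dmarc.<domain>.
// Grade names come from the page; the rule set itself is an assumption.
const POLICY_RANK = new Map([["none", 0], ["quarantine", 1], ["reject", 2]]);
const VERSION_FIRST = /^\s*v\s*=\s*DMARC1\s*(;|$)/; // v=DMARC1 must lead the record

// Parse "tag=value; tag=value" into a Map (first occurrence of a tag wins).
function parseTags(record) {
  const tags = new Map();
  for (const part of record.split(";")) {
    const eq = part.indexOf("=");
    if (eq === -1) continue; // empty segment or text without "="
    const name = part.slice(0, eq).trim().toLowerCase();
    if (!tags.has(name)) tags.set(name, part.slice(eq + 1).trim());
  }
  return tags;
}

function gradeDmarc(txtRecords) {
  const findings = [];
  const note = (status, check, detail) => findings.push({ status, check, detail });
  const done = (grade) => ({ grade, findings });

  if (txtRecords.length === 0) {
    note("fail", "existence", "no TXT record at _dmarc");
    return done("Missing");
  }
  const dmarc = txtRecords.filter((r) => VERSION_FIRST.test(r));
  if (dmarc.length !== 1) {
    note("fail", "existence", dmarc.length === 0
      ? "no record starts with v=DMARC1"
      : `${dmarc.length} DMARC records published, only one is allowed`);
    return done("Invalid");
  }

  const tags = parseTags(dmarc[0]);
  const p = (tags.get("p") || "").toLowerCase();
  if (!POLICY_RANK.has(p)) {
    note("fail", "p", "p= is missing or not none/quarantine/reject");
    return done("Invalid");
  }
  if (p === "none") note("warn", "p", "monitoring only, no enforcement");
  else note("pass", "p", `p=${p} is enforced`);

  const pctRaw = tags.has("pct") ? tags.get("pct") : "100"; // default is 100
  const pct = /^\d{1,3}$/.test(pctRaw) ? Number(pctRaw) : NaN;
  if (Number.isNaN(pct) || pct > 100) note("fail", "pct", `pct=${pctRaw} is not 0-100`);
  else if (pct < 100) note("warn", "pct", `policy covers only ${pct}% of failures`);
  else note("pass", "pct", "policy covers all failures");

  if (tags.get("rua")) note("pass", "rua", "aggregate reports configured");
  else note("warn", "rua", "no aggregate report address");

  const sp = (tags.get("sp") || "").toLowerCase();
  if (sp && !POLICY_RANK.has(sp)) note("fail", "sp", `sp=${sp} is not a valid policy`);
  else if (sp && POLICY_RANK.get(sp) < POLICY_RANK.get(p)) {
    note("warn", "sp", `sp=${sp} is weaker than p=${p}`);
  }

  const statuses = findings.map((f) => f.status);
  if (statuses.includes("fail")) return done("Invalid");
  return done(statuses.includes("warn") ? "Warnings" : "Valid");
}

// The five records from the examples above, plus two constructed edge cases.
const SAMPLES = [
  ["v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.com"],
  ["v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@example.com"],
  ["v=DMARC1; p=none; rua=mailto:reports@example.com"],
  ["v=DMARC1; p=reject"],
  [],
  ["v=DMARC1; p=none", "v=DMARC1; p=reject"], // constructed: duplicate records
  ["v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@example.com"], // constructed: weak sp=
];
for (const txt of SAMPLES) console.log(gradeDmarc(txt).grade, JSON.stringify(txt));
```
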
FAQ

DMARC questions and answers

Answers to the most common questions about DMARC records, email authentication failures, and how to fix them.

What does a DMARC checker do?
A DMARC checker performs a live DNS lookup for the TXT record at _dmarc.yourdomain.com and validates it against best-practice standards. This tool checks whether the record exists, whether the policy (p=) provides real enforcement, whether aggregate reports are configured (rua=), what percentage rollout is set (pct=), and how SPF and DKIM alignment is configured. Each check returns a pass, warn, or fail status with an explanation of the issue and a concrete recommendation for fixing it.
How do I check my DMARC record?
Enter your domain name or an email address from that domain into the input above and click Check DMARC. The tool performs a real-time DNS query via Cloudflare DoH (with Google DoH as fallback) and parses the DMARC TXT record at _dmarc.yourdomain.com. Results appear within seconds showing your current policy, enforcement level, reporting addresses, and any configuration problems. No account, no API key, and no email sending is required.
Is this DMARC checker free to use?
Yes, completely free. There are no usage limits, no registration requirements, and no paid tiers. Every lookup is performed in your browser via public DNS-over-HTTPS endpoints. Best-TempMail does not receive or log the domains you check.
What is a fully passing DMARC record?
A strong DMARC record has four key elements: v=DMARC1 as the first tag, p=reject as the enforcement policy, pct=100 to apply the policy to all failing messages, and a rua= address to receive daily aggregate XML reports. A p=quarantine record with pct=100 and rua= configured is also considered good. It routes failures to spam rather than blocking them outright, which is safer during a transition from p=none to p=reject.
Why is my DMARC record missing?
A missing DMARC record means no TXT record exists at _dmarc.yourdomain.com. This is the most common gap for domains that have configured email but skipped DMARC. To fix it, add a TXT record at _dmarc.yourdomain.com starting with v=DMARC1. Use p=none with a rua= address first to collect reports without affecting delivery, then progress to quarantine and reject once you have confirmed all legitimate sending sources are authenticating correctly.
What is the difference between p=none, p=quarantine, and p=reject?
The p= tag controls what receiving servers do with mail that fails DMARC. p=none takes no action. Failures are logged in reports but mail is delivered normally. p=quarantine routes failing messages to the spam folder. p=reject refuses delivery entirely. For real protection against phishing and brand spoofing, p=quarantine or p=reject is required. p=none is only appropriate during initial monitoring and should not be left in place once your aggregate reports confirm all legitimate mail is passing authentication.
Why am I failing DMARC even though I have SPF configured?
SPF alone is not enough for DMARC to pass. DMARC requires either SPF alignment or DKIM alignment, meaning the domain in the SPF envelope (the Return-Path address) or the DKIM d= signing domain must match the domain in the From: header. If your sending platform uses its own Return-Path domain (very common with ESPs like Mailchimp, SendGrid, and HubSpot) and you have not added DKIM signing via a CNAME record, the SPF record passes but the alignment check fails, causing a DMARC failure. The fix is almost always to add DKIM signing for your domain through your email service provider's settings.
How quickly do DMARC DNS changes propagate?
For most modern DNS providers such as Cloudflare, Route 53, and Google Cloud DNS, changes are visible globally within 5 to 30 minutes. TTL values on older records can extend propagation to a few hours in rare cases. To speed things up before making a change, temporarily reduce your DMARC record TTL to 300 seconds (5 minutes), wait for the old TTL to expire, make the change, then restore the TTL after propagation.
Can I have more than one DMARC record on a domain?
No. RFC 7489 permits only one DMARC TXT record per domain. If two or more _dmarc TXT records exist, most receiving mail servers treat it as an error and behave as if no DMARC record exists at all, removing all protection. If this checker reports an error despite you having published a record, check your DNS zone for duplicate entries. This often happens when DNS providers create a new record on save rather than replacing the existing one.
Do I need DMARC if my domain does not send email?
Yes. Non-sending and parked domains are actively targeted in phishing campaigns because they typically have no email authentication records. Publishing p=reject on every domain you own, including inactive ones, prevents attackers from forging your domain name in phishing emails. Combine it with an SPF record of v=spf1 -all to reject all senders and a null MX record to signal no inbound mail. This takes under five minutes and is one of the highest-value security steps for any domain.
What is the difference between DMARC Checker and DMARC Analyzer?
The DMARC Checker on this page gives you a fast pass/warn/fail health check covering the most critical DMARC elements: record existence, policy enforcement, pct rollout, and rua= configuration. The DMARC Analyzer tool provides a deeper breakdown of every supported DMARC tag including alignment modes, subdomain policy, report intervals, and forensic reporting options. Use the Checker for a quick status check or regular monitoring, and the Analyzer when troubleshooting a specific tag or preparing to tighten your policy.
Why does Google require DMARC for bulk email senders?
In February 2024, Google and Yahoo began enforcing new bulk sender requirements that include mandatory DMARC authentication. Google requires senders of more than 5,000 messages per day to Gmail to have a DMARC record with at least p=none. While p=none passes the requirement technically, Google's guidance recommends progressing to p=quarantine or p=reject. The underlying reason is deliverability trust: without DMARC, Google's spam systems score your domain lower regardless of your content quality. Even senders below the 5,000-message threshold benefit from having DMARC in place, as it is increasingly a baseline signal for inbox placement.
What is BIMI and why does it require DMARC?
BIMI (Brand Indicators for Message Identification) is a standard that displays your brand logo next to your emails in supported clients including Gmail, Apple Mail, and Yahoo. To qualify for BIMI, your domain must have a DMARC policy of p=quarantine or p=reject. p=none is not sufficient. This requirement exists because BIMI is essentially a trust signal: mailbox providers only display your logo when they can verify that you have genuine enforcement in place and that attackers cannot easily spoof your domain. If your goal is to show a logo in Gmail, getting DMARC to p=reject is a prerequisite step.
What is the difference between adkim=r and adkim=s?
The adkim= tag controls how strictly the DKIM signing domain must match the From: header domain. adkim=r (relaxed, the default) allows the DKIM d= domain to be a parent domain of the From: address. So a message From: user@mail.example.com can be signed with d=example.com and still pass. adkim=s (strict) requires an exact match: d= must equal exactly the domain in From:. Most deployments use relaxed mode because it accommodates common subdomain-based sending setups. Only switch to strict if you have a specific security reason to require exact domain matching.
How do I set up DMARC for Google Workspace or Microsoft 365?
For Google Workspace: navigate to your DNS provider, create a TXT record with the host name _dmarc and a value starting with v=DMARC1; p=none; rua=mailto:your@email.com. Google also recommends enabling DKIM signing in the Admin Console (Apps > Google Workspace > Gmail > Authenticate email) before advancing the policy. For Microsoft 365: DKIM is configured under Policies & Rules > Threat Policies > DKIM in the Defender portal. Publish the two CNAME records Microsoft provides, then add your DMARC TXT record once DKIM is active. In both cases, monitor aggregate reports for 2-4 weeks at p=none before advancing to quarantine or reject.
What is email spoofing and how does DMARC prevent it?
Email spoofing is the practice of forging the From: address in an email to make it appear to come from a legitimate domain. Because the original SMTP protocol has no built-in sender verification, anyone can send an email claiming to be from any address. DMARC prevents this by requiring receiving mail servers to verify that the sending source is authorized by the domain's own DNS records (via SPF or DKIM). If a message fails this check and the domain's DMARC policy is p=reject, the receiving server refuses delivery before the message ever reaches the inbox, stopping spoofed phishing emails that impersonate your brand.
