Instant DMARC Lookup · Policy Verification · Pass/Warn/Fail · Free

DMARC Checker

Free DMARC record checker -- instantly verify any domain's DMARC policy, check record existence, validate policy strength, and identify configuration issues.

✓ Live DNS lookup
✓ Policy strength grading
✓ Report URI check
✓ Pass / Warn / Fail
✓ No signup
Queries _dmarc.yourdomain.com via Cloudflare DNS-over-HTTPS (Google DoH fallback). Nothing is sent to Best-TempMail servers.
What this tool does

Free DMARC checker -- verify your domain's email authentication policy

A DMARC record (Domain-based Message Authentication, Reporting, and Conformance) is a DNS TXT entry that tells receiving mail servers what to do with email that fails SPF or DKIM authentication. This checker performs a live DNS lookup at _dmarc.yourdomain.com and validates the record against best-practice standards -- grading the policy strength, checking whether aggregate reports are configured, and flagging specific issues with actionable remediation advice.

The most important element is the policy tag (p=). A p=none record provides monitoring data but zero protection -- phishing emails can still reach recipients. A p=quarantine record routes failures to spam. A p=reject record refuses unauthenticated messages outright and is the strongest available protection. Most organizations start with p=none to collect aggregate reports (rua=), identify all legitimate sending sources, fix any authentication gaps, then ramp up through quarantine to reject using the pct= percentage tag.

Aggregate reports (rua=) are essential for safe DMARC deployment. They are XML files sent daily by major providers like Gmail and Outlook showing which sources are sending email on behalf of your domain and how much is passing or failing authentication. Without rua= configured, you cannot safely enforce a quarantine or reject policy -- you risk blocking legitimate email you are not aware of.

What each check covers
Record existence: Confirms a _dmarc TXT record is present in DNS
v= version: Must be DMARC1 and must be the first tag
p= policy: none (monitor), quarantine (spam), or reject (block)
pct= rollout: What percentage of failures the policy applies to
rua= reports: Whether daily aggregate XML reports are configured
ruf= forensics: Whether per-failure forensic reports are configured
adkim= alignment: How strictly the DKIM domain must match the From: header
aspf= alignment: How strictly the SPF envelope domain must match the From: header
sp= subdomain: Whether subdomains have a separate policy override
Examples

What DMARC records look like -- and how this tool grades them

These five examples cover the most common DMARC configurations you will encounter.

Pass: Strong enforcement -- all checks pass
v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.com
All checks pass. v=DMARC1 is correct, p=reject provides maximum enforcement, pct=100 means 100% of failing messages are rejected, and rua= ensures you receive daily aggregate reports.
Warnings: Quarantine policy -- partial enforcement
v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@example.com
Policy is set to quarantine (sends failures to spam) but pct=50 means only half of failing messages are affected. Upgrade pct to 100 and consider moving to p=reject for full protection.
Warnings: Monitoring only -- no enforcement
v=DMARC1; p=none; rua=mailto:reports@example.com
p=none provides zero protection against spoofing -- emails still deliver even if authentication fails. This is a valid starting configuration for monitoring, but must be upgraded to quarantine or reject.
Warnings: Missing rua= -- no report visibility
v=DMARC1; p=reject
Strong policy but no rua= address. Without aggregate reports, you have no visibility into authentication failures or whether legitimate email is being blocked. Always configure at least one rua= address.
Fail: No DMARC record
(no _dmarc TXT record found)
No DMARC protection. Receiving servers have no policy instructions and your domain is vulnerable to email spoofing and phishing attacks. Create a DMARC record immediately -- even p=none with rua= is better than nothing.
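
The grading rules described above, written out as an added example (this is not the checker's own code). It takes the TXT strings already returned for _dmarc.yourdomain.com and returns pass, warn or fail; the function names, the issue wording and the choice to report p=quarantine as a warning are assumptions.

```python
# Added example (not the tool's own code): grades the TXT records found at
# _dmarc.<domain> with the checks this page lists. Names are assumptions.

def parse_tags(txt):
    """Split 'tag=value; tag=value' into an ordered list of (tag, value)."""
    pairs = []
    for part in txt.split(";"):
        tag, sep, value = part.partition("=")
        if sep:
            pairs.append((tag.strip().lower(), value.strip()))
    return pairs

def grade_dmarc(txt_records):
    """Return (grade, issues); grade is 'pass', 'warn' or 'fail'."""
    # Only a record whose first tag is v=DMARC1 counts as a DMARC record.
    parsed = [parse_tags(r) for r in txt_records]
    dmarc = [p for p in parsed if p and p[0] == ("v", "DMARC1")]
    if not dmarc:
        return "fail", ["no DMARC record"]
    if len(dmarc) > 1:
        return "fail", ["multiple DMARC records"]
    tags = dict(dmarc[0])
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return "fail", ["missing or invalid p= policy"]
    issues = []
    if policy == "none":
        issues.append("p=none is monitoring only")
    elif policy == "quarantine":
        # Assumption: anything short of p=reject is reported as a warning.
        issues.append("p=quarantine; consider p=reject")
    try:
        pct = int(tags.get("pct", "100"))  # pct defaults to 100 when absent
    except ValueError:
        pct = -1
    if not 0 <= pct <= 100:
        issues.append("pct= is not a number from 0 to 100")
    elif pct < 100 and policy != "none":
        issues.append(f"pct={pct} covers only part of failing mail")
    if not tags.get("rua"):
        issues.append("no rua= aggregate report address")
    return ("warn" if issues else "pass"), issues

if __name__ == "__main__":
    # The page's example records, as constructed lookup results.
    for rec in (["v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.com"],
                ["v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@example.com"],
                ["v=DMARC1; p=reject"], []):
        print(rec, grade_dmarc(rec))
```

Passing two DMARC strings in the list returns fail, matching the duplicate-record behaviour described in the FAQ.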
FAQ

Frequently asked questions

What does a DMARC checker do?
A DMARC checker performs a live DNS lookup for the TXT record at _dmarc.yourdomain.com and validates it. This tool checks whether the record exists, whether the policy (p=) provides real enforcement, whether aggregate reports are configured (rua=), what percentage rollout is set (pct=), and how SPF and DKIM alignment is configured. The result shows exactly what is correct, what needs improvement, and why.
How do I check my DMARC record?
Enter your domain name (or an email address from that domain) into the checker above and click Check DMARC. The tool queries your DNS in real time via Cloudflare DoH and parses the DMARC TXT record found at _dmarc.yourdomain.com. Results appear within seconds showing your current policy, enforcement level, reporting addresses, and any configuration warnings. No signup, no API key, and no email sending is required.
What is a passing DMARC record?
A strong DMARC record has four key elements: v=DMARC1 as the first tag confirming the record type, p=reject or p=quarantine as the enforcement policy, pct=100 to apply the policy to all failing messages, and a rua= address to receive aggregate reports. A record is considered fully passing when p=reject and pct=100 are both present, giving maximum protection against domain spoofing and phishing. The rua= address enables ongoing monitoring of authentication results.
Why is my DMARC record missing?
A missing DMARC record means no TXT record exists at _dmarc.yourdomain.com in your DNS. This is the most common configuration gap for domains that have set up email but skipped the DMARC step. To fix it, add a new TXT record at _dmarc.yourdomain.com with a value starting with v=DMARC1. Start with p=none to enable monitoring without affecting delivery, then upgrade to quarantine and reject after reviewing your aggregate reports. Most DNS changes propagate within minutes.
What is the difference between DMARC none, quarantine, and reject?
The p= policy tag controls what happens to emails that fail DMARC authentication. 'none' takes no action -- emails are delivered normally and failures are only logged in reports. 'quarantine' routes failing messages to the recipient's spam folder. 'reject' instructs receiving servers to refuse delivery entirely. For real protection against phishing and spoofing, you need p=quarantine or p=reject. p=none is only useful during initial monitoring -- it provides no protection and should not be left in place long-term once reporting confirms legitimate senders are authenticated.
How quickly do DMARC changes take effect?
DNS changes typically propagate within minutes to a few hours for most providers, though TTL settings can extend this to 24-48 hours in rare cases. For most major DNS providers like Cloudflare, Route 53, and Google Cloud DNS, DMARC record changes are visible globally within 5-30 minutes. Once the new record has propagated, receiving mail servers will begin applying the updated policy to incoming messages. Reducing your DNS record TTL to 300 seconds before making changes speeds up propagation.
Can I have multiple DMARC records on one domain?
No. Only one DMARC record is permitted per domain. If multiple _dmarc TXT records exist, most receiving mail servers will treat the result as a DMARC configuration error and behave as if no DMARC record exists -- effectively giving you no protection or enforcement. Check your DNS for duplicate records if this checker reports a DMARC error despite you having published a record. Some DNS providers inadvertently create duplicate records when records are edited rather than replaced.
What is pct= in a DMARC record?
The pct= tag specifies what percentage of failing messages the policy is applied to. For example, pct=10 means only 10% of messages that fail DMARC are quarantined or rejected -- the rest are treated as if the policy were 'none'. This is commonly used during phased rollout. Once you are confident your legitimate email is authenticating correctly, increase pct to 100.
Do I need DMARC even if I do not send email from my domain?
Yes. Parked domains and domains that never send email are frequently used for phishing attacks because they often have no authentication records in place. Adding DMARC with p=reject to a non-sending domain costs nothing and prevents attackers from using your domain name in phishing emails. Pair it with an SPF record of v=spf1 -all (rejecting all senders) and a null MX record to signal that the domain does not send or receive email. This is a critical security step for every domain you own, even inactive ones.
What is the difference between DMARC Checker and DMARC Analyzer?
The DMARC Checker on this page gives you a fast pass/warn/fail assessment of the most important checks for your DMARC record including policy enforcement level, pct value, and presence of reporting addresses. The DMARC Analyzer on a separate page provides a deeper breakdown of every DMARC tag including alignment modes, subdomain policies, report intervals, and failure reporting options. Use the Checker for a quick health check and the Analyzer when troubleshooting a specific configuration or preparing to upgrade your policy.
