Tool

DMARC check

Check in seconds whether your DMARC record is configured correctly and your policy actually takes effect.

Permalink: ?domain=… works too.

What is DMARC?

DMARC (Domain-based Message Authentication, Reporting and Conformance) is the third building block of email authentication — and the only one that gives the other two, SPF and DKIM, a binding instruction. With only SPF and DKIM in place, receivers do check whether a mail is authentic, but they decide on their own what happens on failure. DMARC flips that around: as the domain owner, you set the policy.

A DMARC record is a TXT record at the hostname _dmarc.example.com. It defines three things: first the policy (p=none, p=quarantine or p=reject), second the reporting addresses (rua= for aggregated daily reports, ruf= for forensics), third optionally the alignment strictness (adkim, aspf) and ratio (pct).

The real lever is alignment: DMARC requires the domain in the visible From header to match the SPF Return-Path domain or the DKIM d= domain — otherwise it fails, even if SPF/DKIM individually pass. That is what makes it so effective against spoofing: an attacker can send their own mail in an SPF/DKIM-compliant way, but not under your From domain.

Dive deeper → What is DMARC?

Common DMARC mistakes

  1. p=none indefinitely

    Monitoring-only is the right entry point, but it doesn't protect. Anyone still on p=none after 3 months has never made the actual step — DMARC then only delivers reports, no effect.

  2. No rua tag → no reports

    Without a reporting address you're flying blind. You don't know which sources are failing and can't tune the setup data-driven. Configure a rua mailbox or use a report aggregator.

  3. pct below 100 without a plan

    With pct=10 the receiver only applies the policy to 10% of non-aligned mail. Useful as a ramp, dangerous as a permanent state — the other 90% still get through.

  4. SPF/DKIM not aligned

    SPF passes, DKIM passes — and DMARC still fails because the Return-Path domain differs from the From domain. Common with marketing tools, ESPs and ticketing systems that use their own bounce domain.

  5. adkim/aspf too strict for subdomains

    In strict mode the domain must match exactly. news.example.com then breaks against example.com. The default relaxed is the right choice for most setups.

  6. Multiple DMARC records on the same host

    The RFC allows only one TXT with v=DMARC1 under _dmarc.. Two records → receivers ignore both. Common after a provider switch where the old configuration wasn't removed.

  7. Quarantine without forensic backup

    If you move to p=quarantine or p=reject, run forensic reports or inbox monitoring in parallel for a while — otherwise you only notice false positives once sales starts complaining.

Fix issues — in 4 steps

Set up reporting

Configure a rua address that doesn't land in your own inbox — otherwise XML reports will flood it. Ideally a dedicated mailbox or a report aggregator.

_dmarc IN TXT "v=DMARC1; p=none; rua=mailto:[email protected]; pct=100"

Analyze sources

After 1–2 weeks the first aggregate reports arrive. List every sending IP and domain and map them to a system (CRM, ERP, marketing tool, helpdesk). Unknown sources are the most important finding.

Fix alignment

For each legitimate system: add an SPF include or configure a DKIM selector, then verify that mail arrives aligned. With ESPs, this usually means configuring a custom Return-Path domain.

Step up to p=quarantine → p=reject

Once reports show all legitimate sources are aligned: p=quarantine with pct=10, then pct=50, pct=100, then p=reject. 1–2 weeks of monitoring per step.

Want to check all 8 standards?

The full SelfCheck additionally tests SPF/DKIM/DMARC, BIMI, MTA-STS, TLS-RPT, DNSSEC and MX in a single run.

Start full SelfCheck →

Frequently asked questions about DMARC

What does p=quarantine mean?
p=quarantine tells receiving servers to move non-authenticated mail to the spam folder instead of delivering it directly. It is the middle step between p=none (monitoring only) and p=reject (full rejection).
How often do DMARC reports arrive?
Aggregate reports (rua) are typically sent daily, usually every 24 hours. Forensic reports (ruf) arrive in real time, provided the receiving server still generates them — many no longer do for privacy reasons.
How long does the path to p=reject take?
With a well-inventoried sender landscape, 4–8 weeks; for grown organizations with unknown senders, 3–6 months. Completeness matters more than speed — don't forget any legitimate source.
Do I need forensic reports?
Usually not. Aggregate reports show which IPs fail SPF/DKIM. Forensic reports contain mail headers and are GDPR-sensitive; many receivers no longer send them at all.
What is alignment?
Alignment means: the domain in the SPF Return-Path or the DKIM d= tag must match the visible From domain. Without alignment, DMARC fails — even if SPF and DKIM individually pass.