
Record Generator / Builder

Create a compliant record or fix the current one.


About

Domain-based Message Authentication, Reporting, and Conformance (DMARC) is the industry standard for preventing email spoofing. Without a valid DMARC record, email receivers cannot distinguish between legitimate communications and phishing attempts claiming to be from your organization.

This tool performs a real-time Recursive DNS Lookup via secure HTTPS to fetch the TXT record located at _dmarc.domain.com. Unlike basic validators, it parses the syntax against RFC 7489 standards, verifies external reporting authorizations (rua destinations), and provides a visual security impact assessment. It validates critical tags including the policy mode (p), alignment strictness (aspf, adkim), and reporting intervals.


Formulas

The DMARC evaluation logic follows a specific hierarchy to determine the final disposition of an email message.

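$$
\text{Result} =
\begin{cases}
\text{PASS} & \text{if } (\text{SPF} = \text{PASS} \land \text{SPF\_Align}) \lor (\text{DKIM} = \text{PASS} \land \text{DKIM\_Align}) \\
\text{FAIL} & \text{otherwise}
\end{cases}
$$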

If the result is FAIL, the action taken depends on the p tag:

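$$
\text{Action}(msg) =
\begin{cases}
\text{Deliver} & \text{if } p = \text{none} \\
\text{Spam Folder} & \text{if } p = \text{quarantine} \\
\text{Block} & \text{if } p = \text{reject}
\end{cases}
$$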

Reference Data

| Tag | Name | Required | Description | Example |
|---|---|---|---|---|
| v | Protocol Version | TRUE | Must be the first tag. Identifies the record as DMARC. | v=DMARC1 |
| p | Policy | TRUE | Action to take on failed emails. Options: none, quarantine, reject. | p=reject |
| rua | Aggregated Reports | FALSE | URI for daily aggregate reports (XML). Critical for visibility. | mailto:[email protected] |
| ruf | Forensic Reports | FALSE | URI for real-time failure reports (redacted copies of emails). | mailto:[email protected] |
| sp | Subdomain Policy | FALSE | Specific policy for subdomains. Defaults to p if undefined. | sp=none |
| pct | Percentage | FALSE | % of messages subjected to filtering. Useful for phased rollout. | pct=100 |
| aspf | SPF Alignment | FALSE | r (relaxed) or s (strict) alignment for SPF. | aspf=s |
| adkim | DKIM Alignment | FALSE | r (relaxed) or s (strict) alignment for DKIM. | adkim=r |

Frequently Asked Questions

p=none is "Monitoring Mode"; emails are delivered normally, but you receive reports. It is the starting point. p=quarantine sends failing emails to the Spam folder. p=reject is "Enforcement Mode"; failing emails are blocked entirely by the receiver. Do not switch to reject until you are sure all legitimate email sources are authenticated.
If you send reports to a domain different from the DMARC domain (e.g., example.com sends reports to agency.com), the receiving domain (agency.com) must publish a specific TXT record confirming they accept these reports. This prevents report spamming. This tool automatically checks for this authorization record.
DNS propagation can take anywhere from a few minutes to 48 hours. However, ensure your Hostname is correct. It must be strictly "_dmarc" (or "_dmarc.yourdomain.com" depending on your DNS provider's interface). A common mistake is creating "_dmarc.example.com.example.com".
No. RFC 7489 strictly forbids multiple DMARC records on a single domain. If multiple TXT records starting with "v=DMARC1" are found, the receiver will ignore all of them, leaving you unprotected.
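
The checks described in the reference table and the answers above can be sketched in Python as follows. This is an added example, not this tool's own code: the function names are hypothetical, the sample record is constructed, and the authorization record name `<policy-domain>._report._dmarc.<report-domain>` is the one defined in RFC 7489, section 7.1. It assumes the TXT strings have already been fetched from `_dmarc.<domain>` and compares hostnames directly instead of resolving Organizational Domains.

```python
import re

POLICIES = {"none", "quarantine", "reject"}
DMARC_RE = re.compile(r"^\s*v\s*=\s*DMARC1\s*(;|$)")  # v must be the first tag

def parse_tags(record):
    """Split 'tag=value; tag=value' into a dict; tag names are lower-cased."""
    tags = {}
    for part in filter(None, (p.strip() for p in record.split(";"))):
        tag, _, value = part.partition("=")
        tags[tag.strip().lower()] = value.strip()
    return tags

def external_report_names(domain, tags):
    """TXT names that outside rua/ruf destinations must publish (RFC 7489, 7.1)."""
    domain, names = domain.lower().rstrip("."), []
    for uri in ",".join(tags.get(t, "") for t in ("rua", "ruf")).split(","):
        uri = uri.strip()
        if not uri.lower().startswith("mailto:"):
            continue
        # Drop an optional "!10m" size limit, then keep the host after "@".
        host = uri[7:].split("!")[0].rpartition("@")[2].lower().rstrip(".")
        # Simplification: exact or subdomain match instead of Organizational Domain.
        name = f"{domain}._report._dmarc.{host}"
        if host != domain and not host.endswith("." + domain) and name not in names:
            names.append(name)
    return names

def check_dmarc(domain, txt_records):
    """Return (tags, problems, authorization_lookups) for _dmarc.<domain>."""
    records = [r for r in txt_records if DMARC_RE.match(r)]
    if not records:
        return {}, ["no DMARC record found"], []
    if len(records) > 1:
        return {}, [f"{len(records)} DMARC records found; receivers ignore all"], []
    tags, problems = parse_tags(records[0]), []
    if tags.get("p") not in POLICIES:
        problems.append("p is missing or not none/quarantine/reject")
    if tags.get("sp", "none") not in POLICIES:
        problems.append("sp is not none/quarantine/reject")
    for t in ("aspf", "adkim"):
        if tags.get(t, "r") not in ("r", "s"):
            problems.append(f"{t} must be r or s")
    pct = tags.get("pct", "100")
    if not pct.isdecimal() or int(pct) > 100:
        problems.append("pct must be an integer from 0 to 100")
    return tags, problems, external_report_names(domain, tags)

if __name__ == "__main__":  # constructed sample record
    print(check_dmarc("example.com", ["v=DMARC1; p=reject; rua=mailto:dmarc@agency.com"]))
```

Each name in the third return value is a TXT lookup to make against the report destination; the destination has authorized the reports only if that name returns a record beginning with `v=DMARC1`.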