AUTH-03 / EMAIL AUTHENTICATION
DMARC Checker
Parse a domain's DMARC record into its policy, alignment, and reporting tags — and see how strong the enforcement really is.
About the DMARC Checker
DMARC ties SPF and DKIM together and tells receiving servers what to do when a message fails authentication — and where to send reports. Without DMARC, attackers can spoof your domain with no consequences. This tool reads your published DMARC policy and shows its enforcement level and reporting setup.
What this tool checks
It queries the TXT record at _dmarc.yourdomain.com and displays the full policy, including the p= enforcement level, any rua/ruf reporting addresses, and the pct percentage.
Policy levels explained
p=none only monitors and reports without affecting delivery. p=quarantine sends failing mail to spam. p=reject blocks it outright. Most domains start at none to gather reports, then move to quarantine and finally reject once legitimate mail is confirmed to pass.
Frequently asked questions
What DMARC policy should I use?
Start with p=none to collect reports without affecting delivery. Once your reports confirm all legitimate mail passes SPF or DKIM with alignment, move to p=quarantine and then p=reject for full protection.
What are rua and ruf in DMARC?
rua is the address for aggregate reports — daily summaries of authentication results. ruf is for forensic reports on individual failures. Aggregate reports (rua) are the most useful for tuning your setup.
Why is my DMARC failing even though SPF passes?
DMARC requires alignment, not just a pass. The domain SPF authenticates must match your From domain. A common cause is mail sent through a third party that passes SPF for their domain but not yours — DKIM signing with your domain usually fixes this.