DMARC (Domain-based Message Authentication, Reporting, and Conformance), defined in RFC 7489, ties together SPF and DKIM under a single policy framework. It tells receiving servers what to do when authentication fails and where to send aggregate reports about your domain's email traffic. Use the InboxTooling DMARC Analyze tool to check your record and identify misconfigurations.
What the DMARC Checker Evaluates
The tool queries DNS for the TXT record at _dmarc.yourdomain.com and performs a complete analysis of every tag.
Record Validation
- Record existence: Confirms a DMARC TXT record is published at the correct _dmarc. subdomain.
- Policy tag (p=): Validates the domain policy. Accepted values are none (monitor only), quarantine (send to spam), and reject (block delivery).
- Subdomain policy (sp=): Checks whether a separate policy applies to subdomains. If absent, the p= policy is inherited.
- Alignment mode: Evaluates adkim= (DKIM alignment) and aspf= (SPF alignment), each of which can be r (relaxed) or s (strict). Relaxed alignment allows subdomain matches; strict requires an exact domain match.
- Percentage tag (pct=): Indicates what percentage of failing messages the policy applies to. A value below 100 means the policy is being gradually rolled out.
- Reporting tags: Validates rua= (aggregate report recipients) and ruf= (forensic report recipients) for correct mailto: URI syntax.
How to Use the DMARC Checker
Enter your domain in the DMARC Analyze tool. The checker retrieves the record and returns a structured breakdown of every tag, along with actionable recommendations.
Interpreting the Results
Green (Pass): Your DMARC record is syntactically valid, the policy is enforced, and reporting is properly configured.
Yellow (Warning): The record works but has issues that weaken your posture. Common warnings include:
- Policy set to none with no plan to escalate. A p=none policy provides monitoring data but does not protect against spoofing.
- Missing rua= tag. Without aggregate reports, you have no visibility into who is sending email as your domain.
- pct= set below 100 for extended periods.
Red (Fail): The record is missing, contains syntax errors, or has conflicting tags that prevent proper evaluation.
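The tag checks and the pass/warning/fail grading described above can be sketched as follows. This is an added example, not the InboxTooling tool's code; the function names and finding messages are assumptions, and it takes the TXT strings already fetched from _dmarc.yourdomain.com as input so it runs offline.

```python
import re

# Added example: tag rules follow the page; names and messages are assumptions.
POLICIES = {"none", "quarantine", "reject"}
IS_DMARC = re.compile(r"^\s*v\s*=\s*DMARC1\s*(;|$)")
MAILTO = re.compile(r"^mailto:[^@\s,!]+@[^@\s,!]+(![0-9]+[kmgt]?)?$", re.I)


def parse_tags(record):
    """Split 'v=DMARC1; p=none; ...' into a dict of lower-cased tag -> value."""
    tags = {}
    for part in filter(str.strip, record.split(";")):
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part.strip()!r}")
        tags[name.strip().lower()] = value.strip()
    return tags


def check_dmarc(txt_records):
    """Grade the TXT strings found at _dmarc.<domain>: (status, findings)."""
    dmarc = [r for r in txt_records if IS_DMARC.match(r)]
    if len(dmarc) != 1:
        return "fail", ["no DMARC record" if not dmarc else "multiple DMARC records"]
    try:
        tags = parse_tags(dmarc[0])
    except ValueError as exc:
        return "fail", [str(exc)]
    errors, warnings = [], []
    policy = tags.get("p", "").lower()
    if policy not in POLICIES:
        errors.append("p= missing or invalid")
    for tag in ("adkim", "aspf"):
        if tags.get(tag, "r").lower() not in ("r", "s"):
            errors.append(f"{tag}= must be r or s")
    pct = tags.get("pct", "100")
    if not re.fullmatch(r"[0-9]{1,3}", pct) or int(pct) > 100:
        errors.append("pct= must be an integer from 0 to 100")
    elif int(pct) < 100:
        warnings.append("pct= below 100: policy applies to only part of failing mail")
    for tag in ("rua", "ruf"):
        for uri in filter(None, map(str.strip, tags.get(tag, "").split(","))):
            if not MAILTO.match(uri):
                errors.append(f"{tag}= URI is not a valid mailto: {uri}")
    if not tags.get("rua"):
        warnings.append("rua= missing: no aggregate reports")
    if policy == "none":
        warnings.append("p=none: monitoring only, no spoofing protection")
    status = "fail" if errors else "warning" if warnings else "pass"
    return status, errors or warnings
```
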
Why DMARC Checking Matters
Provider Requirements
Gmail, Yahoo, and Microsoft require DMARC records for bulk senders. Gmail specifically mandates at least p=none with a valid rua= address for domains sending over 5,000 messages per day. Without a DMARC record, your domain is ineligible for BIMI (Brand Indicators for Message Identification) and lacks protection against exact-domain spoofing.
The Path to Enforcement
DMARC is designed for incremental deployment:
- Monitor (p=none): Collect aggregate reports to identify all legitimate sending sources.
- Quarantine (p=quarantine): Route unauthenticated mail to spam. Start with pct=10 and increase gradually.
- Reject (p=reject): Block unauthenticated mail entirely. This is the target state for full domain protection.
Our checker tells you exactly where you are on this path and what to do next.
Alignment Verification
DMARC requires that at least one of SPF or DKIM passes and aligns with the From: header domain. A common failure is passing SPF at the envelope level but failing alignment because the MailFrom domain differs from the header From: domain. The Full Report evaluates both alignment paths in detail.
Common DMARC Record Errors
- Publishing at the wrong location: The record must be a TXT record at _dmarc.yourdomain.com, not at the domain root.
- Multiple DMARC records: Like SPF, only one DMARC record is permitted per domain.
- Invalid rua addresses: The reporting URI must use the mailto: scheme. If the report recipient is on a different domain, that domain must publish a corresponding authorization record.
- Skipping SPF and DKIM: DMARC depends on SPF and DKIM. Check both before troubleshooting DMARC failures.
FAQ
What is DMARC and why does it matter?
DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an email authentication protocol defined in RFC 7489. It builds on SPF and DKIM to let domain owners publish a policy that tells receiving mail servers how to handle messages that fail authentication. Without DMARC, anyone can send email that appears to come from your domain, making it essential for preventing phishing and spoofing. Use the DMARC Analyze tool to check whether your domain has a valid record in place.
What do the DMARC policies none, quarantine, and reject mean?
The three DMARC policies represent increasing levels of enforcement. p=none is monitor-only mode — it collects reports but takes no action on failing mail. p=quarantine instructs receivers to route unauthenticated messages to the spam folder, while p=reject tells them to block those messages entirely. Most organizations start at none, review their aggregate reports, and gradually move toward reject for full protection.
How do I set up a DMARC record for my domain?
Create a TXT record in your DNS at _dmarc.yourdomain.com with a value starting with v=DMARC1. At minimum, include a policy tag (p=none to start) and a reporting address (rua=mailto:[email protected]) so you receive aggregate data. For example: v=DMARC1; p=none; rua=mailto:[email protected]. Before publishing, make sure you already have valid SPF and DKIM records, since DMARC depends on both. After publishing, verify the record with the DMARC Analyze tool.
What are DMARC aggregate reports (rua) and how do I use them?
DMARC aggregate reports are XML files sent by receiving mail servers to the address specified in your rua= tag. They contain data on every message that claimed to come from your domain, including SPF and DKIM pass/fail results and the sending IP addresses. Reviewing these reports helps you identify all legitimate senders before tightening your policy, and exposes unauthorized sources attempting to spoof your domain. As required by RFC 7489, reports are typically delivered once every 24 hours.
How does DMARC alignment work?
DMARC alignment requires that the domain authenticated by SPF or DKIM matches the domain in the message's visible From: header. In relaxed mode (the default), a subdomain match is sufficient — for example, mail.example.com aligns with example.com. In strict mode, the domains must match exactly. At least one of SPF or DKIM must both pass and align for the message to pass DMARC. The Full Report tool evaluates both alignment paths in detail.
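The relaxed and strict rules above, together with the "SPF passes but does not align" failure described under Alignment Verification, can be worked through in code. This is an added example, not the Full Report tool's logic; the function names are assumptions, and the organizational domain is approximated as the last two labels where a real evaluator would use the Public Suffix List.

```python
def org_domain(domain):
    """Assumption for this example: the organizational domain is the last two
    labels. Real evaluators consult the Public Suffix List instead."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode="r"):
    """'s' (strict) needs an exact match; 'r' (relaxed) needs the same
    organizational domain, so mail.example.com aligns with example.com."""
    auth, frm = (d.lower().rstrip(".") for d in (auth_domain, from_domain))
    if mode == "s":
        return auth == frm
    return org_domain(auth) == org_domain(frm)


def evaluate(from_domain, spf, dkim_sigs, aspf="r", adkim="r"):
    """spf is (result, MailFrom domain); dkim_sigs is a list of
    (result, d= domain). A path counts only if it passes AND aligns."""
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain, aspf)
    dkim_ok = any(res == "pass" and aligned(d, from_domain, adkim)
                  for res, d in dkim_sigs)
    return {"spf": spf_ok, "dkim": dkim_ok,
            "dmarc": "pass" if (spf_ok or dkim_ok) else "fail"}


if __name__ == "__main__":
    # Constructed case: a third-party sender's bounce domain passes SPF but
    # does not align with the header From: domain.
    bounce = ("pass", "bounces.mailer.example")
    print(evaluate("example.com", bounce, []))
    print(evaluate("example.com", bounce, [("pass", "mail.example.com")]))
    print(evaluate("example.com", bounce, [("pass", "mail.example.com")], adkim="s"))
```
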
What happens if my domain does not have a DMARC record?
Without a DMARC record, receiving servers have no policy guidance and may deliver spoofed messages that appear to come from your domain. Your domain also becomes ineligible for BIMI brand logos in the inbox and may not meet the sender requirements imposed by Gmail, Yahoo, and Microsoft for high-volume senders. Publishing even a p=none record with a rua= address gives you visibility into your email traffic and is the critical first step toward protection. Check your current status with the DMARC Analyze tool.