DMARC CheckerDMARC alignment requires SPF or DKIM to authenticate the visible From-domain, not just any envelope domain. Learn more →
Check a domain's DMARC policy — what it enforces, what's missing, and where it aligns. Instant, no signup, plain English.
Quick answer: DMARC tells receivers what to do when a message's SPF or DKIM authentication fails to align with the visible From-domain. This tool fetches the DMARC TXT record at `_dmarc.<domain>`, parses the policy (none / quarantine / reject), checks the aggregate-report and forensic-report addresses, validates alignment modes, and flags the percentage rollout. A missing or `p=none` DMARC means receivers gather data but enforce nothing — your domain is freely spoofable.
What this checksadkim=s (strict) requires DKIM signing domain to exactly match the visible From-domain. Learn more →
DMARC is a DNS TXT record that tells receivers what to do when an email's visible From-domain authentication does not align with SPF or DKIM. Per RFC 7489, it sits on top of SPF and DKIM as a policy and reporting layer. Relaymetry queries _dmarc.<domain> for the TXT record, parses every tag (v, p, sp, pct, rua, ruf, aspf, adkim, fo, rf, ri), validates the required tags (v=DMARC1, p=...), warns when the record sits at the apex instead of the _dmarc subdomain, classifies the policy strictness, and inspects the aggregate-report (rua=) and forensic-report (ruf=) addresses. We also check alignment modes: aspf=s (strict) requires the SPF envelope domain to match the From-domain exactly; aspf=r (relaxed, default) allows subdomain matches. Same for adkim=s/r for DKIM.
How to read the resultp=none is observe-only mode. Receivers report failures but do not change delivery. Learn more →
The policy tag (p=) is the headline: p=none is observe-only and enforces nothing — receivers report failures to your rua address but deliver mail anyway. p=quarantine instructs receivers to send failing mail to spam/junk. p=reject instructs receivers to block failing mail entirely. The pct= tag controls partial rollout: pct=10 means apply the policy to 10% of failing mail and leave the other 90% alone. rua=mailto:reports@example.com is where aggregate XML reports are sent — typically once per day per receiver. ruf=mailto:... is where individual failure samples (forensic reports) are sent — many receivers no longer send these for privacy reasons. The subdomain policy sp= overrides p= for subdomains; if absent, subdomains inherit p=. RFC 7489 §6.3 documents alignment evaluation: at least one of SPF or DKIM must pass AND align with the visible From-domain for DMARC to pass.
Common failures
No DMARC record published: the domain is unprotected against spoofing. Add a TXT record at _dmarc.<domain> starting with v=DMARC1; p=none; to begin observing failures, then promote to quarantine or reject once you have data. Record at the apex instead of _dmarc: the apex <domain> TXT receives all sorts of records (SPF, verification, etc.); DMARC must live at _dmarc.<domain>. Receivers ignore apex DMARC. Missing v=DMARC1 tag: DMARC parsing requires this exact prefix as the first tag. Without it the record is treated as not-DMARC and ignored. Missing p= tag: required by RFC 7489 §6.3. Without it the record is rejected. SPF or DKIM passes but DMARC fails: the underlying SPF/DKIM domain does not align with the visible From-domain. Common when third-party senders (Mailchimp, SendGrid, etc.) sign with their own domain. Either configure custom DKIM signing for the third party or accept SPF alignment via the envelope sender. Strict alignment (aspf=s or adkim=s) on a domain whose third-party senders use subdomains: subdomain mail will fail strict alignment. Use aspf=r (relaxed, the default) unless you have a specific reason for strict. pct= value above 100 or below 0: invalid; receivers may treat the entire record as malformed. Multiple DMARC records at _dmarc.<domain>: ambiguous; receivers fall back to no-DMARC. Merge into one. rua= set to an unreachable mailbox: aggregate reports bounce, you get no telemetry. Verify the address before deploying.
What this does not prove
A valid DMARC record does not mean your mail is actually authenticated. The receiver still has to evaluate SPF and DKIM on the actual message; either must pass and align with the From-domain. We do not test alignment with real messages, do not parse the aggregate reports your rua address receives, and do not detect whether your rua mailbox actually accepts the daily XML reports. We also do not verify that any third-party senders for your domain actually sign in alignment — that requires sending a real message and inspecting the receiver's Authentication-Results header. End-to-end DMARC validation requires aggregate-report aggregation tooling (Postmark, dmarcian, EasyDMARC, etc.).
Common questions
What does p=none mean?p=none is observe-only mode. Receivers report failures but do not change delivery. Learn more →
p=none is observe-only mode. Receivers report SPF/DKIM/DMARC outcomes to your rua address but do not change delivery. It is the safe starting point for any new DMARC deployment — wait until aggregate reports show all your legitimate sources pass, then promote to quarantine or reject.
What does p=reject mean?p=reject instructs receivers to block failing mail outright. The strongest enforcement tier. Learn more →
p=reject instructs receivers to refuse mail that fails DMARC. The strongest enforcement tier. Promote to reject only after p=quarantine has run cleanly for at least 30 days with no legitimate-source failures in your aggregate reports.
Why can SPF and DKIM pass but DMARC fail?
DMARC requires alignment with the visible From-domain. Per RFC 7489 §6.3, SPF can pass for an envelope sender that does not match the From-domain, and DKIM can pass for a different signing domain. DMARC additionally requires at least one of SPF or DKIM to authenticate the From-domain itself. Third-party senders (Mailchimp, SendGrid, etc.) often hit this case.
How long does it take for DMARC to work?
DNS publication is immediate (within the TTL — usually minutes to hours). Aggregate reports start arriving the next day from receivers that send rua reports. To safely promote from p=none → p=quarantine → p=reject, plan ~30 days at each tier to verify legitimate sources continue passing.
When did Gmail start requiring DMARC?
Gmail's bulk-sender requirements (effective February 2024) require senders of more than 5,000 messages per day to Gmail addresses to publish a DMARC record. Yahoo and Microsoft published parallel requirements. Below 5,000/day, DMARC is strongly recommended but not strictly enforced.
What should I set my DMARC to?
Start with v=DMARC1; p=none; rua=mailto:reports@<your-domain>; to gather data. Once aggregate reports confirm all legitimate sources pass for 30+ days, move to p=quarantine; pct=10; to ramp gradually, then increase pct to 100 over 2-4 weeks. Promote to p=reject once quarantine has run cleanly. Use aspf=r adkim=r (relaxed alignment, the defaults) unless you have a specific reason to require strict.