DMARC (Domain-based Message Authentication, Reporting, and Conformance) is a TXT record at _dmarc.<domain> that tells receivers what to do when SPF or DKIM checks fail and where to send aggregate reports.

DMARC Policy Check for example.com

DMARC record looks good

Cached result — last checked 19s ago.

Raw record

v=DMARC1;p=reject;sp=reject;adkim=s;aspf=s

Policy p=reject — failing mail is rejected outright by receivers.

v	DMARC1	provided
p	reject	provided
sp	reject	provided
pct	100	default
adkim	s	provided
aspf	s	provided
fo	0	default
rua		default
ruf		default

Warnings

No DMARC aggregate-report (rua=) address — you cannot see what is failing.
Add rua=mailto:dmarc-reports@<your-domain> per RFC 7489 §6.3; reports arrive daily once configured.
Learn how to fix this →

The policy values p=none / p=quarantine / p=reject move from observation to enforcement. p=none reports issues without acting; p=quarantine routes failing mail to spam; p=reject blocks it outright. The pct= modifier scales enforcement (start at low pct=, ramp up).

Start with p=none + a working rua= reporting address to gather data without disrupting mail flow. Once reports show clean SPF + DKIM alignment for legitimate senders, ramp pct from 25 to 100 under p=quarantine, then promote to p=reject. Without a reporting address, DMARC enforcement is blind.

Raw record

Warnings

No DMARC aggregate-report (rua=) address — you cannot see what is failing.