Free DMARC Checker – Validate Your DMARC Record

Instantly check any domain’s DMARC record, syntax, policy, alignment, and reporting tags.

DMARC Record Checker

Use this tool to lookup and validate your DMARC record.

Please enter a valid domain name, without http:// prefix

DMARC Status

This record has been correctly setup
This record has been correctly setup, but contains unsupported DMARCbis tags
This DMARC record is invalid

Record Checks

Valid DMARC record
DMARC policy
Aggregate Report (RUA) addresses
Forensic Report (RUF) addresses
Error Details
Warning

Tags Found

Tag Value Description
v DMARC Version
p DMARC policy
pct Percentage of emails to which the DMARC policy will be applied
rua Aggregate (RUA) reports URI(s)
ruf Aggregate (RUF) report URI(s)
fo The FO tag pertains to how forensic reports are created and presented to DMARC users.
aspf SPF alignment mode
adkim DKIM alignment mode
rf Format of failure reports
ri The ri tag corresponds to the aggregate reporting interval and provides DMARC feedback for the outlined criteria.
sp This tag represents the requested handling policy for subdomains.

0+

Organisations worldwide

0+

Fortune 100 and governments

0+

countries served

How to Use the DMARC Checker

1

Enter Domain

Enter your domain name without the http:// prefix (e.g., company.com).

2

Click Check DMARC

Initiate the live DNS mapping process by clicking the primary lookup action button.

3

Review Results

Analyze your detailed security posture and the clean tag-by-tag record breakdown.

The tool works on any domain. You do not need to own it to run a check.

What Your DMARC Check Results Mean

Your result falls into one of three categories. Here’s how to read each one and what to do next.

DMARC Record Found

Valid

A valid result means your domain publishes a correctly formatted _dmarc TXT record that mail receivers can read and act on. Check the policy (p=) value, because it determines whether the record actually protects you:

  • p=none Monitoring-only. You’re collecting reports, but receivers take no action against spoofed mail, so the domain is not yet protected against abuse. Once you’ve reviewed your reports and confirmed your legitimate senders are aligned, move to quarantine or reject. See our hosted DMARC option to manage this transition safely.
  • p=quarantine Failing mail is sent to spam/junk. Partial enforcement.
  • p=reject Failing mail is blocked outright. This is full enforcement and the recommended end state.
How your p= policy protects you A spoofed email fails DMARC — watch where it lands at each level.
Spoofed email fails DMARC
Inbox Spoof still delivered
Spam / Junk Quarantined
Blocked Spoof rejected
Protection Monitoring only — not yet protected

DMARC Record Found

Invalid

An invalid result means a record exists but contains errors that prevent it from working as intended. The most common causes:

  • Missing mandatory tags. Every record must begin with v=DMARC1 and include a p= policy tag. If either is absent, the record fails validation.
  • Syntax errors. Tags must be semicolon-separated with no stray characters. A misplaced space, missing semicolon, or duplicate tag will break parsing.
  • Malformed RUA/RUF addresses. Reporting addresses must use the mailto: prefix (e.g. rua=mailto:[email protected]). A bare email address without mailto: is invalid.

Fix the specific error, or regenerate a clean record from scratch using our free DMARC record generator tool.

No DMARC Record Found

Unprotected

No record means your domain has no DMARC protection at all. The implications:

  • The domain is unprotected against spoofing and impersonation, and anyone can send mail that appears to come from you.
  • You are non-compliant with Google and Yahoo bulk sender requirements, which can cause your legitimate mail to be rejected or filtered.
Use Our Free DMARC Generator

What Is a DMARC Checker?

A DMARC checker looks up the _dmarc TXT record published on a domain’s DNS, validates its syntax and configuration, and surfaces any issues it finds. In seconds, it tells you whether a record exists, whether it’s valid, and what policy is in force.

It’s used by IT administrators, email marketers, and security teams typically to verify a domain before launching a campaign, or to confirm a configuration change took effect after editing DNS.

You don’t need to read a full explainer to use it, but if you want the background on how DMARC works, check below:

What is DMARC Guide

DMARC Tags Explained

Tag Status What It Does Example Value
v Required DMARC protocol version identifier. Must always be the first tag in the record with the exact value DMARC1. v=DMARC1
p Required Policy for the main domain to instruct receivers how to handle failing mail. none = monitor only; quarantine = send to spam/junk; reject = block delivery entirely. p=reject
rua Optional Destination address(es) for aggregate (summary) reports. These reports summarize authentication activity across your sending domain. Recommended for monitoring. rua=mailto:[email protected]
ruf Optional Destination address(es) for forensic/failure reports. Generates individual email-level redactable reports for specific authentication failures. ruf=mailto:[email protected]
sp Optional Policy applied specifically to subdomains. If omitted, subdomains automatically inherit the main domain's p= policy value. sp=quarantine
np Optional Policy for non-existent subdomains (where DNS returns NXDOMAIN). Closes a common subdomain-spoofing security gap. np=reject
pct Optional Percentage of failing messages to which the DMARC policy is applied. Useful for a gradual enforcement rollout. Defaults to 100 if omitted. pct=50
adkim Optional DKIM alignment mode. Set to r (relaxed, default) to allow organizational subdomain matching, or s (strict) to require an exact domain match. adkim=s
aspf Optional SPF alignment mode. Set to r (relaxed, default) to allow organizational subdomain matching, or s (strict) to require an exact domain match. aspf=r
t Optional Testing mode (RFC 9989). Asks receiving mail servers to explicitly test configurations or apply the next less-strict fallback policy rule. t=y
fo Optional Forensic reporting options. Fine-tunes when failure reports are generated (e.g., if SPF fails, DKIM fails, or both fail). fo=1
psd Optional Public Suffix Domain flag. Used explicitly during evaluating recursive DNS tree-walk processes. Most standard corporate domains should omit this. psd=y

Next Steps After Your DMARC Check

Pick the path that matches your result:

No record found?

Create a valid DMARC record in under 2 minutes with the free generator — no manual editing required.

DMARC Generator

At p=none? Move to enforcement.

PowerDMARC's hosted DMARC guides you safely from monitoring to full p=reject enforcement with real-time visibility.

Hosted DMARC

Want ongoing monitoring?

PowerDMARC automatically parses aggregate reports and alerts you when new senders appear or authentication issues arise.

Start Free

Want ongoing monitoring instead of one-off checks? PowerDMARC automatically parses your DMARC aggregate reports and alerts you when issues arise. 

Frequently Asked Questions

Is the DMARC checker free?
Yes. You can check any domain's DMARC record for free, with no sign-up required.
Do I need to own the domain I'm checking?
No. DMARC records are published in public DNS, so you can check any domain.
How often should I check my DMARC record?
Check after any DNS or email configuration change, before launching a campaign, and periodically as part of routine email security hygiene.
Why does my domain show "no DMARC record" when I just added one?
DNS changes can take time to propagate. Wait for the TTL to expire (often up to a few hours) and check again.
What's the difference between a valid record and an enforced one?
A valid record is correctly formatted, but if its policy is p=none it only monitors and doesn't block spoofed mail. Enforcement means p=quarantine or p=reject.

Use our Free DMARC Record Checker Today!

Book a demo Start 15-day trial