Verify DMARC DNS records are correctly configured. Check policy enforcement, alignment requirements, and reporting setup.
DMARC (Domain-based Message Authentication, Reporting, and Conformance) is a DNS TXT record that tells receiving mail servers how to handle emails that fail SPF or DKIM authentication checks, and where to send reports about those failures.
In plain English: DMARC is your domain's instruction manual for email security. When someone sends an email claiming to be from your domain, the receiving server checks your DMARC record to find out what you want done if the message looks suspicious. Should it be delivered anyway? Sent to spam? Blocked entirely? Your DMARC record answers those questions.
Every DMARC record lives as a DNS TXT record at a specific location: _dmarc.yourdomain.com. When a mail server receives a message from your domain, it does a DNS lookup at that address to find your DMARC policy. If it finds one, it follows your instructions. If it doesn't find one, the server makes its own decision about what to do with the message — and that's rarely in your favor.
Use our free DMARC checker above to pull this TXT record and break it down into its individual components so you can see exactly what instructions your domain is giving to receiving mail servers.
DMARC doesn't work alone. It sits on top of two other email authentication protocols — SPF and DKIM — and acts as the decision-maker when those checks produce results. Here's the full authentication flow:
The alignment check is what makes DMARC powerful. SPF and DKIM can both pass, but DMARC can still fail if there's an alignment problem. Alignment means the domain in the visible “From” header must match the domain authenticated by SPF or DKIM. DMARC requires either SPF alignment or DKIM alignment to pass — not necessarily both.
Relaxed alignment: the organizational domains just need to match. An email from news.yourdomain.com aligns with yourdomain.com. Subdomains are allowed.
Strict alignment: the domains must match exactly. An email from news.yourdomain.com would NOT align with yourdomain.com. Only an exact match counts.
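The alignment rule above, worked through in code. This is an added example, not code from the page or from the checker tool it describes. It assumes a simplified "last two labels" notion of organizational domain; real receivers consult the Public Suffix List so that names under multi-part suffixes such as co.uk are handled correctly. The SPF domain checked is the one from the message's return path, and the DKIM domain is the d= value of the signature, which is why an email signed by a provider's own domain can pass DKIM yet fail DMARC.

```python
"""Added example (not from the page): DMARC identifier alignment.

Assumption: the organizational domain is approximated as the last two
labels of a hostname.  Production code should use the Public Suffix
List so that example.co.uk and similar names are handled correctly.
"""


def organizational_domain(domain: str) -> str:
    """Approximate organizational domain (see the assumption above)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """True if auth_domain aligns with the visible From: domain.

    mode is "r" (relaxed: organizational domains match) or
    "s" (strict: exact match), the values carried by adkim= / aspf=.
    """
    f = from_domain.lower().rstrip(".")
    a = auth_domain.lower().rstrip(".")
    if mode == "s":
        return f == a
    if mode == "r":
        return organizational_domain(f) == organizational_domain(a)
    raise ValueError(f"unknown alignment mode: {mode!r}")


def dmarc_passes(from_domain: str,
                 spf_result: str, spf_domain: str,
                 dkim_result: str, dkim_domain: str,
                 aspf: str = "r", adkim: str = "r") -> bool:
    """DMARC passes when EITHER SPF or DKIM passed AND that domain aligns.

    spf_domain is the return-path (envelope sender) domain;
    dkim_domain is the d= tag of the DKIM signature that verified.
    """
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, aspf)
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, adkim)
    return spf_ok or dkim_ok


if __name__ == "__main__":
    # Provider signs and bounces with its own domain: SPF and DKIM both
    # pass, but nothing aligns with the From: domain, so DMARC fails.
    print(dmarc_passes("yourdomain.com",
                       "pass", "esp-example.net",
                       "pass", "esp-example.net"))
```

The last case in the block is the "SPF and DKIM pass but DMARC fails" situation discussed later on this page: both checks succeed for the provider's domain, but neither authenticated domain shares an organizational domain with the From: header.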
A DMARC record is a single-line TXT record made up of tag-value pairs separated by semicolons. Here's what each tag means and how to use it.
v=DMARC1 — Version
Every DMARC record must start with this tag. It tells receiving servers this is a DMARC record. There's only one version, and it must always be DMARC1. If this tag is missing or incorrect, the entire record is ignored.
p=none|quarantine|reject — Policy
The most important tag. It tells receiving servers what to do with messages that fail DMARC checks.
p=none — Take no action, just send me reports
p=quarantine — Send failed messages to spam
p=reject — Block failed messages entirely
The p= tag is required. Without it, your DMARC record is invalid.
rua=mailto: — Aggregate Reports
Tells receiving servers where to send aggregate DMARC reports. These are XML files summarizing all email activity for your domain — which IPs sent mail, whether messages passed or failed, and what actions were taken. Example: rua=mailto:dmarc-reports@yourdomain.com
ruf=mailto: — Forensic Reports
Forensic reports provide detailed information about individual messages that failed DMARC. Note: many mail providers (including Gmail) do not send forensic reports due to privacy concerns. Don't rely on ruf as your only source of failure data.
pct= — Percentage
Controls what percentage of messages the policy applies to (1-100). Useful for gradual rollout. Default is 100 if not specified.
sp= — Subdomain Policy
Sets a separate DMARC policy for subdomains. If omitted, subdomains inherit the main domain's policy.
Monitoring only (initial setup):
v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com
Partial enforcement (transitioning):
v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@yourdomain.com
Full enforcement (maximum protection):
v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com; ruf=mailto:dmarc@yourdomain.com
Choosing the right DMARC policy is the most consequential decision in your email authentication setup.
p=none: Zero impact on email delivery. Messages that fail DMARC are delivered normally. The value is entirely in the reports you receive, which show every IP address sending mail as your domain.
Best for: Initial setup and monitoring. Always start here.
p=quarantine: Failed messages get routed to the recipient's spam or junk folder. The message isn't blocked, but it's effectively hidden unless the recipient goes looking for it.
Best for: Transitional enforcement after confirming all legitimate senders pass authentication.
p=reject: Receiving servers reject messages that fail DMARC outright. The message is never delivered — not to the inbox, not to spam, nowhere.
Best for: Full protection after running quarantine for several weeks with no issues.
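How a receiver turns the p=, sp= and pct= tags into a decision for a message that failed DMARC, as an added example that is not part of the original page. The settings dict is an assumed shape (tag names as keys, defaults already filled in). One detail worth knowing when you run the pct=50 transition record above: RFC 7489 says messages excluded by pct are not simply delivered, they get the next less strict policy, so pct-limited reject behaves as quarantine for the remainder and pct-limited quarantine behaves as none.

```python
"""Added example (not from the page): disposition of a DMARC-failing
message from the published p=, sp= and pct= tags.

Assumed input shape: {"p": "reject", "sp": "none", "pct": "50"}, i.e. the
tags of the record with sp and pct optional.
"""
import random

# RFC 7489 section 6.6.4: when pct= excludes a message from the published
# policy, the receiver applies the next less strict policy instead.
STEP_DOWN = {"reject": "quarantine", "quarantine": "none", "none": "none"}

POLICIES = ("none", "quarantine", "reject")


def disposition(settings: dict, is_subdomain: bool, draw=None) -> str:
    """Return 'none', 'quarantine' or 'reject' for a failing message.

    draw is an integer 0..99 used for pct sampling; None draws at random.
    """
    # Subdomains use sp= when present; otherwise they inherit p=.
    if is_subdomain:
        policy = settings.get("sp") or settings["p"]
    else:
        policy = settings["p"]
    if policy not in POLICIES:
        raise ValueError(f"invalid policy {policy!r}")

    pct = int(settings.get("pct", 100))
    if draw is None:
        draw = random.randrange(100)
    return policy if draw < pct else STEP_DOWN[policy]


def rollout_summary(settings: dict, trials: int = 1000, seed: int = 1) -> dict:
    """Count how a pct-limited policy splits failing mail over many messages."""
    rng = random.Random(seed)
    counts = {"none": 0, "quarantine": 0, "reject": 0}
    for _ in range(trials):
        counts[disposition(settings, False, rng.randrange(100))] += 1
    return counts


if __name__ == "__main__":
    # The transition record from this page: about half reject, half quarantine.
    print(rollout_summary({"p": "reject", "pct": "50"}))
    # Main domain at reject, subdomains explicitly at none.
    print(disposition({"p": "reject", "sp": "none"}, is_subdomain=True))
```

The subdomain branch is the behaviour behind the "subdomains inherit p=reject" problem described later on the page: with no sp= tag, `settings.get("sp")` is empty and the main policy applies to every subdomain.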
After running a DMARC lookup with our tool, you'll see several result fields. Here's what each one means.
Record found: Whether a DMARC record exists at _dmarc.yourdomain.com. If no record is found, your domain has no DMARC protection.
Policy: Your current enforcement level. If it says "none", you're in monitoring-only mode. If it says "quarantine" or "reject", you're actively enforcing.
Alignment: Your DKIM alignment (adkim) and SPF alignment (aspf) settings. Relaxed (r) is the default and works for most setups. If you're seeing unexpected failures with strict (s), consider switching to relaxed.
Reporting: Whether you have rua (aggregate) and ruf (forensic) report addresses configured. If these are empty, you're flying blind: you have a policy but no visibility into what's happening.
Subdomain policy: If you see an sp= value, your subdomains have a different policy than your main domain. If sp= is not present, subdomains inherit whatever p= is set to.
An email can pass SPF and DKIM individually but still fail DMARC if the authenticated domains don't match the “From” header domain.
No DMARC record found: The most common result. Your domain has zero DMARC protection.
Fix: Create a basic DMARC record starting with monitoring mode:
v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com
Add this as a TXT record at _dmarc.yourdomain.com in your DNS settings.
DMARC fails while SPF and DKIM pass: Almost always an alignment issue. SPF and DKIM are passing for one domain, but the “From” header shows a different domain.
Fix: Check that your email provider is using your domain (not theirs) for DKIM signing and SPF return-path. If you can't change this, switch to relaxed alignment with adkim=r; aspf=r.
Syntax errors: DMARC records are picky about formatting. Common mistakes:
Missing v=DMARC1 at the beginning
Typos in tag values (for example p=quarintine)
Missing the mailto: prefix in report addresses
Third-party senders: Marketing platforms, CRM systems, and helpdesk tools that send email on your behalf need proper authentication.
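A parser and validator for the record format described in the tag reference above, which also catches the syntax mistakes just listed. This is an added example, not code from the page or from the checker tool it describes; it works on the TXT string you would get back from a DNS lookup of _dmarc.yourdomain.com, and the three example records from the policy section are used as input. Tag names, defaults and the rule that v=DMARC1 must come first are as the page states; the pct range follows RFC 7489 (0 through 100).

```python
"""Added example (not from the page): parse and validate a DMARC TXT record.

Input is the raw TXT string, e.g. "v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com".
"""

VALID_POLICIES = {"none", "quarantine", "reject"}
DEFAULTS = {"pct": "100", "adkim": "r", "aspf": "r"}


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' pairs into a dict with lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:                      # tolerate a trailing semicolon
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        name, value = part.split("=", 1)
        tags[name.strip().lower()] = value.strip()
    return tags


def validate_dmarc(record: str) -> list:
    """Return a list of human-readable problems; an empty list means valid."""
    problems = []
    try:
        tags = parse_dmarc(record)
    except ValueError as exc:
        return [str(exc)]

    # v=DMARC1 must be the first tag, otherwise receivers ignore the record.
    first = record.strip().split(";", 1)[0].replace(" ", "")
    if first != "v=DMARC1":
        problems.append("record must start with v=DMARC1")

    # p= is required and must be one of the three policies (catches p=quarintine).
    if "p" not in tags:
        problems.append("missing required p= tag")
    elif tags["p"].lower() not in VALID_POLICIES:
        problems.append(f"invalid policy value p={tags['p']}")

    if "sp" in tags and tags["sp"].lower() not in VALID_POLICIES:
        problems.append(f"invalid subdomain policy sp={tags['sp']}")

    # Report destinations are comma-separated mailto: URIs.
    for tag in ("rua", "ruf"):
        for uri in (u.strip() for u in tags.get(tag, "").split(",")):
            if uri and not uri.lower().startswith("mailto:"):
                problems.append(f"{tag}= address missing mailto: prefix: {uri}")

    # pct= must be an integer 0-100 (RFC 7489); default is 100.
    pct = tags.get("pct", DEFAULTS["pct"])
    if not pct.isdigit() or not 0 <= int(pct) <= 100:
        problems.append(f"pct= must be 0-100, got {pct}")

    for tag in ("adkim", "aspf"):
        if tags.get(tag, "r") not in ("r", "s"):
            problems.append(f"{tag}= must be r or s")
    return problems


def effective_settings(record: str) -> dict:
    """Parsed tags with defaults applied; sp= inherits p= when absent."""
    tags = parse_dmarc(record)
    settings = {**DEFAULTS, **tags}
    settings.setdefault("sp", settings.get("p"))
    return settings


if __name__ == "__main__":
    for rec in ("v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com",
                "v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@yourdomain.com",
                "v=DMARC1; p=quarintine; rua=dmarc@yourdomain.com"):
        print(rec, "->", validate_dmarc(rec) or "OK")
```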
Fix: 1) Add the service's sending IPs to your SPF record. 2) Configure DKIM signing with your domain through the service's settings. 3) Verify alignment by sending a test email and checking headers.
Subdomains inheriting p=reject: If you have p=reject on your main domain but no sp= tag, your subdomains also inherit p=reject. This can cause problems if subdomains are used by different teams or tools.
Fix: Add an explicit subdomain policy: sp=none or sp=quarantine while you audit subdomain email sending.
DMARC, SPF, and DKIM are three separate protocols that work together as a complete email authentication system. Each one handles a different piece of the puzzle, and you need all three for proper protection.
SPF: Who Is Allowed to Send
Publishes a list of authorized sending IP addresses in your DNS. Receiving servers check whether the sending IP is on the list.
DKIM: Message Integrity
Adds a cryptographic signature to every outgoing email. The receiving server uses your public key to verify the signature matches.
DMARC: The Policy Layer
Ties SPF and DKIM together with alignment checks and policy enforcement. Tells servers what to do when authentication fails.
The full authentication chain works in order: SPF verifies the sender, DKIM verifies the message, and DMARC verifies the alignment and enforces the policy. Verify your SPF record is configured correctly with our SPF checker.
DMARC stands for Domain-based Message Authentication, Reporting, and Conformance. It's an email authentication protocol that builds on SPF and DKIM to prevent email spoofing. It lets domain owners specify how receiving servers should handle messages that fail authentication checks, and provides a reporting mechanism to monitor email activity.
Enter your domain name in the DMARC checker tool at the top of this page. The tool performs a DNS lookup at _dmarc.yourdomain.com and displays your full DMARC record with each tag broken down and explained.
Start with p=none to monitor email activity without affecting delivery. After reviewing your aggregate reports and confirming all legitimate senders pass authentication, move to p=quarantine. Once you're confident in your setup, move to p=reject for full protection. This gradual approach typically takes 4-8 weeks.
DMARC alignment checks whether the domain in the visible "From" header matches the domain authenticated by SPF or DKIM. Even if SPF and DKIM both pass, DMARC fails if the authenticated domains don't align with the "From" domain. This prevents attackers from using their own authenticated domain while spoofing your "From" address.
Yes. SPF and DKIM authenticate email, but without DMARC there's no policy telling receiving servers what to do with failed messages and no alignment check. DMARC is also required by Gmail and Yahoo for bulk senders. Think of it this way: SPF and DKIM are the locks, DMARC is the security guard who decides what happens when someone fails the lock check.
Add the rua= tag to your DMARC record with an email address where you want to receive aggregate reports. Example: v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com. Reports are sent as XML files, typically once per day, by each receiving mail server that processes your email.
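What arrives at the rua= address, and how to read it. This is an added example, not code from the page or from the checker tool it describes. The XML is constructed to match the aggregate report schema from RFC 7489 Appendix C; the reporting organization, the source IPs (taken from the documentation address ranges) and the counts are invented sample data. The dkim and spf elements under policy_evaluated are the aligned results the receiver computed, which is what decides DMARC pass or fail; the auth_results block shows which domains actually authenticated, and is where a non-aligned third-party sender shows up.

```python
"""Added example (not from the page): summarize a DMARC aggregate (rua) report.

SAMPLE_REPORT is a constructed report in the RFC 7489 Appendix C schema.
Real reports arrive as gzip or zip attachments, one per receiver per day;
unpacking them is left out here.
"""
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <email>noreply-dmarc@receiver.example</email>
    <report_id>constructed-report-001</report_id>
    <date_range><begin>1700000000</begin><end>1700086399</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>yourdomain.com</domain>
    <adkim>r</adkim><aspf>r</aspf><p>none</p><sp>none</sp><pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>192.0.2.10</source_ip>
      <count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>yourdomain.com</domain><result>pass</result></dkim>
      <spf><domain>yourdomain.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.7</source_ip>
      <count>15</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results>
      <spf><domain>unrelated.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def summarize_report(xml_text: str) -> dict:
    """Reduce a report to per-source rows plus totals.

    Reports come from third parties; if you process them at scale, parse
    with defusedxml rather than the stdlib parser used here for brevity.
    """
    root = ET.fromstring(xml_text)
    rows = []
    for rec in root.findall("record"):
        row = rec.find("row")
        evaluated = row.find("policy_evaluated")
        # The aligned results: DMARC passes if either one is "pass".
        dkim_aligned = evaluated.findtext("dkim") == "pass"
        spf_aligned = evaluated.findtext("spf") == "pass"
        rows.append({
            "source_ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "disposition": evaluated.findtext("disposition"),
            "dmarc_pass": dkim_aligned or spf_aligned,
            "spf_domain": rec.findtext("auth_results/spf/domain"),
            "dkim_domain": rec.findtext("auth_results/dkim/domain"),
        })
    total = sum(r["count"] for r in rows)
    failing = sum(r["count"] for r in rows if not r["dmarc_pass"])
    return {
        "domain": root.findtext("policy_published/domain"),
        "reporter": root.findtext("report_metadata/org_name"),
        "total": total,
        "failing": failing,
        "rows": rows,
    }


def unauthenticated_sources(summary: dict) -> list:
    """IPs that sent mail as the domain without passing DMARC: the list to audit
    before moving from p=none to quarantine or reject."""
    return sorted(r["source_ip"] for r in summary["rows"] if not r["dmarc_pass"])


if __name__ == "__main__":
    summary = summarize_report(SAMPLE_REPORT)
    print(summary["domain"], summary["total"], "messages,", summary["failing"], "failing DMARC")
    print("review these sources:", unauthenticated_sources(summary))
```

In the constructed data the second source passes SPF for unrelated.example, which is exactly the "authenticated but not aligned" case: it counts as a DMARC failure even though the SPF check itself succeeded.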
p=none is monitoring mode. It tells receiving servers to deliver messages normally regardless of whether they pass or fail DMARC checks. The purpose is to collect reports without risking email delivery. It's the recommended starting point for any new DMARC implementation.
DMARC with p=reject can stop phishing emails that spoof your exact domain. However, DMARC cannot prevent lookalike domains (like yourdoma1n.com) or display name spoofing where the attacker uses your name but a different email address.
Relaxed alignment (adkim=r or aspf=r) requires only the organizational domain to match. An email from mail.yourdomain.com aligns with yourdomain.com. Strict alignment (adkim=s or aspf=s) requires an exact domain match. Relaxed is the default and works for most configurations.
After adding or updating your DMARC DNS record, it typically takes 24-48 hours for the change to propagate across all DNS servers. Reports usually start arriving within 24-72 hours of publishing your record, depending on how much email your domain sends.
Your DMARC record is just one piece of email authentication. Make sure your full setup is solid:
ScaledMail handles SPF, DKIM, and DMARC configuration automatically for every inbox. Every domain we set up gets properly authenticated from day one — records are published, alignment is verified, and reporting is configured.