UtilityKit

500+ fast, free tools. Most run in your browser only; Image & PDF tools upload files to the backend when you run them.

DMARC Record Checker

Look up the DMARC TXT record at _dmarc.<domain>, parse every tag (p, sp, pct, rua, ruf, adkim, aspf), and flag missing aggregate report addresses or partial enforcement.

About DMARC Record Checker

The DMARC Record Checker queries the TXT record at _dmarc.<domain> (RFC 7489) and breaks every tag into a tag/value/meaning table. The most important tag is p — the policy — which can be none (monitor only), quarantine (deliver suspect mail to junk), or reject (block at the SMTP layer). The tool also flags two of the most common mistakes: a missing rua aggregate-report address (you cannot see what is failing across the internet) and a pct value below 100 (the policy is only applied to a fraction of failing mail). Tags adkim and aspf control alignment between the visible From: domain and the SPF/DKIM identity. Because Google, Yahoo, and Microsoft now require DMARC for bulk senders, every transactional and marketing domain should publish an enforced record. Use this tool to confirm yours is correctly published and tuned before raising policy strictness.

Why use DMARC Record Checker

  • Resolves the correct _dmarc subdomain automatically — no manual TXT path.
  • Color codes the policy from red (none) to green (reject) so the enforcement level is visible at a glance.
  • Warns when rua is missing, since you need it to receive aggregate failure reports.
  • Warns when pct is below 100, the most common cause of partial DMARC enforcement.
  • Documents every tag in plain English alongside the parsed value.
  • Pairs with our SPF and DKIM checkers for the full sender authentication trio.

How to use DMARC Record Checker

  1. Enter the apex domain you want to inspect — for example, example.com.
  2. Click Check DMARC to fetch the TXT record at _dmarc.example.com.
  3. Review the policy (p) row first — none, quarantine, or reject — color coded by enforcement strength.
  4. Confirm an rua mailto: target is set so you receive aggregate XML reports from receivers.
  5. Verify pct=100 once monitoring is complete; lower values mean partial enforcement.
  6. Cross-check SPF and DKIM with our matching tools so all three protocols align before tightening the policy.

When to use DMARC Record Checker

  • After adopting Google or Yahoo's bulk-sender requirements (Feb 2024 and onward).
  • When migrating from p=none to p=quarantine or p=reject and you need to confirm the change took effect.
  • When inbound mail from a partner domain spoofs your brand and you need to verify their DMARC posture.
  • Before publishing a new sending subdomain to confirm it inherits the parent policy via sp.
  • When debugging Microsoft 365 or Google Workspace inbound rules that depend on DMARC alignment.
  • Periodically as part of an email-security audit alongside SPF, DKIM, BIMI, and MTA-STS reviews.

Examples

Strong production policy

Input: example.com

Output: v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s → policy reject, aggregate reporting on, strict alignment

Monitor-only rollout

Input: newsletter.example.com

Output: v=DMARC1; p=none; rua=mailto:dmarc-rua@example.com; pct=100 → monitor only, all mail sampled

Partial enforcement (warning)

Input: marketing.example.com

Output: v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example.com → only 25% of failing mail quarantined

Tips

  • Always set rua to a monitored mailbox or DMARC-aggregator service — otherwise you are blind to failures.
  • Start with p=none to gather aggregate data, then move to p=quarantine, then p=reject after legitimate mail aligns.
  • Use sp= to set a strict subdomain policy even while the parent stays at p=none during rollout.
  • Strict alignment (adkim=s, aspf=s) is more secure but breaks legitimate forwarding; relaxed (r) is the safer default.
  • ruf forensic reports leak message content to whoever you list — many domains skip ruf entirely for privacy.

Frequently Asked Questions

Is the queried domain sent to any third party?
No. The TXT lookup runs from our backend directly against public DNS. Your domain string is not stored, logged, or sold.
How is this different from a dig command?
Both fetch the same TXT record. This tool tacks on _dmarc. for you, parses every tag, color-codes the policy, and warns about the two most common misconfigurations (missing rua, pct below 100).
How does this compare to mxtoolbox?
Functionally similar for the basic check. Ours is free, signup-free, and renders cleanly on mobile. We don't (yet) parse aggregate XML reports — that's a separate tool.
What does p=none actually do?
Nothing to mail flow. It tells receivers to accept failing mail but still send aggregate reports to the rua address. It's the recommended starting point for any rollout.
Can this detect a misconfigured DMARC alignment?
It surfaces the adkim and aspf modes so you can see whether they are r (relaxed) or s (strict). For full alignment-failure analysis you need to read the aggregate XML reports.
Why is no rua a problem?
Without an rua address, you can publish a DMARC record but never see who is failing or passing it. You're flying blind. A real mailbox or DMARC-as-a-service is mandatory.
What does pct mean and when should I lower it?
pct is the percentage of failing messages the policy is applied to. Lower values are useful during rollout — for example, pct=10 with p=quarantine quarantines 10% of failing mail and treats the rest as p=none.
Does DMARC require both SPF and DKIM to pass?
No. DMARC passes if either SPF or DKIM authenticates and aligns with the visible From: domain. That's why publishing both maximizes deliverability.

Explore the category

SPF Record Checker Look up and parse a domain's SPF DNS record. Validates mechanisms, counts DNS lookups against the RFC 7208 ten-lookup limit, and flags soft/hard fail qualifiers. DKIM Record Checker Fetch a DKIM TXT record at <selector>._domainkey.<domain>, parse the public key tags, infer key length, and warn about short keys, revoked keys, or testing flags. DMARC Record Generator Build a valid DMARC TXT record with policy, percentage, alignment modes, and aggregate or forensic reporting addresses — with live validation, fully in-browser. MX Record Lookup Look up the Mail Exchange (MX) records for any domain to see which mail servers handle its incoming email. Email Header Analyzer Summarize Received chains and auth hints from pasted headers. DNS Propagation Checker Check DNS propagation across multiple global nameservers to see how widely a recent DNS change has spread.
JSON Schema Explained: Validate Your APIs Like a Pro JSON Schema gives you contract-driven validation for any JSON payload. We walk through the spec, the keywords that matter, and how it powers May 2026 · 9 min Content Security Policy (CSP): What It Stops, What It Doesn't CSP is the most powerful XSS defense most sites either don't use or deploy wrong. Here's what it actually stops, what it doesn't, and how to May 2026 · 11 min

Glossary

DMARC
Domain-based Message Authentication, Reporting & Conformance — RFC 7489 — uses SPF and DKIM alignment to prevent visible-From spoofing.
Policy (p)
The enforcement instruction sent to receivers: none, quarantine, or reject. The strongest stance is p=reject.
rua
Aggregate report address — receivers send daily XML reports here listing every IP and authentication result for your domain.
ruf
Forensic / failure report address — receivers send per-message redacted samples for failing mail. Many domains omit this for privacy.
Alignment
The requirement that the visible From: domain match the SPF or DKIM identity. Relaxed (r) lets subdomains match; strict (s) does not.
Subdomain policy (sp)
A per-subdomain DMARC policy that inherits when absent. Useful for locking down sending subdomains while monitoring the parent.