Free DMARC Lookup & Generator Tool — Configure Your Domain's Email Policy
10 min read · Updated April 2026
DMARC is the policy layer that ties SPF and DKIM together and tells receiving servers what to do when authentication fails. Without DMARC, ISPs have no instructions for handling spoofed emails from your domain. Use our free DMARC lookup tool to check your current policy, or the DMARC generator to create one from scratch.
Key Takeaways
- ▸ DMARC tells ISPs what to do when SPF and DKIM fail: nothing (none), spam (quarantine), or block (reject)
- ▸ Google and Yahoo require DMARC for all bulk senders since February 2024
- ▸ Start with p=none, monitor reports, then progress to p=quarantine and p=reject
- ▸ Enable aggregate reports (rua) to see who is sending email using your domain
- ▸ Use the pct tag to gradually roll out stricter policies
Table of Contents
- What Is DMARC and Why Does Every Domain Need It?
- DMARC Policy Levels: none, quarantine, reject
- The Safe DMARC Rollout Strategy
- DMARC Reporting: Understanding rua and ruf
- How to Use the Free DMARC Lookup and Generator Tools
- DMARC Alignment: Strict vs Relaxed
- Google and Yahoo DMARC Requirements
- Frequently Asked Questions
DMARC (Domain-based Message Authentication, Reporting, and Conformance) is the third and final layer of the email authentication stack. While SPF authorizes sending servers and DKIM cryptographically signs each email, DMARC provides the enforcement policy. It tells receiving servers exactly what to do when an email fails authentication — and gives domain owners visibility into who is sending email on their behalf.
What Is DMARC and Why Does Every Domain Need It?
DMARC is a DNS TXT record published at _dmarc.yourdomain.com. It serves two critical functions: it tells receiving mail servers what policy to apply when emails fail SPF and DKIM authentication, and it provides a mechanism for receiving reports about email authentication results.
# Example DMARC record
v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@yourdomain.com; pct=100; adkim=r; aspf=r
Without DMARC, receiving servers have no explicit instructions for handling emails that fail SPF or DKIM checks. They may deliver spoofed emails, route them to spam, or reject them — the behavior is entirely up to each ISP's internal heuristics. DMARC removes this ambiguity by giving domain owners explicit control over failure handling.
For outbound email teams, DMARC is also a compliance requirement. Since February 2024, Google and Yahoo mandate that all bulk senders have a published DMARC record. Domains without DMARC will have their emails throttled or rejected by these providers, regardless of SPF and DKIM status.
DMARC Policy Levels: none, quarantine, reject
The p= tag in your DMARC record defines the policy level. Each level represents a different response to authentication failures:
p=none (Monitor Only)
This policy tells receiving servers to take no action on emails that fail authentication. Emails are delivered normally regardless of authentication results. The purpose of p=none is purely monitoring — you receive aggregate reports showing who is sending email using your domain and whether those emails pass or fail authentication.
When to use: During initial DMARC deployment, or when you are still identifying all legitimate email sources for a domain.
p=quarantine (Route to Spam)
This policy instructs receiving servers to route emails that fail authentication to the spam or junk folder. The email is still delivered, but it is flagged as suspicious. This is a significant step up from p=none because it actively protects your domain from spoofing while still allowing recipients to find misclassified legitimate emails.
When to use: After you have monitored with p=none for 2-4 weeks and confirmed all legitimate sources pass authentication.
p=reject (Block Entirely)
This is the strongest policy level. It tells receiving servers to reject emails that fail authentication outright — they are never delivered to the recipient. This provides maximum protection against domain spoofing but carries risk: if any legitimate email source is not properly configured for SPF/DKIM alignment, those emails will be blocked.
When to use: After running p=quarantine successfully for 2-4 weeks with no legitimate emails being affected.
The Safe DMARC Rollout Strategy
Deploying DMARC too aggressively can block legitimate emails. The recommended rollout strategy uses the pct tag to gradually increase enforcement:
- Week 1-2: p=none — Publish a DMARC record with p=none and rua=mailto:your-reports@domain.com. Monitor aggregate reports to identify all email sources.
- Week 3-4: p=quarantine; pct=25 — Move to quarantine but only apply the policy to 25% of failing emails. This catches major issues without blocking all traffic.
- Week 5-6: p=quarantine; pct=100 — Increase to 100% quarantine. Monitor for any legitimate emails landing in spam.
- Week 7-8: p=reject; pct=25 — Start rejecting, but only 25% of failing emails. This gives you a safety margin during the transition.
- Week 9+: p=reject; pct=100 — Full enforcement. All emails failing authentication are rejected outright.
This phased approach ensures you don't accidentally block legitimate emails. Use the DMARC Generator tool to create records with the correct pct values at each stage of the rollout.
DMARC Reporting: Understanding rua and ruf
DMARC provides two types of reports that give domain owners visibility into email authentication activity:
Aggregate Reports (rua)
Aggregate reports are XML documents sent by receiving mail servers (typically once per day) that summarize authentication results for your domain. They show the volume of emails processed, which IPs sent them, and whether each email passed or failed SPF, DKIM, and DMARC alignment.
You should always enable rua. These reports are the foundation of DMARC monitoring. Without them, you are flying blind — you have no visibility into who is sending email using your domain or whether authentication is working.
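What reading an aggregate report looks like in practice, as an added example that is not code from this page or from Superkabe: the Python below tallies DMARC pass and fail volume per source IP. The sample report is constructed in the RFC 7489 aggregate layout, the IPs are documentation addresses, and the function names are illustrative.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict


def _record(ip, count, dkim, spf):
    # Helper that builds one <record> for the constructed sample below.
    return (f"<record><row><source_ip>{ip}</source_ip><count>{count}</count>"
            f"<policy_evaluated><disposition>none</disposition><dkim>{dkim}</dkim>"
            f"<spf>{spf}</spf></policy_evaluated></row>"
            "<identifiers><header_from>yourdomain.com</header_from></identifiers></record>")


# Constructed sample report (not real data).
SAMPLE_REPORT = (
    '<?xml version="1.0"?><feedback>'
    "<report_metadata><org_name>receiver.example</org_name></report_metadata>"
    "<policy_published><domain>yourdomain.com</domain><p>none</p></policy_published>"
    + _record("192.0.2.10", 120, "pass", "pass")   # fully authenticated source
    + _record("198.51.100.7", 40, "fail", "pass")  # passes DMARC on aligned SPF alone
    + _record("203.0.113.5", 9, "fail", "fail")    # sender you have not authorized
    + _record("203.0.113.5", 3, "fail", "fail")    # same IP reported in a second row
    + "</feedback>"
)


def summarize(xml_text):
    """Per source IP, count messages that passed or failed DMARC."""
    # Reports come from third parties: refuse DTDs so no entities are expanded.
    if "<!DOCTYPE" in xml_text:
        raise ValueError("refusing report that contains a DOCTYPE declaration")
    totals = defaultdict(lambda: {"pass": 0, "fail": 0})
    for rec in ET.fromstring(xml_text).iter("record"):
        row = rec.find("row")
        ev = row.find("policy_evaluated")  # aligned DKIM / SPF results
        ok = "pass" in (ev.findtext("dkim"), ev.findtext("spf"))
        totals[row.findtext("source_ip")]["pass" if ok else "fail"] += int(row.findtext("count"))
    return dict(totals)


def failing_sources(xml_text):
    """IPs with DMARC-failing mail, highest volume first: fix or disown these."""
    rows = [(ip, t["fail"]) for ip, t in summarize(xml_text).items() if t["fail"]]
    return sorted(rows, key=lambda r: -r[1])


if __name__ == "__main__":
    for ip, failed in failing_sources(SAMPLE_REPORT):
        print(f"{ip}: {failed} messages failed DMARC")
```

Every IP this returns is either a legitimate source that still needs SPF or DKIM alignment, or someone spoofing the domain; the list should be empty of legitimate senders before the policy is tightened.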
Forensic Reports (ruf)
Forensic reports (also called failure reports) contain details about individual emails that failed authentication, including header information and sometimes message content. They are useful for diagnosing specific authentication failures.
Note: Many ISPs do not send forensic reports due to privacy concerns. Aggregate reports (rua) are far more widely supported and should be your primary monitoring mechanism.
# DMARC record with both report types
v=DMARC1; p=quarantine; rua=mailto:dmarc-agg@yourdomain.com; ruf=mailto:dmarc-forensic@yourdomain.com; pct=100
How to Use the Free DMARC Lookup and Generator Tools
DMARC Lookup Tool
The DMARC Lookup tool checks your domain's existing DMARC configuration:
- Enter your domain — Type the domain you want to check (e.g., yourdomain.com).
- Run the lookup — The tool queries the TXT record at _dmarc.yourdomain.com.
- Review the results — See your current policy level, reporting addresses, alignment mode, and percentage value.
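The "review the results" step can also be scripted once the TXT value has been fetched. The following is an added example, not the lookup tool's own code: it parses a record, applies the defaults for absent tags, and flags the settings this guide warns about (p=none, partial pct from the rollout stages, missing rua, strict alignment). Function names are illustrative, and treating a missing p= tag as an error is a simplification chosen for auditing.

```python
DEFAULTS = {"adkim": "r", "aspf": "r", "pct": "100"}  # values used when a tag is absent
POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(txt):
    """Split a DMARC TXT value into a tag dict with defaults applied."""
    tags = {}
    for part in txt.split(";"):
        if "=" not in part:
            continue  # tolerate a trailing ';' or empty segment
        name, value = part.split("=", 1)
        tags[name.strip().lower()] = value.strip()
    # v=DMARC1 must be the first tag, otherwise this is not a DMARC record.
    if list(tags)[:1] != ["v"] or tags["v"] != "DMARC1":
        raise ValueError("not a DMARC record: v=DMARC1 must come first")
    if tags.get("p", "").lower() not in POLICIES:
        raise ValueError("missing or invalid p= tag")
    tags["p"] = tags["p"].lower()
    return {**DEFAULTS, **tags}


def audit(txt):
    """Return (tags, findings); an empty findings list means full enforcement settings."""
    tags = parse_dmarc(txt)
    pct = int(tags["pct"])
    if not 0 <= pct <= 100:
        raise ValueError("pct must be between 0 and 100")
    findings = []
    if tags["p"] == "none":
        findings.append("p=none: monitoring only, failing mail is still delivered")
    elif pct < 100:
        findings.append(f"pct={pct}: {tags['p']} applies to only {pct}% of failing mail")
    uris = tags.get("rua", "").split(",")
    if not any(u.strip().lower().startswith("mailto:") for u in uris):
        findings.append("no rua: aggregate reports are not being collected")
    if "s" in (tags["adkim"], tags["aspf"]):
        findings.append("strict alignment: subdomain or third-party senders may fail")
    return tags, findings


if __name__ == "__main__":
    # Constructed sample records, using the placeholder domain from this page.
    for rec in ("v=DMARC1; p=none",
                "v=DMARC1; p=reject; pct=25; rua=mailto:a@yourdomain.com; aspf=s"):
        print(rec, "->", audit(rec)[1])
```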
DMARC Generator Tool
The DMARC Generator tool creates a properly formatted DMARC record:
- Select your policy level — Choose none, quarantine, or reject based on where you are in the rollout process.
- Add reporting addresses — Enter email addresses for aggregate (rua) and optionally forensic (ruf) reports.
- Configure alignment — Choose relaxed (default, recommended) or strict alignment for SPF and DKIM.
- Set the percentage — Specify what percentage of failing emails the policy applies to (default is 100).
- Copy the record — The tool outputs a complete DMARC TXT record ready to publish at _dmarc.yourdomain.com.
DMARC Alignment: Strict vs Relaxed
DMARC alignment determines how strictly the domain in the From header must match the domain that passed SPF or DKIM. There are two modes:
Relaxed Alignment (adkim=r; aspf=r)
Relaxed alignment allows the organizational domain (e.g., yourdomain.com) to match, even if the specific subdomain differs. For example, an email from mail.yourdomain.com would align with DKIM signed by yourdomain.com. This is the default mode and is recommended for most outbound teams because it accommodates subdomains and third-party sending services.
Strict Alignment (adkim=s; aspf=s)
Strict alignment requires an exact domain match. The From header domain must exactly match the domain used in SPF or DKIM. This provides stronger spoofing protection but can cause legitimate emails to fail alignment if you use subdomains or third-party services that sign with a different domain.
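The two modes side by side, as an added example that is not part of the original page: the code evaluates DMARC alignment for a From domain against the domains that passed SPF and DKIM. The small suffix set is a constructed stand-in for the Public Suffix List that real receivers use to find the organizational domain, and esp.example is a hypothetical third-party sender.

```python
# Constructed stand-in for the Public Suffix List; real checks need the full list.
PUBLIC_SUFFIXES = {"com", "org", "co.uk"}


def org_domain(domain):
    """Organizational domain: the longest matching public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])  # assumption: an unlisted suffix is a single label


def aligned(from_domain, auth_domain, mode="r"):
    """mode 'r' compares organizational domains, mode 's' requires an exact match."""
    a = from_domain.lower().rstrip(".")
    b = auth_domain.lower().rstrip(".")
    return a == b if mode == "s" else org_domain(a) == org_domain(b)


def dmarc_pass(from_domain, spf=None, dkim=None, aspf="r", adkim="r"):
    """spf / dkim: the domain that passed that check, or None if the check failed.

    DMARC passes when at least one passing mechanism is aligned with From.
    """
    spf_ok = spf is not None and aligned(from_domain, spf, aspf)
    dkim_ok = dkim is not None and aligned(from_domain, dkim, adkim)
    return spf_ok or dkim_ok


if __name__ == "__main__":
    # Subdomain From, DKIM signed by the parent domain: relaxed passes, strict fails.
    print(dmarc_pass("mail.yourdomain.com", dkim="yourdomain.com"))
    print(dmarc_pass("mail.yourdomain.com", dkim="yourdomain.com", adkim="s"))
    # Third-party service passes SPF and DKIM for its own domain: nothing is aligned.
    print(dmarc_pass("yourdomain.com", spf="bounce.esp.example", dkim="esp.example"))
```

The third call is the case that usually surfaces during p=none monitoring: the message is fully authenticated for the provider's domain, yet fails DMARC until the provider signs with or bounces to a domain under yours.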
Google and Yahoo DMARC Requirements
Since February 2024, Google and Yahoo enforce specific email authentication requirements for bulk senders. These requirements are not optional — non-compliance results in throttling and rejection of your emails. Here is what you need:
Requirements for All Senders
Additional Requirements for Bulk Senders (5,000+ emails/day)
- ● DMARC alignment must pass (SPF or DKIM domain aligns with From header)
- ● One-click unsubscribe support in marketing emails
- ● Spam complaint rate below 0.3% (target below 0.1%)
For outbound email teams, this means every sending domain must have SPF, DKIM, and DMARC configured. Use our complete authentication checker to verify all three protocols at once across all your domains.
Frequently Asked Questions
What is the difference between DMARC p=none, p=quarantine, and p=reject?
p=none tells receiving servers to take no action on failing emails — it is monitoring only. p=quarantine instructs servers to route failing emails to spam. p=reject tells servers to block failing emails entirely. Start with none, progress to quarantine, and eventually to reject.
Is DMARC required for email sending in 2024 and beyond?
Yes. Since February 2024, Google and Yahoo require all bulk senders to have a DMARC record published. Even senders below the bulk threshold benefit from DMARC because it provides ISPs with a clear policy, which positively influences inbox placement decisions.
What are DMARC aggregate reports (rua) and why should I enable them?
Aggregate reports (rua) are XML reports from receiving mail servers showing who is sending email using your domain and whether those emails pass authentication. They are essential for identifying unauthorized senders, diagnosing failures, and verifying your setup before tightening your policy. Always enable rua.
What is DMARC alignment and why does it matter?
DMARC alignment means the From header domain must match the domain that passed SPF or DKIM. There are two modes: strict (exact match) and relaxed (organizational domain match, allowing subdomains). Relaxed alignment is the default and recommended for most outbound teams.
How long should I stay on p=none before moving to p=quarantine?
Monitor with p=none for 2-4 weeks while reviewing aggregate reports. Once all legitimate email sources pass authentication, move to p=quarantine. After another 2-4 weeks with no issues, progress to p=reject. Use the pct tag to roll out gradually.
Can I apply DMARC to only a percentage of my emails?
Yes. The pct tag specifies the percentage of failing emails to which the policy applies. For example, pct=25 means only 25% of failing emails will be quarantined or rejected. Start with 25%, increase to 50%, then 100% once confident.
Stop Managing DMARC Manually
The free DMARC tools help you check and create records, but outbound teams running multiple domains need continuous policy monitoring. Superkabe tracks DMARC policies across all your sending domains, alerts you when policies are too permissive, and monitors aggregate report data to catch authentication failures before they compound.
How Superkabe prevents this problem
Superkabe continuously monitors DMARC policies across all your sending domains. When a domain is missing DMARC, has a policy that is too permissive for its maturity level, or shows authentication failures in aggregate report data, Superkabe flags the issue and recommends the appropriate policy progression.