DMARC Record Lookup

Enter any domain to check its DMARC policy. See the enforcement level, reporting addresses, alignment settings, and get actionable recommendations to strengthen your email authentication.

Domain Name

What is a DMARC Record?

DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an email authentication protocol that builds on SPF and DKIM. It lets domain owners publish a policy in DNS that tells receiving mail servers what to do when an email fails authentication checks.

A DMARC record is a TXT record published at _dmarc.yourdomain.com. It specifies your preferred policy (none, quarantine, or reject), where to send aggregate and forensic reports, and how strictly SPF and DKIM domains must align with the From header.

Without DMARC, receiving servers have no guidance on handling emails that fail SPF or DKIM. Attackers can freely spoof your domain, and you have no visibility into who is sending email on your behalf.

DMARC Policy Levels

p=none

Monitor Only

Failing emails are delivered normally. You receive reports but no emails are blocked. This is the starting point for DMARC rollout.

p=quarantine

Quarantine

Failing emails are sent to the spam or junk folder. Legitimate email still gets through if properly authenticated, while spoofed email is flagged.

p=reject

Reject

Failing emails are blocked entirely and never reach the recipient. This is the strongest enforcement level and the ultimate goal of DMARC deployment.

DMARC Tags Explained

pRequired

Policy for the domain. Tells receivers what to do with failing emails: none, quarantine, or reject.

sp

Subdomain policy. Overrides the main policy for subdomains. If omitted, subdomains inherit the p= value.

rua

Aggregate report URI. Comma-separated mailto: addresses that receive daily XML reports summarizing DMARC results.

ruf

Forensic report URI. Addresses that receive detailed reports for individual failing messages. Not all providers send these.

adkim

DKIM alignment mode. "r" (relaxed) allows subdomain matching; "s" (strict) requires exact domain match. Default: relaxed.

aspf

SPF alignment mode. "r" (relaxed) allows subdomain matching; "s" (strict) requires exact domain match. Default: relaxed.

pct

Percentage of messages the policy applies to (1-100). Useful for gradual rollout. Default: 100.

fo

Failure reporting options. "0" = report if all fail, "1" = report if any fails, "d" = DKIM failure, "s" = SPF failure. Default: 0.

rf

Report format for forensic reports. Usually "afrf" (Authentication Failure Reporting Format). Default: afrf.

ri

Reporting interval in seconds. Requested time between aggregate reports. Default: 86400 (24 hours).

Recommended DMARC Rollout Path

Start with p=none

Publish v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com to begin collecting reports without affecting email delivery. Monitor reports for 2-4 weeks to identify all legitimate sending sources.

Move to p=quarantine

Once all legitimate senders pass SPF and DKIM alignment, switch to p=quarantine. Consider using pct=25 initially and gradually increasing to 100%.

Enforce with p=reject

After confirming quarantine causes no legitimate email loss, upgrade to p=reject for full protection. This blocks all unauthenticated email from your domain.

Frequently Asked Questions

What is a DMARC record?

A DMARC (Domain-based Message Authentication, Reporting, and Conformance) record is a DNS TXT record published at _dmarc.yourdomain.com. It tells receiving mail servers what to do with emails that fail SPF and DKIM authentication checks — deliver them, quarantine them, or reject them entirely.

Why is DMARC important for email deliverability?

DMARC prevents domain spoofing by giving you control over what happens when someone sends unauthorized email using your domain. Without DMARC, attackers can impersonate your domain freely, and mailbox providers have no policy to follow. A properly configured DMARC record also improves your domain reputation, which directly impacts inbox placement rates.

What is the difference between p=none, p=quarantine, and p=reject?

p=none is monitor-only mode — failing emails are still delivered, but you receive reports. p=quarantine tells receivers to send failing emails to spam or junk. p=reject instructs receivers to block failing emails entirely. Most domains should start at p=none, analyze reports, then gradually move to p=quarantine and eventually p=reject.

How long does it take for DMARC changes to take effect?

DMARC records are DNS TXT records, so changes propagate based on your TTL (Time to Live) setting. Most changes take effect within 1 to 48 hours. During this time, different receivers may see different versions of your record depending on their DNS cache.

Can I have DMARC without SPF and DKIM?

Technically you can publish a DMARC record without SPF or DKIM, but it will not be effective. DMARC relies on at least one of these authentication methods passing and aligning with your From domain. For the strongest protection, configure both SPF and DKIM before enforcing DMARC.

What are DMARC aggregate reports (rua) and forensic reports (ruf)?

Aggregate reports (rua) are XML summaries sent daily by receiving servers, showing how many emails passed or failed DMARC checks. Forensic reports (ruf) contain details about individual failing messages, including headers. Aggregate reports are essential for monitoring; forensic reports provide deeper debugging but are not sent by all providers due to privacy concerns.

Related Tools

DMARC Generator

Generate a DMARC record with your preferred policy, reporting addresses, and alignment settings.

SPF Lookup

Check if your domain has a valid SPF record and see authorized sending servers.

DKIM Lookup

Verify your DKIM DNS record is published correctly and check the public key.

Monitor DMARC Across All Your Domains

Superkabe continuously monitors SPF, DKIM, and DMARC records across all your sending domains. Get alerted when records change or misconfigurations are detected.

Start free trial