Deliverability Score

Free tool · No signup

Free DMARC record checker

Check your DMARC policy, parse your reporting setup, and find out if your domain is actually protected from spoofing.

Results in 5 seconds · 100% free

Primer

What is DMARC?

DMARC stands for Domain-based Message Authentication, Reporting and Conformance. It's the third pillar of modern email authentication, building directly on top of SPF and DKIM. By itself, SPF tells receivers which IPs can send for your domain, and DKIM cryptographically signs each message — but neither one tells the receiver what to do when those checks fail. DMARC fills that gap with an explicit policy directive and a feedback loop.

The difference DMARC makes is the difference between “your authentication failed” and “your authentication failed and the email got delivered anyway”. A receiver seeing failing SPF/DKIM without DMARC has to guess at the right action; with DMARC, you tell it explicitly — do nothing (p=none), send to spam (p=quarantine), or reject outright (p=reject). DMARC also requires alignment: the domain DKIM signed and the domain in SPF must match the visible From: header, which closes the loophole that lets spoofers fake the part users actually see.

Since February 2024, Gmail and Yahoo require DMARC for any sender pushing more than 5,000 messages per day. Microsoft followed with similar enforcement for Outlook.com bulk senders. Domains without a DMARC record are routinely throttled and increasingly filtered into spam, regardless of content quality or how clean SPF and DKIM look individually.

A DMARC record is a TXT record at _dmarc.yourdomain.com that specifies the policy (p=), the percentage of mail it applies to (pct=), aggregate report destinations (rua=), subdomain policy (sp=) and alignment requirements for DKIM (adkim=) and SPF (aspf=). The recommended progression for most senders is: start at p=none for monitoring (2–4 weeks), graduate to p=quarantine once SPF and DKIM are clean, then move to p=reject once you've seen weeks of clean aggregate reports.

Anatomy

How to read your DMARC record

A well-tuned DMARC record packs policy, enforcement percentage, reporting and alignment into one TXT entry. Here's what each tag does.

Example record

v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc@yourdomain.com; sp=reject; adkim=s; aspf=s
v=DMARC1

Version tag. Always exactly v=DMARC1 — case-sensitive, and the only valid value.

p=quarantine

Policy: what receivers should do with mail that fails DMARC. p=none (monitor only), p=quarantine (send to spam), or p=reject (block entirely).

pct=100

Percentage of failing mail the policy applies to. Defaults to 100. Lower values let you ramp up enforcement gradually (pct=10, then 25, then 50).

rua=mailto:dmarc@yourdomain.com

Aggregate report address. Receivers send daily XML reports here showing who's sending as you and whether SPF/DKIM passed.

sp=reject

Subdomain policy. Without sp=, subdomains inherit the main policy, but setting it explicitly prevents subdomain spoofing gaps.

adkim=s

DKIM alignment mode. s = strict (exact domain match required); r = relaxed (subdomain match allowed). Relaxed is the safer default for most senders.

aspf=s

SPF alignment mode. Same s/r options as adkim. Strict requires the SPF-authenticated domain to exactly match the From: domain.

Common pitfalls

Common DMARC mistakes

Stuck at p=none forever

p=none only monitors — it doesn't actually protect anyone from spoofing. Most domains publish p=none on day one and never graduate, which gives a false sense of security. p=quarantine or p=reject is the only configuration that actually blocks spoofed mail.

No rua reporting address

Without aggregate reports (rua=), you have no visibility into who's sending mail using your domain. You can't see whether your ESPs are authenticating cleanly, you can't catch spoofers impersonating you, and you can't safely graduate policy because you're flying blind.

Setting p=reject too early

Jumping to p=reject before SPF and DKIM are aligned across every legitimate sender kills real mail. Customer notifications bounce, ESP messages get blocked, internal forwarders break. Stay at p=none until reports are clean, ramp up p=quarantine with pct= step-ups, then move to p=reject.

Misaligned DKIM domain

Your ESP might sign with its own domain (dkim.esp.com) instead of yours. Even with valid DKIM, DMARC fails because the signing domain doesn't align with the visible From: address. Fix it by configuring branded DKIM — your ESP gives you a CNAME to publish at selector._domainkey.yourdomain.com.

Forgetting sp= for subdomains

By default, your main domain's policy applies to subdomains, but you should set sp= explicitly. Without it, a misconfigured subdomain (notice.yourdomain.com) becomes an easy target for spoofers, and the main-domain policy doesn't always inherit cleanly across every receiver.

The full picture

Want the full picture?

DMARC is one of six checks in our complete deliverability audit. See your SPF, DKIM, DMARC, BIMI, blacklists and tracking domain all at once.

Run free audit

FAQ

Frequently asked questions

What's the difference between p=none, p=quarantine, and p=reject?
p=none is monitor-only mode — receivers report authentication failures but deliver mail normally. p=quarantine asks receivers to send unauthenticated mail to spam. p=reject asks receivers to block unauthenticated mail entirely. The recommended path is to start at p=none for 2–4 weeks while you collect aggregate reports and confirm your legitimate senders, then graduate to p=quarantine, then to p=reject.
How do I read DMARC aggregate reports?
Aggregate reports (RUA) arrive daily as XML files showing which servers sent mail using your domain and whether SPF/DKIM passed. Raw XML is dense, so most teams use a tool like Postmark's DMARC Digests, Valimail Monitor, or EasyDMARC to parse them into readable summaries. Look for unfamiliar source IPs (potential spoofers) and legitimate senders that are failing (gaps in your SPF or DKIM setup).
Do I need both SPF and DKIM for DMARC to work?
You need at least one. DMARC passes when EITHER SPF or DKIM passes AND is aligned with the From: domain. In practice you want both — SPF can break on email forwarding while DKIM survives it, so having both gives you redundancy. Most ESPs configure both by default.
What's the safest way to move from p=none to p=reject?
Stay at p=none until aggregate reports show 100% of your legitimate mail authenticating cleanly. Then move to p=quarantine with pct=10 (apply quarantine to only 10% of failing mail) and ratchet up: pct=25, pct=50, pct=100 over 2–4 weeks each. Only after a full month at p=quarantine pct=100 with clean reports should you move to p=reject.
What's DMARC alignment (relaxed vs strict)?
Alignment means the domain that authenticated (via SPF or DKIM) must match the domain in the visible From: header. Strict (s) requires an exact match; relaxed (r — the default) allows subdomains to match the organizational domain. For most senders, relaxed is correct because ESPs often sign with subdomains.
Why is my DMARC failing even though SPF and DKIM pass?
The most common cause is alignment. Your DKIM might validly sign as dkim.esp.com, but if your From: is you@yourdomain.com, the domains don't align and DMARC fails. Fix it by configuring your ESP to DKIM-sign with your own domain — they give you a CNAME to publish at selector._domainkey.yourdomain.com.
Do I need DMARC if I have SPF and DKIM?
Yes. SPF and DKIM by themselves don't tell receivers what to do when authentication fails. Without DMARC, a spoofed email that fails SPF and DKIM can still be delivered. DMARC closes that gap, and Gmail and Yahoo now require it for bulk senders regardless of how well your SPF and DKIM are set up.
What happens if I don't have DMARC in 2026?
Bulk senders without DMARC are throttled and filtered to spam at Gmail, Yahoo and Outlook.com — even legitimate, well-authenticated mail. For senders under the 5,000-per-day bulk threshold, missing DMARC is still a meaningful negative signal that hurts inbox placement and leaves your domain open to spoofing campaigns that damage reputation downstream.

Related tools

Keep auditing

SPF checker

Validate SPF and count DNS lookups.

DKIM checker

Find DKIM keys across common selectors.

Blacklist check

Scan against major DNSBL providers.