Skip to main content
New SPF lookups must resolve in milliseconds — why a DMARC tool's add-on isn't enough Learn Why → →

Free DMARC Record Checker

Validate your DMARC policy, check alignment settings, verify reporting configuration, and detect duplicate records or missing authorization.

Up to 90% of security breaches start with phishing emails

Check Your DMARC Record

Enter your domain to analyze your DMARC configuration and get actionable insights.

What is a DMARC Record?

A DMARC (Domain-based Message Authentication, Reporting & Conformance) record is a DNS entry that instructs receiving mail servers on how to handle emails that don't pass SPF or DKIM authentication checks. Think of it as a digital bouncer - ensuring only legitimate emails make it to your recipients' inboxes.

Without a DMARC record, anyone could impersonate your domain and send malicious emails. DMARC ties together SPF and DKIM into a unified policy, giving you control over what happens when authentication fails and providing visibility through aggregate and forensic reports.

Record Anatomy

Components of a DMARC Record

Version

Always v=DMARC1

Identifies this as a DMARC record.

Policy (p=)

none | quarantine | reject

How to handle emails that fail authentication.

Subdomain Policy (sp=)

Separate policy for subdomains

Optionally apply different rules to subdomains.

Aggregate Reports (rua=)

mailto:reports@example.com

Where to send summary authentication reports.

Forensic Reports (ruf=)

mailto:failures@example.com

Where to send detailed failure reports.

Alignment (adkim/aspf)

s (strict) | r (relaxed)

How strictly DKIM/SPF domains must match the From header.

Example DMARC record:

v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; ruf=mailto:dmarc-failures@example.com; adkim=s; aspf=s;
Step by Step

Creating Your DMARC Record

1

Ensure SPF and DKIM are configured

DMARC builds on SPF and DKIM. Before creating a DMARC record, verify that both are properly set up for your domain. Use our free SPF checker to validate your SPF record.

2

Choose a policy

Start with p=none to monitor email traffic without affecting delivery. Once you're confident, move to quarantine or reject for full enforcement.

3

Define reporting addresses

Set up aggregate (rua) and forensic (ruf) report destinations to gain visibility into your email authentication landscape.

4

Specify alignment and publish

Choose strict or relaxed alignment for SPF and DKIM. Then add the record as a TXT entry at _dmarc.yourdomain.com in your DNS.

5

Verify and monitor

Use a DMARC testing tool to confirm your record is published correctly. Regularly review reports and adjust your policy as you gain confidence in your authentication setup.

Benefits

Why Use a DMARC Generator?

Eliminate Syntax Errors

Generators ensure proper formatting, avoiding the misconfigurations that can silently break email authentication.

Save Time

Implementation time is reduced by up to 50% compared to manually crafting DMARC records from scratch.

Customization

Tailor policies for subdomains, set reporting preferences, and choose alignment modes to fit your organization's needs.

Reduce Phishing by up to 99%

Enforcing a reject policy can virtually eliminate domain impersonation in phishing attacks.

Reading Your Results

Understanding Your DMARC Check Results

Running a DMARC check pulls the _dmarc TXT record for your domain and breaks down what it tells receivers to do. Here is how to read that result and act on the parts that matter most.

How to Read Your DMARC Check Results

The checker reports four things: whether a valid v=DMARC1 record exists, the enforcement policy (p=), the alignment mode for SPF and DKIM, and where reports are sent (rua/ruf). A healthy result has one record, a policy stronger than none, and at least an aggregate reporting address so you have visibility into who is sending as your domain.

The Three DMARC Policies: none, quarantine, reject

  • p=none - monitor only. Failing mail is still delivered; you just collect reports. This is the starting point, not the destination.
  • p=quarantine - failing mail is sent to spam/junk. The first real enforcement step.
  • p=reject - failing mail is blocked outright. This is the goal, and what stops domain impersonation.

The right rollout is nonequarantinereject, moving up only once your reports show every legitimate sender passing. Staying on p=none indefinitely is the most common DMARC mistake - it offers no protection at all.

SPF and DKIM Alignment: Why DMARC Fails Even When SPF Passes

DMARC doesn't just check that SPF or DKIM passed - it checks that they align with the domain in the visible From address. A message can pass SPF for the sending service's own domain yet still fail DMARC because that domain doesn't match your From header. The aspf and adkim tags control how strict that match must be: r (relaxed) allows subdomains, s (strict) requires an exact match. When a valid SPF record still fails DMARC, misalignment is almost always the reason - and a passing, aligned SPF record depends on your SPF being correct in the first place.

Common DMARC Misconfigurations

  • No record, or wrong host. The record must live at _dmarc.yourdomain.com, not the apex.
  • Two DMARC records. Only one is allowed; a second invalidates both.
  • Stuck on p=none. Monitoring forever provides zero enforcement.
  • No rua address. Without aggregate reports you're enforcing blind.

Aggregate vs Forensic Reports

Aggregate reports (rua) are daily XML summaries of every source sending as your domain and whether they passed - this is where you find unauthorized senders and confirm your own are aligned. Forensic reports (ruf) capture individual failing messages for deeper investigation. To turn the raw XML into something readable, our sister product DMARC Report parses and visualizes it for you.

DMARC, SPF, and DKIM Work Together

DMARC is the policy layer on top of two checks: SPF (the sending server) and DKIM (a signature proving the message wasn't altered). Because DMARC enforcement requires a passing, aligned SPF result, keeping your SPF record valid and under the 10-lookup limit is foundational - AutoSPF handles that automatically. Read the full picture in our DMARC guide.

DMARC needs SPF - and SPF needs AutoSPF

DMARC alignment requires a passing SPF check. AutoSPF keeps your SPF record optimized and within the 10-lookup limit automatically.

Rated 5/5 on G2 · Trusted since 2018

What Our Customers Say

"AutoSPF Flattens SPF Records Seamlessly & Keeps Changes Logged - I am quite pleased with the product"

It does what it promises to do, and does it very well. I appreciate that it keeps a log of changes made, which prevents many mistakes. A client's SPF record would have way too many lookups, but AutoSPF makes that problem go away. The length of the SPF record is typically not the issue; it's the amount of lookups in the record that are. AutoSPF "flattens" the record, automatically expanding the defined lookups to IP addresses or ranges. And it auto-updates the record when the un-flattened lookups change.
PJ

Peter J.

President · Small-Business (50 or fewer emp.)

"Helped us go beyond capacity"

AutoSPF did exactly as described, it helped us get past our 10 lookup limit. Afterwards, we hit another limit regarding overall capacity and when contacted, they quickly provided us with a new solution to eliminate capacity issues entirely going forward, so now we can add as many SPF records as needed. They also provided us with a personalized support video explaining their new method in its entirety using our instance as the example.
VU

Verified User

Financial Services · Mid-Market (51-1000 emp.)