Running a DMARC check pulls the _dmarc TXT record for your domain and breaks down what it tells receivers to do. Here is how to read that result and act on the parts that matter most.
How to Read Your DMARC Check Results
The checker reports four things: whether a valid v=DMARC1 record exists, the enforcement policy (p=), the alignment mode for SPF and DKIM, and where reports are sent (rua/ruf). A healthy result has one record, a policy stronger than none, and at least an aggregate reporting address so you have visibility into who is sending as your domain.
The Three DMARC Policies: none, quarantine, reject
p=none- monitor only. Failing mail is still delivered; you just collect reports. This is the starting point, not the destination.p=quarantine- failing mail is sent to spam/junk. The first real enforcement step.p=reject- failing mail is blocked outright. This is the goal, and what stops domain impersonation.
The right rollout is none → quarantine → reject, moving up only once your reports show every legitimate sender passing. Staying on p=none indefinitely is the most common DMARC mistake - it offers no protection at all.
SPF and DKIM Alignment: Why DMARC Fails Even When SPF Passes
DMARC doesn't just check that SPF or DKIM passed - it checks that they align with the domain in the visible From address. A message can pass SPF for the sending service's own domain yet still fail DMARC because that domain doesn't match your From header. The aspf and adkim tags control how strict that match must be: r (relaxed) allows subdomains, s (strict) requires an exact match. When a valid SPF record still fails DMARC, misalignment is almost always the reason - and a passing, aligned SPF record depends on your SPF being correct in the first place.
Common DMARC Misconfigurations
- No record, or wrong host. The record must live at
_dmarc.yourdomain.com, not the apex. - Two DMARC records. Only one is allowed; a second invalidates both.
- Stuck on
p=none. Monitoring forever provides zero enforcement. - No
ruaaddress. Without aggregate reports you're enforcing blind.
Aggregate vs Forensic Reports
Aggregate reports (rua) are daily XML summaries of every source sending as your domain and whether they passed - this is where you find unauthorized senders and confirm your own are aligned. Forensic reports (ruf) capture individual failing messages for deeper investigation. To turn the raw XML into something readable, our sister product DMARC Report parses and visualizes it for you.
DMARC, SPF, and DKIM Work Together
DMARC is the policy layer on top of two checks: SPF (the sending server) and DKIM (a signature proving the message wasn't altered). Because DMARC enforcement requires a passing, aligned SPF result, keeping your SPF record valid and under the 10-lookup limit is foundational - AutoSPF handles that automatically. Read the full picture in our DMARC guide.