How to Check Your DMARC Record (Step-by-Step Guide)
Learn how to check, validate, and fix your DMARC record using free tools. Includes DNS lookup steps, policy levels, alignment explained, and enforcement best practices.
DMARC (Domain-based Message Authentication, Reporting, and Conformance) is a DNS-based email authentication protocol that protects your domain from spoofing and phishing. If your DMARC record is missing or set to p=none, attackers can send emails impersonating your domain — and mail clients will deliver them.
This guide shows you exactly how to check your DMARC record, interpret what it means, and move toward full enforcement.
What Is a DMARC Record?
A DMARC record is a TXT record published in your DNS at _dmarc.yourdomain.com. It tells receiving mail servers what to do when they receive a message claiming to be from your domain that fails SPF or DKIM authentication.
A complete DMARC record looks like this:
v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com; pct=100; adkim=s; aspf=s
The key tags:
| Tag | Values | Meaning |
|---|---|---|
| v | DMARC1 | Version — always required, always first |
| p | none, quarantine, reject | Policy for failing mail |
| rua | mailto:... | Where to send aggregate reports |
| ruf | mailto:... | Where to send forensic reports |
| pct | 0–100 | Percentage of mail to apply policy to |
| adkim | r (relaxed), s (strict) | DKIM alignment mode |
| aspf | r (relaxed), s (strict) | SPF alignment mode |
How to Check Your DMARC Record with dig
The fastest way to look up a DMARC record is with dig on macOS or Linux:
dig TXT _dmarc.yourdomain.com +short
Replace yourdomain.com with the domain you're checking. Expected output:
"v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com"
If you get no output, the DMARC record is missing entirely — your domain is wide open to spoofing.
Checking DMARC on Windows (nslookup)
nslookup -type=TXT _dmarc.yourdomain.com
Look for a line starting with v=DMARC1 in the output. If there is no such line, DMARC is not configured.
Understanding the Three DMARC Policy Levels
p=none — Monitor Only
Email that fails DMARC is delivered as normal. You only receive reports at your rua address. Use this when you're first deploying DMARC to map all legitimate mail sources before enforcing anything.
Problem: Many organizations set p=none and never move beyond it. This provides zero protection — anyone can still spoof your domain.
p=quarantine — Soft Enforcement
Failing mail is sent to the recipient's spam/junk folder. A good stepping stone before full rejection.
p=reject — Full Enforcement
Failing mail is rejected at the server level — it never reaches the recipient's inbox or spam folder. This is the gold standard and what both Google and Yahoo now require for bulk senders sending more than 5,000 messages per day.
What Is DMARC Alignment?
DMARC doesn't just require SPF or DKIM to pass — it requires them to align with the From: domain.
- SPF alignment: The domain in the Return-Path header must match the From: domain (relaxed: same organizational domain; strict: exact match)
- DKIM alignment: The d= tag in the DKIM signature must match the From: domain (same relaxed/strict rules)
If neither SPF nor DKIM aligns with the From: domain, DMARC fails — even if both SPF and DKIM individually passed for other domains.
This is the most common reason legitimate mail fails DMARC: a third-party sender (Mailchimp, Salesforce, SendGrid) doesn't align their signing domain with your From: domain.
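The alignment rules above, worked through in code. This is an added example, not code from the original guide: it evaluates a message's SPF and DKIM results against the From: domain in relaxed (r) and strict (s) mode and shows why a third-party sender signing with its own domain fails DMARC even though SPF and DKIM both pass. The sample messages are constructed, and the organizational-domain helper is a deliberate simplification (last two labels; a real validator uses the Public Suffix List, so multi-label suffixes such as .co.uk are not handled here).

```python
from dataclasses import dataclass


def organizational_domain(domain: str) -> str:
    """Approximate the organizational domain as the last two DNS labels.

    Assumption for this example only; production code should consult the
    Public Suffix List instead.
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: 's' needs an exact match, 'r' needs the same organizational domain."""
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    if mode == "s":
        return a == f
    if mode == "r":
        return organizational_domain(a) == organizational_domain(f)
    raise ValueError(f"unknown alignment mode {mode!r}")


@dataclass
class AuthResult:
    """Authentication results for one message (constructed for the example)."""
    from_domain: str       # domain of the RFC5322 From: header
    spf_passed: bool
    spf_domain: str        # domain of the Return-Path (MAIL FROM) that SPF checked
    dkim_passed: bool
    dkim_domain: str       # d= tag of the DKIM signature that verified


def dmarc_evaluate(r: AuthResult, adkim: str = "r", aspf: str = "r") -> dict:
    """DMARC passes if at least one of SPF or DKIM both passed AND aligns with From:."""
    spf_ok = r.spf_passed and aligned(r.spf_domain, r.from_domain, aspf)
    dkim_ok = r.dkim_passed and aligned(r.dkim_domain, r.from_domain, adkim)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok, "dmarc_pass": spf_ok or dkim_ok}


# Constructed sample messages; domain names are placeholders.
SAMPLES = {
    # Mail sent directly from the domain: both identifiers match From: exactly.
    "direct": AuthResult("example.com", True, "example.com", True, "example.com"),
    # Bounces come from a subdomain: aligns only under relaxed mode.
    "subdomain_bounce": AuthResult("example.com", True, "bounce.example.com", False, ""),
    # Third-party ESP passes SPF and DKIM for ITS domain, so nothing aligns with From:.
    "third_party_esp": AuthResult("example.com", True, "bounce.esp-sender.example",
                                  True, "esp-sender.example"),
}


def evaluate_samples(adkim: str = "r", aspf: str = "r") -> dict:
    """Map each sample name to its overall DMARC result under the given alignment modes."""
    return {name: dmarc_evaluate(r, adkim, aspf)["dmarc_pass"] for name, r in SAMPLES.items()}


if __name__ == "__main__":
    for mode in ("r", "s"):
        print(f"adkim={mode} aspf={mode}:", evaluate_samples(mode, mode))
```

Running it shows the subdomain bounce passing only under relaxed alignment, and the third-party ESP failing under both modes until it signs with a key whose d= is your domain (or uses a Return-Path under your domain).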
Common DMARC Record Errors
1. DMARC record is missing
No TXT record exists at _dmarc.yourdomain.com. Add one immediately, even if just v=DMARC1; p=none; rua=mailto:you@yourdomain.com.
2. Policy permanently stuck at none
Monitoring only. Move to quarantine after 30 days of clean reports, then reject after another 30 days.
3. Wrong DNS hostname
The record must be at _dmarc.yourdomain.com. Common mistake: publishing at yourdomain.com or dmarc.yourdomain.com.
4. No rua address
Without aggregate reports you're flying blind. Always include rua=mailto:your-dmarc-inbox.
5. SPF or DKIM not configured
DMARC requires at least one to pass and align. If neither is set up for your sending sources, all your legitimate outbound mail will also fail DMARC.
6. Subdomain not covered
Sub-domains inherit the root DMARC policy unless they have their own record or you use the sp= tag. Attackers often spoof subdomains if they're not covered.
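A small DMARC record linter that ties the tag table to the error list above. This is an added example, not code from the original guide: it parses a TXT value into tags, then reports the record being missing, published at the wrong hostname, stuck at p=none, lacking rua, carrying out-of-range or invalid tag values, or covering subdomains with a weaker sp= than p=. The hostnames and records in SAMPLES are constructed, and the "error"/"warn" severities are this example's own labels. Fetching the TXT value with dig or nslookup as shown earlier is left to the caller.

```python
VALID_POLICIES = {"none", "quarantine", "reject"}
POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}


def parse_dmarc(txt: str) -> list:
    """Split 'v=DMARC1; p=reject; ...' into ordered (tag, value) pairs; tags are lowercased."""
    pairs = []
    for part in txt.strip().strip('"').split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        tag, value = part.split("=", 1)
        pairs.append((tag.strip().lower(), value.strip()))
    return pairs


def lint_dmarc(hostname: str, txt) -> list:
    """Return (severity, message) findings for a DMARC record.

    hostname is the DNS name the TXT record was fetched from; txt is the TXT
    value, or None when the lookup returned nothing. An empty list means clean.
    """
    findings = []
    if not hostname.lower().startswith("_dmarc."):
        findings.append(("error", f"record published at {hostname}; it must live at _dmarc.<domain>"))
    if not txt:
        findings.append(("error", "no DMARC record found: the domain is open to spoofing"))
        return findings
    try:
        pairs = parse_dmarc(txt)
    except ValueError as exc:
        return findings + [("error", str(exc))]
    if not pairs or pairs[0] != ("v", "DMARC1"):
        findings.append(("error", "v=DMARC1 must be the first tag"))
    tags = dict(pairs)

    p = tags.get("p")
    if p is None:
        findings.append(("error", "p= tag is required"))
    elif p not in VALID_POLICIES:
        findings.append(("error", f"invalid policy p={p}"))
    elif p == "none":
        findings.append(("warn", "p=none is monitor-only and blocks nothing"))

    if "rua" not in tags:
        findings.append(("warn", "no rua= address: you will receive no aggregate reports"))
    else:
        for uri in tags["rua"].split(","):
            if not uri.strip().startswith("mailto:"):
                findings.append(("error", f"rua entry is not a mailto: URI: {uri.strip()}"))

    pct = tags.get("pct")
    if pct is not None and not (pct.isdigit() and 0 <= int(pct) <= 100):
        findings.append(("error", f"pct must be 0-100, got {pct}"))
    elif pct is not None and int(pct) < 100 and p == "reject":
        findings.append(("warn", f"p=reject is applied to only {pct}% of failing mail"))

    for tag in ("adkim", "aspf"):
        if tag in tags and tags[tag] not in ("r", "s"):
            findings.append(("error", f"{tag} must be r or s, got {tags[tag]}"))

    # Subdomains inherit p= unless sp= overrides it; flag an override that weakens protection.
    sp = tags.get("sp")
    if sp in POLICY_RANK and p in POLICY_RANK and POLICY_RANK[sp] < POLICY_RANK[p]:
        findings.append(("warn", f"subdomain policy sp={sp} is weaker than p={p}"))
    return findings


# Constructed sample lookups: (hostname queried, TXT value returned or None).
SAMPLES = {
    "good": ("_dmarc.example.com",
             "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; pct=100; adkim=s; aspf=s"),
    "missing": ("_dmarc.example.com", None),
    "monitor_only": ("_dmarc.example.com", "v=DMARC1; p=none"),
    "wrong_host": ("dmarc.example.com", "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"),
    "weak_subdomain": ("_dmarc.example.com", "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@example.com"),
}


def lint_samples() -> dict:
    """Lint every constructed sample and return name -> findings."""
    return {name: lint_dmarc(host, txt) for name, (host, txt) in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in lint_samples().items():
        print(f"{name}: {findings or 'OK'}")
```

Feed it the string that dig prints (quotes included; the parser strips them) and the hostname you queried; a clean record returns no findings, and anything at "error" severity means receivers will either ignore the record or never see it.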
Step-by-Step: Moving to p=reject
1. Publish a monitoring record: _dmarc.yourdomain.com TXT "v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com"
2. Verify SPF is correct — Your SPF record should include all IPs and services that send mail on your behalf (Google Workspace, SendGrid, Mailchimp, your server, etc.)
3. Configure DKIM for each sending source — Every ESP you use should be signing outbound mail with DKIM using a key that aligns with your domain.
4. Review aggregate reports for 30 days — Use a DMARC report parser (Postmark's DMARC Digests, MXToolbox, or dmarcian) to identify any sources failing alignment.
5. Fix failing sources — For each failing source, either add them to your SPF record, configure DKIM signing, or stop using them.
6. Move to p=quarantine; pct=25 — Apply quarantine to 25% of failing mail as a safety check.
7. Increase pct to 100, then move to p=reject
The entire process takes 60–90 days if done carefully. After that, email spoofing of your domain by external attackers becomes nearly impossible for all major mail providers that enforce DMARC.
Checking DMARC for All Your Domains
Don't forget parked domains — domains you own but don't send email from are easy targets for spoofing. Publish a lockdown record for every domain you own that doesn't send mail:
v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s
No rua needed — there's no legitimate mail to report on.