DMARC Record Checker — Check Your DMARC Policy
Verify your DMARC record, understand your policy and get actionable improvement recommendations.
What Is DMARC and Why Does It Matter?
DMARC (Domain-based Message Authentication, Reporting and Conformance) is the policy layer that ties SPF and DKIM together. While SPF and DKIM authenticate your messages, DMARC tells receiving servers what to do when authentication fails — and gives you visibility into who is sending email from your domain.
Without DMARC, authentication failures are handled inconsistently. Some receivers might spam-folder the message, others might deliver it, and you have no way to know it happened. DMARC solves this by publishing an explicit policy and requesting reports.
How DMARC Works
- An email arrives at the receiving server claiming to be from your domain
- The server checks SPF alignment — does the Return-Path domain match the From domain?
- The server checks DKIM alignment — does the d= domain match the From domain?
- If both SPF and DKIM alignment fail, DMARC policy is applied
- The result (pass, fail, policy applied) is included in the aggregate report sent to your rua address
DMARC Record Syntax
A DMARC record is a TXT record published at _dmarc.yourdomain.com. Example:
| Tag | Purpose | Values |
|---|---|---|
| p= | Policy for the domain | none, quarantine, reject |
| rua= | Aggregate report address | mailto:dmarc@yourdomain.com |
| ruf= | Forensic report address | mailto:dmarc-forensic@yourdomain.com |
| sp= | Subdomain policy | none, quarantine, reject (inherits p= if omitted) |
| pct= | Percentage of messages to apply policy | 1-100 (default 100) |
| adkim= | DKIM alignment mode | r (relaxed) or s (strict) |
| aspf= | SPF alignment mode | r (relaxed) or s (strict) |
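An added example (not NexusProMail's checker code): a small parser for the tag list above that fills in the defaults from the table and flags the gaps this page lists under "Common DMARC Failures". The function names are hypothetical, the sample records are constructed, and the `v=DMARC1` version tag comes from RFC 7489 rather than from this page.

```python
# Added example: parse a DMARC TXT record and flag weak settings.
DEFAULTS = {"pct": "100", "adkim": "r", "aspf": "r"}  # defaults from the tag table
POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(txt):
    """Split 'tag=value; tag=value' into a dict, rejecting malformed records."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate a trailing semicolon
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        tags[name.strip().lower()] = value.strip()
    # RFC 7489: the version tag must come first and be exactly DMARC1.
    if list(tags)[:1] != ["v"] or tags["v"] != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    tags["p"] = tags.get("p", "").lower()
    if tags["p"] not in POLICIES:
        raise ValueError("p= must be none, quarantine or reject")
    return tags


def review(txt):
    """Return (effective settings, findings) for one record."""
    tags = parse_dmarc(txt)
    eff = {**DEFAULTS, **tags}
    eff["sp"] = tags.get("sp", tags["p"])  # sp= inherits p= if omitted
    findings = []
    if eff["p"] == "none":
        findings.append("p=none: monitor only, failing mail is still delivered")
    if "rua" not in tags:
        findings.append("no rua=: no aggregate reports, no visibility")
    if int(eff["pct"]) < 100:
        findings.append(f"pct={eff['pct']}: policy covers only part of failing mail")
    if "sp" not in tags and eff["p"] != "none":
        findings.append(f"no sp=: subdomains inherit p={eff['p']}")
    return eff, findings


if __name__ == "__main__":
    # Constructed sample records.
    for rec in ("v=DMARC1; p=none",
                "v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com; pct=50"):
        print(rec, "->", review(rec)[1])
```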
Understanding DMARC Policies
p=none — Monitor Only
The starting policy. Authentication failures are reported but no action is taken — messages are delivered normally. Use this phase to discover all legitimate senders and fix authentication issues before enforcing.
p=quarantine — Send Failures to Spam
The intermediate step. Messages that fail both SPF and DKIM alignment are sent to the spam folder. This protects your recipients while giving you a safety net — quarantined messages can still be found if a legitimate sender was missed.
p=reject — Block Unauthenticated Mail
Maximum protection. Messages that fail authentication are rejected outright — they never reach the recipient. This is the gold standard for anti-spoofing. Gmail, Yahoo and Microsoft all recommend p=reject for domains that have completed their authentication setup.
The Recommended Migration Path
Common DMARC Failures and How to Fix Them
SPF Alignment Failure
The envelope sender (Return-Path) domain does not match the From header domain. This commonly happens with third-party senders that use their own envelope domain. Fix: configure the service to use your domain as the Return-Path, or rely on DKIM alignment instead.
DKIM Alignment Failure
The d= domain in the DKIM signature does not match the From header domain. This happens when your email provider signs with their own domain instead of yours. Fix: configure custom DKIM signing with your provider so they sign with d=yourdomain.com.
Third-Party Senders Breaking DMARC
This happens when SaaS tools (CRM, helpdesk, marketing platform) send from your domain without proper SPF or DKIM configuration. Each sender needs to either be included in your SPF record OR have DKIM signing configured with your domain. Fix: audit each sender, configure authentication, then verify with the checkers above.
No Reporting Address Configured
Without a rua= tag, you get no aggregate reports and have no visibility into authentication results. You are flying blind. Fix: add rua=mailto:dmarc@yourdomain.com to your DMARC record. You can also use a third-party DMARC report processor for easier analysis.
Subdomain Policy Not Set
Without an sp= tag, subdomains inherit the parent domain's p= policy. If your policy is p=reject but a subdomain has no SPF or DKIM, email from that subdomain will be rejected. Fix: either set sp= explicitly, or ensure all sending subdomains have proper authentication.
DMARC Compliance With NexusProMail
- All sends are SPF-aligned — we use your domain as the envelope sender
- All sends are DKIM-signed with d= set to your domain
- Our domain warming process includes DMARC policy ramp guidance
- Compatible with p=reject from day one — no authentication gaps
Complete Your Email Authentication
DMARC Record FAQ
What is a DMARC record?
A DMARC record is a DNS TXT record published at _dmarc.yourdomain.com. It tells receiving mail servers what to do when an email fails both SPF and DKIM authentication — monitor it (p=none), send it to spam (p=quarantine) or reject it (p=reject). It also specifies where to send aggregate reports about authentication results.
What DMARC policy should I use?
Start with p=none to monitor your email authentication without affecting delivery. Review the aggregate reports for 2-4 weeks to identify all legitimate senders. Then move to p=quarantine to send failing messages to spam. Once you are confident all legitimate email passes, upgrade to p=reject for maximum protection.
How long before I should move to p=reject?
Most organisations take 4-8 weeks to move from p=none to p=reject. The timeline depends on how many email senders you discover in the monitoring phase. Simple setups (one email provider) can move faster. Complex setups (multiple marketing tools, CRM, helpdesk, transactional email) should take longer to audit each sender.
What are DMARC aggregate reports (rua)?
Aggregate reports are XML files sent daily by receiving mail servers to the address specified in your rua= tag. They summarise authentication results for all email sent from your domain — which IPs sent email, whether SPF and DKIM passed, and what policy was applied. They are essential for monitoring your domain's authentication health.
Does DMARC protect against phishing?
DMARC significantly reduces domain-based phishing by ensuring unauthenticated messages are quarantined or rejected. However, it only protects your exact domain (and subdomains). Lookalike domains (nexuspr0mail.com) require separate monitoring. DMARC at p=reject is the single most effective anti-phishing measure a domain owner can deploy.
Can DMARC break legitimate email?
Yes, if deployed incorrectly. Moving to p=quarantine or p=reject before all legitimate senders are authenticated will cause those messages to be spam-foldered or rejected. This is why the p=none monitoring phase is critical — it reveals all senders before you start enforcing. Always check reports before escalating your policy.
How do I read a DMARC failure report?
Aggregate reports are XML and difficult to read raw. Look for rows where the disposition is not "none" — these are messages that failed authentication. Check the source IP against your known senders. If a legitimate sender appears as failing, you need to add them to your SPF record or configure DKIM signing for that service.
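An added example, not NexusProMail's code: it pulls the failing rows out of an aggregate report and checks each source IP against a list of known senders, as the answer above describes. Besides rows whose disposition is not "none", it also lists rows where both dkim and spf evaluated to fail, which is how failures appear while the policy is still p=none. It assumes the RFC 7489 report layout without an XML namespace; `failing_rows` and `known_senders` are hypothetical names and the sample report is constructed.

```python
# Added example: list the rows of a DMARC aggregate report that need attention.
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample, trimmed to the elements used here; all values are made up.
SAMPLE_REPORT = """<feedback>
  <policy_published><domain>yourdomain.com</domain><p>quarantine</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>40</count>
    <policy_evaluated><disposition>none</disposition>
      <dkim>pass</dkim><spf>fail</spf></policy_evaluated></row></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>25</count>
    <policy_evaluated><disposition>quarantine</disposition>
      <dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
  <record><row><source_ip>203.0.113.5</source_ip><count>3</count>
    <policy_evaluated><disposition>quarantine</disposition>
      <dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>"""


def failing_rows(xml_text, known_senders):
    """Return rows that failed DMARC, busiest source first.

    known_senders: CIDR ranges of services allowed to send for the domain
    (an assumption of this example; take them from your own sender audit).
    """
    nets = [ipaddress.ip_network(n) for n in known_senders]
    rows = []
    # Reports come from third parties: parse with a hardened XML parser in production.
    for row in ET.fromstring(xml_text).iter("row"):
        ev = row.find("policy_evaluated")
        if ev is None:
            continue
        disp, dkim, spf = (ev.findtext(t, "").strip()
                           for t in ("disposition", "dkim", "spf"))
        dmarc_fail = dkim == "fail" and spf == "fail"
        if disp == "none" and not dmarc_fail:
            continue  # passed via DKIM or SPF alignment
        ip = ipaddress.ip_address(row.findtext("source_ip", "").strip())
        rows.append({"ip": str(ip), "count": int(row.findtext("count", "0")),
                     "disposition": disp,
                     "known_sender": any(ip in n for n in nets)})
    return sorted(rows, key=lambda r: -r["count"])


if __name__ == "__main__":
    for r in failing_rows(SAMPLE_REPORT, ["203.0.113.0/24"]):
        action = "fix SPF/DKIM for this service" if r["known_sender"] else "unknown source"
        print(r["ip"], r["count"], r["disposition"], action)
```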