Domain Intelligence Tool

DMARC Checker & Validator

Protect your clients from domain spoofing and email impersonation. Our AI-driven engine provides instant DMARC validation and deep protocol analysis for MSP-level efficiency.

Live check —

Policy —

Score —

Free DMARC checker — works on any domain.

DMARC Record Analysis

Target:

warning

Policy Weakness

Raw Record

verified Policy Type

forward_to_inbox Protocol Score

priority_high

Fix This Now

DMARC AI can automatically generate a hardened record and manage your RUA reports for all 100+ subdomains.

Secure Domain

Protocol Snapshot

SPF Status

DKIM Key

DMARC Policy

What is a DMARC Checker?

A DMARC Checker is a diagnostic tool designed to verify if a domain has a valid DMARC (Domain-based Message Authentication, Reporting, and Conformance) record published in its DNS. For MSPs and security professionals, this is the first line of defense in identifying misconfigurations that could allow cybercriminals to impersonate a brand.

Without a proper checker, small syntax errors can invalidate your entire email security posture, leading to massive deliverability issues or successful phishing campaigns against your clients.

Validator vs. Analyzer

While a DMARC Validator checks for syntax and basic existence, a DMARC Analyzer goes deeper. It processes the complex RUA/RUF reports sent by ISPs like Google and Microsoft to show exactly who is sending mail on behalf of your domain.

DMARC AI combines both functions, providing a technical audit of your DNS records and translating raw XML data into actionable human intelligence for your security dashboard.

construction

How to Fix DMARC Errors

Audit DNS Syntax

Check for double-quoted values, missing semicolons, or invalid 'p' tags in your TXT record.

Verify Alignment

Ensure your SPF (Return-Path) and DKIM (d=tag) match the domain in the From: header.

Escalate Policy

Move from p=none to p=quarantine once you've confirmed all legitimate sending services are authenticated.

verified_user

SOC2 Type II Ready

Your domain data is processed with enterprise-grade security protocols.

speed

Real-time Lookups

Direct integration with global DNS clusters for sub-second analysis.

groups

Built for MSPs

Multi-tenant architecture designed to manage thousands of domains.

Stop Spoofing Before It Happens

Built for MSPs who run DMARC as a managed service — protect client reputations at portfolio scale.

Start free account Book demo

Free check is good — running a portfolio is better

Two ways to go from a one-off check to a managed practice.

Self-serve No credit card

Start a free 30-day Premium trial

Sign up, add a domain, see real DMARC reports inside 48 hours. No credit card. Premium AI features included for the trial; drop back to free Basic monitoring afterwards or convert per-active-domain.

Start a free 30-day Premium trial arrow_forward

Guided 30 minutes with an engineer

Book demo

Walk through the multi-tenant dashboard with a real engineer. Bring a client domain — we will load it live and show what the reports look like for your portfolio.

Book demo north_east

DMARC FAQ for Professionals

What is a DMARC checker? expand_more

A DMARC checker reads the TXT record published at _dmarc.<your-domain> and reports the policy, alignment settings, reporting addresses, and any common configuration mistakes. It tells you what receivers like Gmail, Microsoft, and Yahoo see when they evaluate mail from your domain.

How do I know if my DMARC record is valid? expand_more

A valid DMARC record starts with v=DMARC1, has exactly one policy tag (p=none, p=quarantine, or p=reject), and is published at a single _dmarc subdomain. Running the checker above confirms the syntax, surfaces any duplicate records, and flags missing rua= addresses or weakened sp= sub-policies.

What does “no DMARC record found” mean? expand_more

Receivers cannot find any TXT record (or CNAME chain that resolves to one) at _dmarc.<your-domain>. Without that record, no policy is enforced — attackers can spoof your domain and Gmail/Yahoo will treat your bulk mail with extra suspicion. Publish at least v=DMARC1; p=none; rua=mailto:dmarc@yourdomain to start receiving aggregate reports.

Can I have more than one DMARC record? expand_more

No. RFC 7489 specifies that exactly one DMARC record must exist at _dmarc.<your-domain>. When receivers find two, they ignore both and treat the domain as if no DMARC were published. The checker above flags this as an error.

What is the difference between p=none, p=quarantine and p=reject? expand_more

p=none means receivers send aggregate reports but take no action on failing mail. p=quarantine asks receivers to route failing mail to spam. p=reject tells receivers to drop failing mail at the SMTP layer. Most domains start at p=none for 4–6 weeks, then move to quarantine, then reject as confidence in their sender inventory grows.

Does DMARC work without SPF or DKIM? expand_more

No. DMARC enforces alignment of either SPF or DKIM (and ideally both) against the From: header domain. A domain with neither SPF nor DKIM published will fail DMARC by definition. The minimum viable setup is one published SPF record OR DKIM signing enabled at the sending platform, plus the DMARC TXT record above.

Why do MSPs need continuous DMARC monitoring? expand_more

Client environments change weekly — new marketing platforms come online, SaaS tools rotate sending domains, DKIM keys quietly rotate, SPF records bump past the 10-lookup limit. A point-in-time checker catches the snapshot you take today. Continuous monitoring catches the changes that happen next week before they affect deliverability or client trust.

Example DMARC records

Three real-world DMARC records that show the typical progression from monitoring-only through partial quarantine to full enforcement. Copy any of these as a starting point and adapt the rua= address for your own reporting endpoint.

Monitoring-only (start here)

_dmarc.example.com  TXT  v=DMARC1; p=none; rua=mailto:[email protected]; pct=100

Receives aggregate reports without affecting deliverability. Use during the first 4–6 weeks while you inventory legitimate senders.

Phased quarantine (50% of mail)

_dmarc.example.com  TXT  v=DMARC1; p=quarantine; rua=mailto:[email protected]; adkim=s; aspf=s; pct=50

Quarantines half of failing mail with strict SPF and DKIM alignment. Raise pct= incrementally (25 → 50 → 75 → 100) as confidence grows.

Full enforcement (p=reject)

_dmarc.example.com  TXT  v=DMARC1; p=reject; rua=mailto:[email protected]; sp=reject

Full DMARC enforcement at the apex and across subdomains. The end-state for any production sending domain.

Every DMARC tag, explained

v Version Required: Always DMARC1. Must be the first tag in the record — receivers that find anything else here ignore the record entirely. v=DMARC1
p Policy Required: What receivers do with mail that fails DMARC. One of none (monitor only), quarantine (route to spam), or reject (drop at SMTP). p=reject
sp Subdomain policy: Optional override applied to subdomains. When absent, subdomains inherit p= — which is the safest default. Only set sp= when you genuinely want different behaviour for subdomains. sp=reject
pct Percent: Share of failing mail the policy applies to. Defaults to 100. Use lower values (25, 50, 75) during phased rollouts so a misconfiguration affects only a fraction of traffic. pct=100
rua Aggregate reports: mailto: addresses that receive the daily XML aggregate reports. Comma-separated; up to two addresses. Without rua= you publish DMARC but have zero visibility into what receivers see. rua=mailto:[email protected]
ruf Forensic reports: mailto: addresses that receive per-failure forensic reports. Few providers send these today, and the volume + PII concerns mean most MSPs leave ruf= off. ruf=mailto:[email protected]
adkim DKIM alignment: How DKIM alignment is evaluated against From:. s = strict (d= must equal the From: domain exactly), r = relaxed (a registered-domain match is enough, the default). adkim=s
aspf SPF alignment: Same as adkim but for SPF. s = strict (envelope-from must match From: exactly), r = relaxed (the default). aspf=s
fo Failure reporting: When to generate forensic reports. 0 = both SPF and DKIM failed; 1 = either failed; d = DKIM signature did not validate; s = SPF did not pass. fo=1

Common DMARC mistakes and how to fix them

These are the seven failure modes a DMARC checker catches most often. Every one of them silently breaks enforcement; most are a one-line DNS fix.

Issue	What it means	How to fix it
No DMARC record found	No TXT record (or CNAME chain) is published at _dmarc.<your-domain>.	Add a TXT record at _dmarc.example.com starting with v=DMARC1; p=none; rua=mailto:[email protected].
Multiple DMARC records	More than one TXT record exists at _dmarc. Receivers ignore both and treat the domain as if DMARC is missing.	Delete every duplicate. Exactly one DMARC TXT record must exist at the apex DMARC hostname.
Invalid DMARC version	The record does not start with v=DMARC1 (or has a typo like v=DMARC).	Edit the record so v=DMARC1 is the very first tag. Anything else makes receivers skip the record entirely.
Missing policy	The record has v=DMARC1 but no p= tag.	Add p=none for monitoring, p=quarantine for spam routing, or p=reject for full enforcement.
Invalid rua destination	rua= points to a malformed address, a non-mailto URI, or a domain that has not authorized external reports.	Use mailto:[email protected] format. If receiving reports for a different domain, publish the cross-domain authorization TXT record.
Policy still at p=none	Reports are collected but no enforcement happens. The domain remains spoofable.	After 4–6 weeks of monitoring, move to p=quarantine with pct=25 and ramp up to p=reject.
SPF or DKIM never aligns	Authentication passes but the authenticating domain does not align with the From: header.	Configure the sending service to use an aligned return-path, or rely on aligned DKIM signing of the From: domain.

No DMARC record found

What it means: No TXT record (or CNAME chain) is published at _dmarc.<your-domain>.
How to fix it: Add a TXT record at _dmarc.example.com starting with v=DMARC1; p=none; rua=mailto:[email protected].

Multiple DMARC records

What it means: More than one TXT record exists at _dmarc. Receivers ignore both and treat the domain as if DMARC is missing.
How to fix it: Delete every duplicate. Exactly one DMARC TXT record must exist at the apex DMARC hostname.

Invalid DMARC version

What it means: The record does not start with v=DMARC1 (or has a typo like v=DMARC).
How to fix it: Edit the record so v=DMARC1 is the very first tag. Anything else makes receivers skip the record entirely.

Missing policy

What it means: The record has v=DMARC1 but no p= tag.
How to fix it: Add p=none for monitoring, p=quarantine for spam routing, or p=reject for full enforcement.

Invalid rua destination

What it means: rua= points to a malformed address, a non-mailto URI, or a domain that has not authorized external reports.
How to fix it: Use mailto:[email protected] format. If receiving reports for a different domain, publish the cross-domain authorization TXT record.

Policy still at p=none

What it means: Reports are collected but no enforcement happens. The domain remains spoofable.
How to fix it: After 4–6 weeks of monitoring, move to p=quarantine with pct=25 and ramp up to p=reject.

SPF or DKIM never aligns

What it means: Authentication passes but the authenticating domain does not align with the From: header.
How to fix it: Configure the sending service to use an aligned return-path, or rely on aligned DKIM signing of the From: domain.

For MSPs

How MSPs use this checker during client onboarding

A free checker is the right tool for two specific moments: the first conversation with a prospect, and the technical kick-off of a new managed contract.

During prospecting, run the checker on a prospect's apex domain (and their three or four most-used subdomains — marketing, support, billing) before the first call. The output gives you something concrete to point at: "your apex domain is at p=none, your marketing subdomain has no DMARC record at all, and your SPF has 14 DNS lookups — that's an open spoofing vector and the deliverability story you've been seeing on Mailchimp."

During onboarding, the same checker becomes a baseline. Take a screenshot of every client domain on day one — apex + 3 subdomains — and store it alongside the engagement docs. Three months later when the client asks "what have you actually done for me," the before-and-after comparison writes itself.

What the checker does not give you is the ongoing visibility — the new SaaS tool the client adopted last week, the marketing platform that just rotated its sending domain, the DKIM key that quietly broke after a Microsoft 365 tenant migration. For that, the same data needs to live in a dashboard you can check daily.

See how DMARC AI works for MSPs

From manual to managed

When a checker is not enough: why continuous monitoring matters

A DMARC checker reads what is in DNS the moment you press Analyze. It is a flashlight, not a watchtower.

The configurations that break DMARC the most often are not the ones an editor mis-typed at noon. They are the slow drifts: marketing rotates a sender, a new SaaS tool is procured without IT signoff, an SPF record grows past the 10-lookup limit one include= at a time. None of these show up in a manual quarterly check because the snapshot you took last quarter looked fine.

DMARC AI watches the DNS records, ingests aggregate reports, and surfaces drifts as they happen — across every domain in a single multi-tenant dashboard. The same checker you use today for prospecting becomes the continuous monitor that closes the loop on every client environment.

Start a free trial