DMARC Checker

Validate your DMARC record and check policy enforcement level. Identifies missing records, weak policies set to 'none', and misconfigured alignment rules that leave your domain vulnerable to spoofing.

What Is DMARC?

DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an email authentication protocol that protects domains from unauthorized use in email spoofing and phishing attacks. It builds on two existing protocols — SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) — by adding a policy layer that tells receiving mail servers what to do when authentication checks fail.

Without DMARC, anyone can send email that appears to come from your domain. Phishing attacks using spoofed sender addresses account for over 90% of cyber attacks, and DMARC is the primary defense against this vector.

A DMARC record is published as a DNS TXT record at _dmarc.yourdomain.com. When a receiving mail server gets an email claiming to be from your domain, it checks this record to determine whether to deliver, quarantine, or reject the message.

How DMARC Works

The Authentication Chain

DMARC verification follows a three-step process:

  1. SPF Check — The receiving server verifies that the sending IP address is authorized to send email for your domain by checking your SPF DNS record.
  2. DKIM Check — The receiving server verifies the email's cryptographic signature against the public key published in your domain's DNS.
  3. DMARC Alignment — Even if SPF or DKIM pass individually, DMARC requires that at least one of them “aligns” with the From header domain. This prevents attackers from passing SPF with their own domain while spoofing yours in the visible From field.

DMARC Policy Levels

DMARC supports three enforcement levels, set via the p= tag in your DMARC record:

| Policy | Tag | Behavior | Protection Level |
| --- | --- | --- | --- |
| None | p=none | Monitor only — no action taken on failures | Observation only |
| Quarantine | p=quarantine | Failed emails sent to spam/junk folder | Moderate |
| Reject | p=reject | Failed emails blocked entirely | Maximum |

Most organizations should start with p=none to monitor authentication results, then progressively move to p=quarantine and finally p=reject once they've confirmed all legitimate email sources are properly authenticated.

Key DMARC Record Tags

| Tag | Required | Example | Purpose |
| --- | --- | --- | --- |
| v | Yes | v=DMARC1 | Protocol version (must be DMARC1) |
| p | Yes | p=reject | Policy for the domain |
| sp | No | sp=quarantine | Policy for subdomains |
| rua | Recommended | rua=mailto:dmarc@example.com | Aggregate report destination |
| ruf | Optional | ruf=mailto:forensics@example.com | Forensic report destination |
| pct | Optional | pct=100 | Percentage of messages subject to policy |
| adkim | Optional | adkim=s | DKIM alignment mode (s=strict, r=relaxed) |
| aspf | Optional | aspf=r | SPF alignment mode (s=strict, r=relaxed) |
| fo | Optional | fo=1 | Failure reporting options |

Common DMARC Problems and How to Fix Them

No DMARC Record Found

Problem: Your domain has no _dmarc TXT record in DNS.

Impact: Any attacker can send email as your domain with no policy enforcement. Cyber insurance underwriters increasingly flag this as a disqualifying risk.

Fix: Add a TXT record at _dmarc.yourdomain.com with at minimum: v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com

Policy Set to None (p=none)

Problem: DMARC is configured but set to monitoring mode only. Failed authentication has no consequences.

Impact: You get visibility into spoofing attempts but provide no protection. Cyber insurers and compliance frameworks (SOC 2, NIST CSF) increasingly require p=quarantine or p=reject.

Fix: After reviewing aggregate reports to confirm legitimate senders pass authentication, upgrade to p=quarantine, then to p=reject.

Missing Aggregate Reports (No rua Tag)

Problem: No rua= tag means you receive no reports about who is sending email as your domain.

Fix: Add rua=mailto:dmarc-reports@yourdomain.com to your DMARC record. Consider using a DMARC reporting service to parse the XML reports.

SPF Alignment Failure

Problem: SPF passes but the authenticated domain doesn't match the From header domain.

Cause: Third-party email services (marketing platforms, CRMs, helpdesks) sending on your behalf with their own return-path domain.

Fix: Configure these services to use your domain as the return-path, or ensure DKIM alignment passes instead.
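The alignment rule from "The Authentication Chain" and the SPF alignment failure above, as an added example that is not code from this tool. The function names and sample domains are hypothetical, and the organizational-domain rule is a labelled simplification (last two labels instead of the Public Suffix List).

```python
# Added example: DMARC identifier alignment, relaxed vs strict.
def org_domain(domain):
    """Simplified organizational domain: the last two labels.
    Assumption for this example; real receivers consult the Public Suffix List."""
    return ".".join(domain.split(".")[-2:])

def aligned(auth_domain, from_domain, mode="r"):
    """mode 's' requires an exact match; 'r' accepts the same organizational domain."""
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

def dmarc_result(from_domain, spf, dkim, aspf="r", adkim="r"):
    """spf and dkim are (passed, authenticated_domain) pairs.
    DMARC passes when at least one check both passes and aligns with From."""
    spf_ok = spf[0] and aligned(spf[1], from_domain, aspf)
    dkim_ok = dkim[0] and aligned(dkim[1], from_domain, adkim)
    return "pass" if spf_ok or dkim_ok else "fail"

# Constructed cases; all domains are placeholders.
CASES = [
    # SPF passes for the sender's own domain while From shows yours: no alignment.
    ("example.com", (True, "mail.other.test"), (False, ""), "r", "r"),
    # Third-party platform: SPF on its return-path, DKIM signed with d=example.com.
    ("example.com", (True, "bounce.vendor.test"), (True, "example.com"), "r", "r"),
    # Subdomain return-path aligns in relaxed mode but not in strict mode.
    ("example.com", (True, "bounce.example.com"), (False, ""), "r", "r"),
    ("example.com", (True, "bounce.example.com"), (False, ""), "s", "r"),
]

if __name__ == "__main__":
    for from_domain, spf, dkim, aspf, adkim in CASES:
        print(from_domain, spf, dkim, aspf, dmarc_result(from_domain, spf, dkim, aspf, adkim))
```

The second case is why the fix offers DKIM alignment as an alternative: the vendor's return-path never aligns, but a signature with your own d= domain does.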

Subdomain Policy Missing

Problem: No sp= tag means subdomains inherit the parent domain's policy, which may not be appropriate.

Fix: Add sp=reject if you don't send email from subdomains, or set an appropriate policy for each subdomain.
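The record-level problems in this section can be checked mechanically once the TXT strings at _dmarc.yourdomain.com have been retrieved. The linter below is an added example, not this tool's implementation; its function names and sample records are constructed, and it also flags two cases beyond those listed above (duplicate records and pct below 100).

```python
# Added example: lint DMARC TXT records for the problems described above.
def parse_dmarc(txt):
    """Split 'tag=value; tag=value' into an ordered dict, tag names lower-cased."""
    tags = {}
    for part in txt.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    return tags

def is_dmarc(tags):
    """A record counts as DMARC only if its first tag is v=DMARC1."""
    return next(iter(tags.items()), None) == ("v", "DMARC1")

def lint_dmarc(txt_records):
    """Return findings for the TXT strings published at _dmarc.<domain>."""
    found = [t for t in map(parse_dmarc, txt_records) if is_dmarc(t)]
    if not found:
        return ["no DMARC record found"]
    if len(found) > 1:
        return ["multiple DMARC records: receivers apply no policy"]
    tags, findings = found[0], []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid p= tag")
    elif policy == "none":
        findings.append("p=none: monitoring only, failures have no consequences")
    if "rua" not in tags:
        findings.append("no rua= tag: no aggregate reports")
    if "sp" not in tags:
        findings.append("no sp= tag: subdomains inherit p=" + (policy or "?"))
    pct = tags.get("pct", "100")
    if not pct.isdecimal() or int(pct) > 100:
        findings.append("invalid pct= value")
    elif int(pct) < 100:
        findings.append("pct=" + pct + ": policy applies to only part of the mail")
    return findings

# Constructed sample records (example.com is a placeholder domain).
SAMPLES = {
    "missing": ["v=spf1 -all"],
    "monitor": ["v=DMARC1; p=none"],
    "partial": ["v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc-reports@example.com"],
    "enforced": ["v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc-reports@example.com"],
}

if __name__ == "__main__":
    for name, records in SAMPLES.items():
        print(name, lint_dmarc(records) or ["ok"])
```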

Why DMARC Matters for Cyber Insurance

Cyber insurance underwriters now scan applicant domains for DMARC enforcement before issuing or renewing policies. In our research scanning 73 domains across the insurance ecosystem, 41% had inadequate DMARC configuration.

Key requirements most insurers look for:

Domains without DMARC enforcement face higher premiums, coverage exclusions, or outright denial of cyber insurance applications.

How This DMARC Checker Works

This tool queries your domain's DNS to retrieve and analyze the DMARC TXT record at _dmarc.yourdomain.com. It checks:

Results include a pass/warn/fail grade and specific remediation steps for any issues found. For a comprehensive assessment across all email security and infrastructure controls, run a full infrastructure risk scan.

To understand how SPF, DKIM, and DMARC work together and how to configure them for your clients, read our MSP guide to email authentication.

Frequently Asked Questions

How long does it take for DMARC changes to take effect?
DNS propagation typically takes 1-48 hours depending on your DNS provider’s TTL settings. Most changes are visible within 1-4 hours.

Can DMARC break my email?
Only if legitimate email sources aren’t properly authenticated with SPF or DKIM before you set the policy to quarantine or reject. Always start with p=none and monitor reports first.

Do I need DMARC if I already have SPF and DKIM?
Yes. SPF and DKIM alone don’t tell receiving servers what to do with failed checks. DMARC adds the policy layer and alignment requirement that makes email authentication enforceable.

What’s the difference between DMARC and DKIM?
DKIM cryptographically signs email content to verify it hasn’t been tampered with. DMARC is a policy framework that uses SPF and DKIM results to make enforcement decisions. They’re complementary, not alternatives.

Is DMARC required for compliance?
DMARC is recommended or required by NIST 800-177, PCI DSS v4.0 (March 2025), SOC 2 Trust Services Criteria, and most cyber insurance underwriters. The trend is clearly toward mandatory enforcement.