tools
DMARC Checker and DMARC Lookup for Policy, Alignment, and Reports
Use this DMARC checker and lookup guide to validate DMARC records, policy tags, reporting addresses, SPF/DKIM alignment, and rollout readiness.
If you are searching for dmarc lookup, dmarc checker, or check dmarc record, the real job is not only to prove that a TXT record exists in DNS.
The real job is to confirm that:
- the DMARC record is valid
- the visible From domain aligns with real mail
- reporting destinations work
- your policy is safe for the current rollout stage
MailSlurp helps teams turn that check into a repeatable sender-auth workflow with DMARC, SPF, DKIM, DNS, header, and inbox-placement evidence.
Quick answer
A useful DMARC lookup should answer five things:
- does a DMARC TXT record exist at
_dmarc.yourdomain.com - is the syntax valid
- do the
p,adkim,aspf,pct,rua, and optionalruftags make sense - are reporting addresses reachable and authorized
- do live messages actually align with the policy you want to enforce
A syntactically valid record is not the finish line. It is the start of a safe DMARC rollout.
What a DMARC lookup should tell you
A DMARC checker is really a DNS lookup plus a policy sanity check.
At minimum, it should confirm:
- the record exists at
_dmarc.<domain> v=DMARC1is present- the policy is defined with
p=none,quarantine, orreject - reporting addresses in
rua=and optionalruf=are correctly formatted - alignment settings such as
adkim=andaspf=match your enforcement plan - optional rollout tags such as
pct=are valid
The lookup result should then point you to the next operational question: are legitimate senders actually aligned well enough for that policy?
DMARC record anatomy
These are the tags teams should understand before changing policy:
| Tag | Purpose | What to check |
|---|---|---|
v=DMARC1 |
declares the record type | it appears once at _dmarc.<domain> |
p= |
sets the domain policy | none, quarantine, or reject matches rollout maturity |
rua= |
sends aggregate reports | the mailbox or processor can receive reports |
ruf= |
sends forensic reports when used | privacy and provider behavior are understood |
adkim= |
controls DKIM alignment strictness | relaxed or strict matches the sender model |
aspf= |
controls SPF alignment strictness | relaxed or strict matches the return-path model |
pct= |
applies policy to a percentage of mail | staged rollout is deliberate and documented |
Use a checker for syntax, then inspect real messages for alignment.
Example DMARC records
A monitoring-first record often looks like this:
v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com; pct=100
A stricter record can look like this:
v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; adkim=s; aspf=s; pct=100
The correct record depends on how complete your sender inventory is and whether real mail already passes alignment.
DMARC policy rollout path
Most teams should tighten DMARC in stages:
- publish
p=nonewith aggregate reporting - collect reports and identify every legitimate sender
- fix SPF or DKIM alignment gaps
- test real product, campaign, billing, and support messages
- move selected traffic to
quarantinewhen the evidence is clean - move to
rejectonly when legitimate senders are aligned - monitor continuously after enforcement
This is safer than treating p=reject as a setup shortcut.
How to read common DMARC checker outputs
| Checker output | What it usually means | Next action |
|---|---|---|
| No DMARC record found | the domain has no DMARC policy | publish a monitoring-first record |
| Invalid DMARC syntax | tags are malformed or incorrectly separated | fix formatting before rollout |
Record valid, policy p=none |
monitoring is enabled but not enforced | review reports and sender inventory |
Record valid, rua missing |
no aggregate reporting destination | add report collection before tightening policy |
| DMARC valid, alignment still failing | SPF or DKIM does not align with the From domain | inspect real message headers |
Step-by-step DMARC lookup workflow
- Query
_dmarc.yourdomain.com. - Confirm
v=DMARC1and the intendedp=policy. - Review
rua=andruf=reporting addresses. - Check
adkim=andaspf=against your sender model. - Send real mail from every important platform.
- Inspect headers with Email header analyzer.
- Review aggregate reports before tightening policy.
This sequence matters because a DNS lookup can tell you the record is present, but only live mail can tell you whether the policy will break legitimate sending.
Alignment checks that matter
DMARC passes when SPF or DKIM passes and aligns with the visible From domain. That means a message can pass SPF or DKIM technically but still fail DMARC when the domains do not line up.
Check:
- visible From domain
- DKIM signing domain
- Return-Path or envelope sender domain
- forwarded or relayed mail behavior
- third-party tools sending on behalf of the domain
- subdomains used by product, marketing, billing, and support systems
Use Email header analyzer with the DMARC checker so the team can see what real messages are doing.
DMARC lookup vs DMARC monitoring
A lookup is a point-in-time check.
Monitoring is the ongoing system around that check:
- report collection
- sender inventory review
- alerting when pass rates change
- validation after provider, DNS, or template changes
That is why teams often start with a lookup and then move into DMARC monitoring or broader DMARC, SPF, and DKIM monitoring.
When to run a DMARC checker
Run a DMARC check:
- before sending from a new domain or subdomain
- after DNS propagation for DMARC, SPF, or DKIM edits
- before Gmail or Yahoo bulk-sender compliance reviews
- after provider migrations or sender infrastructure changes
- before tightening policy from
nonetoquarantineorreject - when Google Postmaster Tools, inbox placement, or spam checks show sender-health drift
For the surrounding workflow, pair this page with Google Postmaster Tools guide and Inbox placement test.
Common DMARC issues and fixes
No DMARC record found
Publish a DMARC TXT record at _dmarc.yourdomain.com. Start with p=none if you are still discovering senders.
Invalid tag formatting
DMARC tags must be semicolon-separated. Avoid broken quoting, line breaks, or stray whitespace patterns introduced by DNS providers.
Policy is too strict too early
If you move to quarantine or reject before sender inventory is complete, legitimate mail can fail. Start with monitoring, then tighten policy in stages.
Reports do not arrive
Confirm the rua= destination accepts reports and that cross-domain authorization is correct when reports go to another domain.
SPF or DKIM passes, but DMARC still fails
That usually means alignment is broken. Compare the visible From domain with the DKIM signing domain and return-path domain in the live message headers.
For the failure-analysis path, continue with DMARC fail. If the problem appears only after enforcement, use DMARC reject.
A forgotten sender is still using your domain
Billing tools, CRMs, support systems, and legacy apps commonly cause DMARC failures because they were never included in the rollout plan.
Related authentication tools
- SPF checker
- DKIM checker
- SPF record generator
- DKIM record generator
- Email header analyzer
- DNS lookup
- DMARC fail
- DMARC reject
- Google Workspace DMARC
Use MailSlurp for DMARC checks and rollout monitoring
MailSlurp helps teams move from one-off DMARC lookups to repeatable sender-auth controls.
Use it to:
- validate live-message headers with Email header analyzer
- watch authentication posture over time with DMARC, SPF, and DKIM monitoring
- run an Email deliverability test before major DNS or sender changes
- check SPF, DKIM, MX, DNS propagation, and blacklist exposure from the same sender-health workflow
- connect sender-auth checks to warmup, Postmaster, spam testing, and inbox placement workflows
That is the difference between "the record exists" and "the sender is ready for enforcement."
FAQ
What does a DMARC lookup check?
A DMARC lookup queries the DMARC TXT record in DNS and validates whether the policy, tags, and reporting fields are present and well formed.
Does a valid DMARC record mean email is fully protected?
No. It only proves the record exists and parses correctly. You still need real SPF or DKIM alignment and report review.
Should every domain start with p=reject?
Usually no. Most domains should start with p=none, review reports, fix alignment gaps, and then tighten enforcement in stages.
Why do I still need header analysis after a DMARC checker passes?
Because a checker validates DNS. Header analysis validates what your real messages are doing in production.
What is the best DMARC policy to start with?
For most teams, start with p=none, collect reports, fix legitimate sender alignment, then tighten policy in stages.
How is DMARC related to SPF and DKIM?
DMARC depends on SPF or DKIM passing and aligning with the visible From domain. Use all three checks together.
Can DMARC improve deliverability?
DMARC helps mailbox providers trust the sender identity when alignment is correct. It works best alongside clean sender behavior, inbox placement testing, and ongoing monitoring.
Final take
A DMARC lookup is useful only if it leads to the next operational step. Validate the record, inspect live headers, review reports, and tighten policy only when legitimate senders are aligned.