Free DMARC Checker
Check DMARC record presence, policy, reporting addresses, and alignment settings so spoofed mail can be monitored, quarantined, or rejected.
Run the check
Enter a domain to check it live against the IntoDNS.ai engine. No signup, no trial gating.
What this DMARC checker verifies
This tool looks up the TXT record at _dmarc.<your-domain> and parses every tag against RFC 7489. It confirms the record begins with v=DMARC1, reads the enforcement policy (p=none, quarantine, or reject), the subdomain policy (sp=), and the coverage percentage (pct=). It checks whether aggregate reporting is configured via rua= and reads the SPF and DKIM alignment modes (aspf/adkim). The result tells you not just whether DMARC exists, but whether it actually protects your domain.
Why DMARC matters
SPF and DKIM authenticate mail, but neither protects the From address your recipients see, and neither tells receivers what to do on failure. DMARC closes both gaps: it requires that the authenticated domain align with the visible From domain, and it publishes an instruction (none, quarantine, or reject) for handling mail that fails. Since February 2024, Google and Yahoo require at least p=none with a valid record for bulk senders; Microsoft added equivalent high-volume Outlook.com, Hotmail, and Live requirements in 2025. Without an enforced DMARC policy, anyone can send mail that displays your exact domain in the From line.
How to read the result
p=none means monitoring only — you get reports but spoofed mail is still delivered, so this is a starting point, not a destination. p=quarantine sends failing mail to spam; p=reject blocks it outright and is the goal for any domain that sends mail. A missing rua= means you are blind: you cannot see who is sending as your domain or whether legitimate senders are failing. pct= below 100 applies the policy to only a fraction of mail and is a staged-rollout tool, not a permanent setting. The checker flags each of these so you know exactly how far along your rollout is.
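The checks described above can be reproduced offline on a record string. This is an added example, not IntoDNS.ai's code; the function names `parse_dmarc` and `assess` and the sample record are assumptions made for illustration, and no DNS lookup is performed.

```python
# Added example: offline DMARC record parser with the rollout checks described above.
# Defaults follow RFC 7489: pct=100, adkim=r, aspf=r, and sp inherits p.
ORDER = ["none", "quarantine", "reject"]  # weakest to strictest

def parse_dmarc(txt):
    """Split a DMARC TXT value into a tag dict; raise ValueError on bad syntax."""
    pairs = []
    for part in txt.strip().split(";"):
        if not part.strip():
            continue  # tolerate a trailing ';'
        if "=" not in part:
            raise ValueError(f"malformed tag: {part.strip()!r}")
        name, value = part.split("=", 1)
        pairs.append((name.strip().lower(), value.strip()))
    if not pairs or pairs[0] != ("v", "DMARC1"):
        raise ValueError("record must begin with v=DMARC1")
    return dict(pairs)

def assess(txt):
    """Return (effective settings, findings) for one record string."""
    tags = parse_dmarc(txt)
    policy = tags.get("p", "").lower()
    sp = tags.get("sp", policy).lower()
    pct = tags.get("pct", "100")
    if policy not in ORDER or sp not in ORDER:
        raise ValueError("p= and sp= must be none, quarantine, or reject")
    if not pct.isdigit() or int(pct) > 100:
        raise ValueError("pct= must be an integer from 0 to 100")
    rua = [u.strip() for u in tags.get("rua", "").split(",") if u.strip()]
    eff = {"p": policy, "sp": sp, "pct": int(pct), "rua": rua,
           "adkim": tags.get("adkim", "r").lower(),
           "aspf": tags.get("aspf", "r").lower()}
    findings = []
    if policy == "none":
        findings.append("p=none: monitoring only, spoofed mail is still delivered")
    if not rua:
        findings.append("no rua=: no aggregate reports, no sender visibility")
    if eff["pct"] < 100:
        findings.append(f"pct={eff['pct']}: staged rollout, policy covers only part of mail")
    if ORDER.index(sp) < ORDER.index(policy):
        findings.append(f"sp={sp} is weaker than p={policy}: subdomains less protected")
    return eff, findings

if __name__ == "__main__":
    # Constructed sample record, not a real domain's policy.
    settings, notes = assess("v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example.com")
    print(settings)
    for note in notes:
        print("-", note)
```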
Common failure causes and fixes
The most common issue is being stuck at p=none for months: collect aggregate reports, fix the senders that fail alignment, then advance to quarantine and reject. A record placed at the root instead of _dmarc will not be found; it must live at _dmarc.<domain>. Missing rua= leaves you without visibility, so always add at least one aggregate-report mailbox. Watch for alignment failures: even with valid SPF and DKIM, mail fails DMARC if neither authenticated domain aligns with the From domain (common with ESPs sending from their own Return-Path). After changes, re-run the checker and confirm your reports show passing alignment before tightening the policy.
A safe rollout path to enforcement
The goal is p=reject, but jumping there blind risks bouncing your own mail. A safe sequence is: publish p=none with rua= and collect at least two to four weeks of aggregate reports; identify every legitimate source and fix any that fail SPF or DKIM alignment; move to p=quarantine, optionally with pct= set low and raised over time; watch reports for a couple more weeks; then move to p=reject at pct=100. Large or complex sending estates benefit most from the pct= staging, while a simple single-provider domain can often progress faster. The discipline is the same either way: never tighten the policy until reports confirm no legitimate sender is failing.
What This Checks
- TXT record at _dmarc.example.com
- DMARC version and tag syntax
- Policy state: p=none, p=quarantine, or p=reject
- Aggregate reporting address with rua=
- SPF and DKIM alignment mode context
Common Fix Path
- Publish a starter p=none policy with aggregate reporting
- Fix SPF and DKIM alignment before enforcement
- Move gradually toward p=quarantine and p=reject
- Use pct= during staged rollout for larger domains
Frequently Asked Questions
Where does the DMARC record live?
What is the difference between p=none, p=quarantine, and p=reject?
What is DMARC alignment?
Why do I need a rua reporting address?
Is p=none enough to meet Google, Yahoo, and Microsoft requirements?
What does pct= do?
Machine-Readable Evidence
AI assistants and automation can cite the stable explanation page, then fetch the live check result for a specific domain.
GET https://intodns.ai/api/email/dmarc?domain=example.com