SysAdmin Tools

A DMARC lookup retrieves and analyses the Domain-based Message Authentication, Reporting and Conformance (DMARC) policy record for a domain. DMARC is the final layer of the email authentication stack — it uses the results of SPF and DKIM checks and applies a domain-owner-defined policy to tell receiving mail servers what to do with messages that fail authentication. Without DMARC, spoofed email can reach inboxes even if SPF and DKIM are configured.

DMARC works by checking that the domain in the email's visible From: header aligns with either the SPF-authenticated domain or the DKIM-signing domain. This alignment requirement closes the gap that SPF and DKIM alone cannot address. A domain's DMARC policy specifies one of three actions for failing messages: p=none (monitor only — deliver but send reports), p=quarantine (move to spam), or p=reject (block completely).
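The alignment check described above, including the relaxed and strict modes this page covers, as an added example (not the lookup tool's own code). `PUBLIC_SUFFIXES` is a small constructed stand-in for the Public Suffix List that receivers consult to find the organizational domain, and all domains and function names are illustrative.

```python
# Added example: DMARC identifier alignment and the resulting disposition.
# PUBLIC_SUFFIXES is a tiny constructed stand-in for the Public Suffix List.
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk"}

def org_domain(domain):
    """Organizational domain: the public suffix plus one label to its left."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):              # longest suffix is tried first
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])              # assumption: single-label suffix

def aligned(from_domain, auth_domain, mode):
    """mode 's' requires an exact match; 'r' accepts the same organizational domain."""
    a, b = from_domain.lower(), auth_domain.lower()
    return a == b if mode == "s" else org_domain(a) == org_domain(b)

def dmarc_result(from_domain, spf, dkim, adkim="r", aspf="r"):
    """spf and dkim are (authenticated_domain, passed) pairs.
    DMARC passes when at least one mechanism both passed and aligns with From:."""
    spf_ok = spf[1] and aligned(from_domain, spf[0], aspf)
    dkim_ok = dkim[1] and aligned(from_domain, dkim[0], adkim)
    return "pass" if (spf_ok or dkim_ok) else "fail"

def disposition(result, policy):
    """Map a DMARC result and the domain's p= value to the receiver's action."""
    if result == "pass":
        return "deliver"
    return {"none": "deliver (report only)",
            "quarantine": "spam folder",
            "reject": "block"}[policy]

if __name__ == "__main__":
    # Constructed cases: (From: domain, SPF result, DKIM result)
    cases = [
        ("example.com", ("example.net", True), ("example.net", True)),         # spoofed From:
        ("example.com", ("bounce.example.com", True), ("example.com", False)), # relaxed SPF
        ("example.com", ("example.org", True), ("example.com", True)),         # DKIM aligned
    ]
    for from_domain, spf, dkim in cases:
        result = dmarc_result(from_domain, spf, dkim)
        print(from_domain, spf, dkim, result, disposition(result, "reject"))
```

The first case passes both SPF and DKIM for its own domain and still fails DMARC, because neither authenticated domain aligns with the From: header.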

Our DMARC lookup tool fetches the live _dmarc TXT record for any domain and breaks down every tag: the policy, the subdomain policy, the percentage of messages to apply the policy to, and the reporting email addresses. This is essential when auditing a domain's email security posture, setting up DMARC for the first time, or investigating why email from a domain is being rejected by major providers.

Google and Yahoo now require a DMARC record for bulk email senders. Domains without DMARC are at significantly higher risk of being spoofed in phishing attacks targeting their customers and employees.

How to Use the DMARC Lookup Tool

  1. Enter the domain name

    Type the domain you want to check — for example, example.com. The tool automatically queries _dmarc.example.com, which is where DMARC records are always published.

  2. Click Lookup

    The tool fetches TXT records at the _dmarc subdomain and displays the raw DMARC policy string along with a parsed breakdown of each tag.

  3. Review the policy

    Check the p= tag: none means monitoring mode with no enforcement, quarantine sends failing messages to spam, reject blocks them entirely. For full protection, aim for p=reject.

  4. Check reporting addresses

    The rua= tag specifies where aggregate reports are sent (daily summaries of authentication results). The ruf= tag specifies forensic report addresses. Use these to monitor your email authentication at scale.

Understanding DMARC Record Results

A DMARC record is a TXT record published at _dmarc.yourdomain.com. It starts with v=DMARC1 followed by semicolon-separated tags. The most important tag is p= — the policy. none means the receiving server should take no action on failing mail but send reports. quarantine means send failing mail to the spam folder. reject means discard failing mail. The rua= tag specifies one or more email addresses (in mailto: format) where aggregate DMARC reports are sent. These daily XML reports show authentication results broken down by sending IP and are invaluable for understanding who is sending email on your behalf. The pct= tag (default 100) sets what percentage of messages the policy applies to — useful for gradually rolling out an enforcement policy. The sp= tag sets a separate policy for subdomains; if absent, subdomains inherit the main p= policy.

| Field | Description |
| --- | --- |
| v=DMARC1 | Version tag — must be the first element. Identifies this as a DMARC record. |
| p= | Policy for the domain: none (monitor), quarantine (spam folder), or reject (block). This is the core enforcement level. |
| sp= | Subdomain policy. If omitted, subdomains inherit the main p= policy. Set to none, quarantine, or reject independently. |
| pct= | Percentage of failing messages to apply the policy to (1–100). Default is 100. Used to gradually roll out enforcement. |
| rua= | Aggregate report URI — email address(es) to receive daily XML reports summarising authentication results. |
| ruf= | Forensic report URI — email address(es) to receive individual failure reports with details of failing messages. |
| adkim= | DKIM alignment mode: r (relaxed — subdomains allowed) or s (strict — exact domain match required). Default is relaxed. |
| aspf= | SPF alignment mode: r (relaxed) or s (strict). Default is relaxed. |
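
The tag rules above, as an added example that is not the lookup tool's own code: a parser that applies the stated defaults (pct=100, relaxed alignment, sp= inheriting p=) and flags settings that weaken enforcement. The sample records and the `parse_dmarc` and `audit` names are constructed for illustration.

```python
# Added example (not the lookup tool's code): parse a DMARC TXT record and audit it.
STRENGTH = {"none": 0, "quarantine": 1, "reject": 2}

def parse_dmarc(txt):
    """Return the record's tags as a dict with defaults applied."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        raise ValueError("v=DMARC1 must be the first tag")
    tags = {}
    for part in parts:
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        tags.setdefault(name.strip().lower(), value.strip())
    tags["p"] = tags.get("p", "").lower()
    if tags["p"] not in STRENGTH:
        raise ValueError("missing or invalid p= tag")
    tags["sp"] = tags.get("sp", tags["p"]).lower()   # subdomains inherit p=
    if tags["sp"] not in STRENGTH:
        raise ValueError("invalid sp= tag")
    tags["pct"] = int(tags.get("pct", 100))          # default is 100
    tags.setdefault("adkim", "r")                    # relaxed by default
    tags.setdefault("aspf", "r")
    for key in ("rua", "ruf"):                       # comma-separated mailto: URIs
        tags[key] = [u.strip() for u in tags.get(key, "").split(",") if u.strip()]
    return tags

def audit(tags):
    """Return findings for settings that leave the domain less protected."""
    findings = []
    if tags["p"] == "none":
        findings.append("p=none: failing mail is delivered, no enforcement")
    elif tags["pct"] < 100:
        findings.append(f"pct={tags['pct']}: policy applied to only part of failing mail")
    if STRENGTH[tags["sp"]] < STRENGTH[tags["p"]]:
        findings.append(f"sp={tags['sp']} is weaker than p={tags['p']}")
    if not tags["rua"]:
        findings.append("no rua=: no aggregate reports will be received")
    return findings

# Constructed sample records (not taken from any real domain)
SAMPLES = {
    "monitor-only": "v=DMARC1; p=none",
    "partial": "v=DMARC1; p=quarantine; pct=10; sp=none; rua=mailto:dmarc@example.com",
    "enforced": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s",
}
if __name__ == "__main__":
    for name, record in SAMPLES.items():
        print(name, audit(parse_dmarc(record)))
```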

Common DMARC Lookup Use Cases

Check a domain's email security posture

Run a DMARC lookup on any domain to see whether it has email authentication protection. A missing DMARC record, or p=none, means the domain can be spoofed in phishing attacks without any enforcement. This is the first check in any email security audit.

Progress from none to reject safely

The recommended path is to start with p=none to collect reports, analyse who is sending email from your domain, then move to p=quarantine with pct=10 (10% enforcement), gradually increase to 100%, and finally move to p=reject. DMARC lookup lets you verify your policy at each step.

Verify reporting addresses are configured

DMARC aggregate reports (rua=) are essential for monitoring your email authentication. Many domains set a policy but forget to configure reporting. Use DMARC lookup to confirm both rua= and ruf= are present and pointing to valid addresses.

Investigate rejected email from a domain

When your server rejects email from another domain with a DMARC failure, look up that domain's DMARC record to understand their policy. This helps you determine whether the rejection is expected or whether there is a misconfiguration on the sending side.

DMARC Lookup — Frequently Asked Questions

What is DMARC?
DMARC (Domain-based Message Authentication, Reporting and Conformance) is an email authentication protocol that uses SPF and DKIM results plus an alignment check to enforce a domain owner's policy on unauthenticated email. It tells receiving mail servers what to do with messages that fail authentication: monitor (none), move to spam (quarantine), or reject completely (reject). It also provides reporting so domain owners can see who is sending email on their behalf.
How do I check the DMARC record for a domain?
Enter the domain in the DMARC lookup tool above and click Lookup. The tool queries _dmarc.yourdomain.com for a TXT record and displays the policy. Alternatively, use the terminal command: dig _dmarc.example.com TXT. The result is the raw DMARC policy string which you can then parse manually.
What is DMARC alignment?
DMARC alignment means the domain in the visible From: header must match the domain authenticated by SPF (the envelope sender) or the domain that signed the DKIM signature. In relaxed mode (the default), subdomains count as aligned. In strict mode, the domains must match exactly. Alignment is what closes the spoofing gap — without it, a sender could pass SPF and DKIM using their own domain while showing a victim's domain in the From: header.
What is the difference between p=none, p=quarantine, and p=reject?
p=none means no enforcement — failing messages are delivered normally, but DMARC reports are still sent. p=quarantine means failing messages are moved to the spam or junk folder. p=reject means failing messages are blocked entirely and not delivered. Most security experts recommend starting at p=none to collect data, then moving to quarantine and finally reject as you confirm all legitimate mail streams are passing authentication.
Do I need DMARC if I already have SPF and DKIM?
Yes. SPF and DKIM alone do not protect the visible From: header. An attacker can pass SPF using their own domain while spoofing your domain in the From: header that users see. DMARC adds the alignment requirement that ties authentication results to the From: header. Without DMARC, spoofed email using your domain can reach inboxes undetected. Google and Yahoo now require DMARC for bulk senders.
What are DMARC aggregate reports?
DMARC aggregate reports (rua=) are daily XML emails sent by receiving mail servers to the address(es) you specify. Each report summarises all email claiming to be from your domain that was received by that server over the past 24 hours, broken down by sending IP address, authentication result (SPF pass/fail, DKIM pass/fail), and DMARC disposition. These reports are essential for understanding your email flow before enforcing a strict policy.
Why does my domain not have a DMARC record?
DMARC records are not created automatically — they must be added manually as a TXT record at _dmarc.yourdomain.com in your DNS provider. Many domains skip DMARC because it is the last step of a three-part setup (SPF → DKIM → DMARC). If no DMARC record is found, any email claiming to be from your domain has no enforcement policy — it can be spoofed freely.
What is the pct= tag in DMARC?
The pct= tag (default 100) controls what percentage of messages that fail DMARC should have the p= policy applied. Setting pct=10 with p=quarantine means only 10% of failing messages go to spam; the other 90% are delivered normally. This allows a gradual rollout of an enforcement policy while you monitor DMARC reports to ensure no legitimate mail is failing authentication.
What is the sp= tag in DMARC?
The sp= (subdomain policy) tag sets a separate DMARC policy for all subdomains of the domain. For example, if your main policy is p=reject but you want subdomains to have sp=quarantine while you verify their email streams, you can set both independently. If sp= is absent, subdomains inherit the main p= policy. This is useful for organisations with many subdomains that send email.
How long does it take for a DMARC record to take effect?
A new DMARC record propagates like any other DNS change — within the TTL of the record, typically a few minutes to a few hours. However, DMARC policy changes (like moving from p=none to p=quarantine) affect ongoing mail delivery immediately once propagated. DMARC aggregate reports reflect the new policy from the first day they are generated after the change.
