BETA

DMARC Record Analyser

Parse every tag, validate policy strength, and check external report destinations

🔧 Related Tools

ANALYSIS TOOLS
🔒 Full Checker Complete email deliverability scan: SPF, DKIM, DMARC, MX, blacklists & more. 📨 SPF Check and visualise your SPF record including the full DNS lookup tree. 🔑 DKIM Scan all known DKIM selectors and validate key strength for your domain. 🛡️ DMARC 📧 Email Headers Analyse raw email headers to trace delivery path and authentication results. 📬 Bounce Decoder Decode NDR bounce messages and SMTP error codes to diagnose delivery failures. 🦁 BIMI Verify your BIMI logo record and VMC certificate status. 🔐 DNSSEC Validate the DNSSEC chain of trust: DS, DNSKEY, and RRSIG records. 🔒 MTA-STS Check your MTA-STS DNS record and TLS policy file for enforced encryption. 📋 TLS-RPT Validate your TLS-RPT reporting address for email transport encryption reports. 🌍 WHOIS Look up domain registration details via RDAP.
DIAGNOSTIC TOOLS
🚫 Blacklist / RBL Check IPs and domains against major email blacklists and RBLs. 📬 MX Inspector Resolve MX hosts, check A/AAAA records, validate PTR and FCrDNS for each mail server. 🌐 DNS Propagation Check DNS record propagation across multiple global resolvers simultaneously.
BUILDER TOOLS
🛡️ DMARC Builder Build a DMARC TXT record with the right policy, RUA/RUF and subdomain options. 🛠 SPF Builder Generate a validated SPF record by selecting your email senders. ✂️ Route 53 Splitter Split long DKIM or SPF TXT records for AWS Route 53's 255-character limit.

🛡️ DMARC Record Analyser

Fetch, parse and explain every tag in your DMARC record — policy strength, reporting, alignment, and external destination authorisation.

Frequently Asked Questions

Common questions about DMARC records and email policy enforcement.

DMARC is a DNS policy that tells receiving servers what to do with emails that fail SPF or DKIM checks. It sits on top of those two standards as the enforcement layer, and it adds reporting so you can see who's sending mail as your domain and whether they're passing authentication.

p=none is monitoring only — failing emails still get delivered, but reports are generated. Useful when you're still figuring out who all your legitimate senders are. p=quarantine puts failing emails in spam. Real protection, and if a legitimate sender is misconfigured, they end up in junk rather than bounced. p=reject is the strictest option — receiving servers outright reject failing emails. Once you're confident all your legitimate senders pass authentication, that's where you want to be.

The rua tag is where receiving servers send your daily aggregate reports (XML). Without one, you're flying blind — you won't know if a legitimate sender is failing, and you won't see if someone is spoofing your domain. Those reports are also how you know when it's safe to tighten your policy. The raw XML is hard to work with; most people use a reporting service (Dmarcian, Valimail, Postmark) to make sense of it.

If your rua or ruf address is on a different domain than the one you're checking — which is true for most third-party DMARC reporting services — receiving servers first look for an authorisation record confirming that domain is happy to receive your reports. They do this by querying a TXT record at yourdomain.com._report._dmarc.reportingservice.com. No record, and many servers drop your reports without saying anything. Your reporting provider should publish this automatically, but it's worth verifying — this tool checks it for you.

RUA (aggregate reports) are daily XML summaries from receiving servers, showing volumes, pass/fail rates, and source IPs for all mail claiming to be from your domain. These are what you use to actually monitor DMARC. RUF (forensic reports) are per-message failure reports — headers and sometimes body content for each individual failure. More detail, but Google and Microsoft stopped sending them over privacy concerns, so you won't get much from the big providers. For most domains, rua is all you need.

Alignment means the domain in the From: header has to match the domain that passed SPF or DKIM. Relaxed alignment (the default) allows subdomains to count, so mail.example.com passes for example.com. Strict requires an exact match. Most setups should stick with relaxed — strict tends to break things when you have subdomain senders or email marketing tools in the mix.

Yes, since February 2024. Google and Yahoo require bulk senders (5,000+ messages per day) to have at least p=none. That's the floor, not the goal — Google recommends moving to p=quarantine or p=reject for better inbox placement and domain reputation. No DMARC record at all and your emails will get rejected or filtered by both providers.