DMARC Record Analyser
This DMARC record analyser fetches, parses and explains every tag in your record: policy strength, reporting, alignment, and external destination authorisation.
Validation results
How this DMARC checker works
DMARC (RFC 9989, which replaced RFC 7489 in May 2026) is the policy layer that sits on top of SPF and DKIM. It tells receivers what to do with mail that claims to be from you and fails both checks, and where to send the daily reports. Type a domain above and the tool pulls the TXT record at _dmarc.<yourdomain>, parses every tag, and flags the configuration mistakes that quietly stop enforcement from working.
A typical record looks like this:
_dmarc.example.com TXT "v=DMARC1; p=reject; rua=mailto:[email protected]; sp=reject; adkim=r; aspf=r"What does p= actually do?
Three rungs. p=none is monitoring only: failing mail still gets delivered, but you collect the reports. It's where you start when you don't yet know who all your legitimate senders are. p=quarantine drops failures into the spam folder. A misconfigured legitimate sender lands in junk rather than bounces, which is forgiving. p=reject tells the receiver to refuse the message at the gateway. That's the goal once the reports look clean.
Only quarantine and reject count as enforcement. p=none hands every spoofer a free pass.
Why rua= is the tag that pays off
The rua= address receives daily aggregate XML from every major receiver. Volumes, pass/fail rates, source IPs claiming to be you. Without it you're flying blind. You won't spot a legitimate sender failing alignment, and you won't notice when a spoofing campaign starts.
Raw XML is brutal to read. Most domains pipe it into a reporting service (Dmarcian, Valimail, Postmark, URIports). When the reporting address sits on someone else's domain, RFC 9091 requires an authorisation record at yourdomain.com._report._dmarc.reportingservice.com. No record, and many receivers drop your reports without saying anything. The checker verifies that authorisation on every run.
Do I really need ruf=?
Probably not. ruf= is per-message forensic reporting, defined in RFC 6591 with the wire format in RFC 5965. It includes headers and sometimes body content for each failure. Google and Microsoft stopped sending it years ago over privacy concerns, so coverage from the providers that actually matter is close to zero.
Our take: aggregate reports via rua= are enough for almost every domain. Skip ruf= unless you have a specific forensic workflow that consumes it.
Why this matters now
Google and Yahoo have required a published DMARC record (alongside SPF and DKIM) for any sender pushing more than 5,000 messages a day since February 2024. Microsoft turned the same rule on for Outlook.com, Hotmail and Live in May 2025. Failures bounce with 550 5.7.515.
p=none is the floor, not the goal. Google explicitly recommends moving to quarantine or reject for inbox placement and domain reputation.
The two tags that catch domains off guard
First, sp=. It sets the policy for subdomains. Leave it out and DMARCbis (RFC 9989, May 2026) inherits the parent policy correctly. The older RFC 7489 behaviour, which plenty of receivers still apply, does not. Subdomains that should be locked down quietly default to none. Set sp= explicitly and stop guessing which version the other end is running.
Second, pct=. A value below 100 only enforces against a slice of failing mail. A domain stuck on p=reject; pct=10 is closer to monitoring than enforcement. RFC 9989 dropped pct= entirely in favour of t=y testing mode, but receivers running the old spec still honour it. The checker grades on what's actually enforced today, not what the policy claims.
Non-sending domains need DMARC too
Parked domain, admin-only domain, anything that doesn't legitimately send mail: publish the M3AAWG lockdown posture.
_dmarc.example.com TXT "v=DMARC1; p=reject; rua=mailto:[email protected]"
example.com TXT "v=spf1 -all"
*._domainkey.example.com TXT "v=DKIM1; p="Skip that and a spammer will spoof the parked domain and burn its reputation before you notice.
Where to go next
For a tag-by-tag deep dive with valid values, defaults, and RFC citations, see the DMARC tags reference. For what changed in the May 2026 revision, see DMARCbis (DMARC 2.0). To build a new record from scratch, the DMARC builder generates the syntax interactively. DMARC only enforces when SPF or DKIM passes and aligns with the From: domain, so if either is shaky, the SPF builder and DKIM checker are the next stops.
Frequently Asked Questions
Common questions about DMARC records and email policy enforcement.
What is an external destination authorisation record?
If your rua= or ruf= address sits on a different domain than the one you're checking, the receiving server looks for a permission slip before it sends anything. The permission slip is a TXT record at yourdomain.com._report._dmarc.reportingservice.com with the value v=DMARC1. No record, no reports. Most receivers drop them silently.
Your reporting provider should publish this for you. Worth verifying anyway. The checker does it on every run.
RUA vs RUF — which one do I actually need?
RUA. Aggregate reports are daily XML summaries from receivers showing volumes, pass/fail rates, and the source IPs claiming to be you. That's what you use to monitor DMARC and decide when it's safe to tighten the policy.
RUF is per-message forensic reporting (RFC 5965). Google and Microsoft stopped sending it years ago over privacy concerns, so the coverage from the providers you care about is close to zero. Leave ruf= off unless you have a specific reason for it.
Strict alignment or relaxed?
Relaxed. It's the default for a reason. Alignment means the domain in the From: header has to match the domain that passed SPF or DKIM. Relaxed lets subdomains count, so mail.example.com passes for example.com. Strict requires an exact match.
Strict alignment breaks things the moment you bring in a subdomain sender or a marketing tool that signs from its own host. The upside is small unless you have a specific spoofing threat that relies on subdomain look-alikes. Stay on adkim=r and aspf=r unless you have a reason not to.