Free DMARC Record Checker

Look up and validate the DMARC TXT record published at _dmarc.<domain>, then read your policy, alignment, and reporting tags in plain terms. It is free, instant, and runs entirely in your browser with no signup and no data stored.


What is a DMARC record?

DMARC (Domain-based Message Authentication, Reporting and Conformance) is a TXT record published in DNS at _dmarc.yourdomain.com. It tells receiving mail servers what to do when a message that claims to be from your domain fails SPF and DKIM alignment, and where to send reports about those checks. DMARC builds on SPF and DKIM: a message passes DMARC when at least one of them passes and the authenticated domain aligns with the domain in the visible From header. Without DMARC, attackers can spoof your exact domain in the From address, and you have no visibility into who is sending mail in your name. Since February 2024, Google and Yahoo require bulk senders to publish a DMARC record, so a valid record is now part of basic deliverability, not just security.

How to read your result

  • v=DMARC1

    The version tag. It must be exactly v=DMARC1 and must come first, or receivers ignore the record entirely. This is what marks the TXT record as a DMARC policy rather than an unrelated string.

  • p= (policy)

    The enforcement policy for your main domain. p=none only monitors and collects reports, p=quarantine sends failing mail to spam, and p=reject blocks it outright. Google and Yahoo require at least p=none for bulk senders, but reject gives the strongest spoofing protection.

  • sp= and pct=

    sp= sets a separate policy for subdomains (it inherits p= if absent), and pct= applies the policy to only a percentage of mail for a staged rollout. Note that pct was removed in the latest DMARC specification (RFC 9989, published 2026), which replaces it with a simpler t flag for test mode, so newer guidance favors moving straight to full enforcement.

  • rua= and ruf=

    rua= is the mailbox (for example mailto:dmarc@yourdomain.com) that receives daily aggregate reports showing every source sending as your domain. ruf= receives per-message failure reports. Aggregate reports are how you safely move from p=none toward enforcement.

  • aspf= and adkim=

    These set alignment strictness for SPF and DKIM. The default value r (relaxed) allows subdomains of your organizational domain to align, while s (strict) requires an exact match. Relaxed is the right default for most senders that use subdomains or third-party services.

Common problems and fixes

No DMARC record found

The lookup returns nothing at _dmarc.yourdomain.com, so receivers apply no policy and your domain can be freely spoofed. Publish a TXT record at that host starting with v=DMARC1; p=none; rua=mailto:you@yourdomain.com to begin monitoring without risk to delivery.

Stuck on p=none forever

p=none only monitors and never blocks spoofed mail, yet many domains leave it there for years. Use the aggregate reports from your rua= address to confirm your legitimate senders pass, then move to p=quarantine and eventually p=reject for real protection.

Missing or unmonitored rua= address

Without a rua= reporting mailbox you are blind to who is sending as your domain, which makes enforcement unsafe. Add rua=mailto: pointing to an inbox or DMARC report processor you actually read before tightening the policy.

Multiple or malformed DMARC records

Publishing two TXT records at _dmarc, or putting v= anywhere but first, makes the record invalid and receivers ignore it. Keep exactly one record, start it with v=DMARC1, and separate every tag with a semicolon.
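The tag rules under "How to read your result" and the record problems listed above can be checked mechanically. The following is an added example, not code from the checker itself; the function names and problem codes are made up for illustration, and the sample records are constructed.

```python
# Added example: lint the TXT strings returned for _dmarc.<domain>.
# Problem codes (e.g. "no-rua") are names made up for this sketch.
VALID_POLICIES = {"none", "quarantine", "reject"}

def parse_tags(record):
    """Split 'tag=value; tag=value' into an ordered list of pairs."""
    pairs = []
    for part in record.split(";"):
        tag, sep, value = part.partition("=")
        if sep:
            pairs.append((tag.strip().lower(), value.strip()))
    return pairs

def lint_dmarc(txt_records):
    """Return (effective_settings or None, list of problem codes)."""
    problems, valid = [], []
    for txt in txt_records:
        pairs = parse_tags(txt)
        if pairs and pairs[0] == ("v", "DMARC1"):
            valid.append(dict(pairs[1:]))
        elif ("v", "DMARC1") in pairs:
            problems.append("v-not-first")      # receivers ignore this record
    if not valid:
        return None, problems + ["no-record"]
    if len(valid) > 1:
        return None, problems + ["multiple-records"]
    tags = valid[0]
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        problems.append("bad-policy")
    elif policy == "none":
        problems.append("monitor-only")         # reports only, nothing blocked
    if not tags.get("rua", "").lower().startswith("mailto:"):
        problems.append("no-rua")               # no aggregate-report mailbox
    effective = {
        "p": policy,
        "sp": tags.get("sp", policy).lower(),   # sp= inherits p= if absent
        "aspf": tags.get("aspf", "r").lower(),  # relaxed is the default
        "adkim": tags.get("adkim", "r").lower(),
    }
    return effective, problems

if __name__ == "__main__":
    # Constructed sample records, not real lookups.
    print(lint_dmarc(["v=DMARC1; p=none; rua=mailto:dmarc@example.com"]))
    print(lint_dmarc(["p=reject; v=DMARC1"]))
```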

DMARC fails even though SPF or DKIM passes: alignment

SPF or DKIM can pass while the authenticated domain does not match your From domain, so DMARC still fails. Confirm SPF uses your own Return-Path domain or that DKIM signs with a d= that matches your From domain, and check aspf/adkim if you rely on subdomains.
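The alignment decision described above, as an added example that is not the checker's own code. It assumes the organizational domain is the last two labels of a name, which real evaluators replace with a Public Suffix List lookup; the domains and authentication results are constructed.

```python
# Added example: DMARC pass/fail from SPF and DKIM results plus alignment.

def org_domain(domain):
    """ASSUMPTION: organizational domain = last two labels.
    Real evaluators use the Public Suffix List instead."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def aligned(auth_domain, from_domain, mode):
    """mode 's' (strict) needs an exact match; 'r' (relaxed) compares
    organizational domains, so subdomains align."""
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    if mode == "s":
        return a == f
    return org_domain(a) == org_domain(f)

def dmarc_result(from_domain, spf, dkim, aspf="r", adkim="r"):
    """spf is (result, return_path_domain); dkim is a list of
    (result, d_domain), one entry per signature on the message."""
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain, aspf)
    dkim_ok = any(res == "pass" and aligned(d, from_domain, adkim)
                  for res, d in dkim)
    return {
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        "dmarc": "pass" if spf_ok or dkim_ok else "fail",
    }

if __name__ == "__main__":
    # Constructed case: a third-party sender authenticates only as itself,
    # so SPF and DKIM both pass yet neither aligns with the From domain.
    spf = ("pass", "bounces.esp.example.net")
    print(dmarc_result("example.com", spf, [("pass", "esp.example.net")]))
    # Same message signed with d=mail.example.com aligns under relaxed DKIM.
    print(dmarc_result("example.com", spf, [("pass", "mail.example.com")]))
    # With adkim=s the subdomain signature no longer aligns.
    print(dmarc_result("example.com", spf, [("pass", "mail.example.com")],
                       adkim="s"))
```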

Questions, answered.

What domain do I enter, and where does DMARC live?

Enter your root domain, such as yourdomain.com, exactly as it appears in the From address of your email. The checker queries the TXT record at _dmarc.yourdomain.com, which is the fixed location the DMARC standard requires. You do not type the _dmarc prefix yourself.

Is p=none enough for Google and Yahoo?

Yes, for the February 2024 bulk sender rules a valid record with at least p=none satisfies the DMARC requirement, alongside aligned SPF or DKIM. However, p=none does not stop spoofing, so it is a starting point rather than a finish line. Most senders should work toward p=quarantine or p=reject over time.

Does this DMARC checker change anything or store my data?

No. It is a read-only lookup that runs entirely in your browser using DNS-over-HTTPS, so it only reads your public DNS record and never writes to it. There is no signup, nothing is saved, and the same applies to our other free tools on the Unspam homepage.

Do I still need SPF and DKIM if I have DMARC?

Yes. DMARC does not replace SPF and DKIM; it relies on them. A message passes DMARC only when SPF or DKIM passes and the authenticated domain aligns with your From domain. Use our deliverability resources to set up all three together, since they work as one system.

Why does my mail still land in spam if DMARC passes?

DMARC authentication is necessary but not sufficient for inbox placement. Reputation, content, list hygiene, and engagement all still matter. To see how a real message scores beyond authentication, run it through our inbox placement test.
