Look up a domain's DMARC record and see what its policy actually asks receivers to do.

A DMARC record is easy to publish and easy to misread. This lookup fetches the record at `_dmarc` and decodes policy, percentage, alignment, and reporting so rollout stage is explicit.

How it works

  • The tool queries public DNS over DoH for the TXT record at `_dmarc.yourdomain.com`.
  • The record is parsed into policy (`p`), subdomain policy (`sp`), rollout percentage (`pct`), alignment modes (`adkim`/`aspf`), and report addresses (`rua`/`ruf`).
  • Missing or malformed records are flagged with what receivers do in that case: no policy is applied.

When to use it

  • Before provisioning inboxes on a domain you did not configure yourself.
  • When moving a domain from monitoring (`p=none`) toward enforcement.
  • When aggregate reports stop arriving and you need to confirm the `rua` address.

Common failure cases

  • Looking for DMARC at the root domain instead of the `_dmarc` subdomain.
  • Reading `p=quarantine; pct=5` as enforcement when 95% of failing mail still passes.
  • Publishing a `rua` address on a domain that cannot receive reports for it.

Examples

What good and bad signals look like

Monitoring stage

v=DMARC1; p=none; rua=mailto:dmarc@example.com

Reports are collected but receivers are not asked to quarantine or reject anything yet.

Partial enforcement

v=DMARC1; p=quarantine; pct=25

Only a quarter of failing mail is quarantined — a rollout stage, not full enforcement.

What to do next

  • Generate a corrected record with the DMARC generator if the policy is missing or malformed.
  • Check SPF and DKIM before tightening policy — enforcement without alignment blocks real mail.
  • Re-check after DNS propagation before treating the domain as launch-ready.
Put DMARC in a readiness workflow

Use readiness reports instead of treating a DNS policy as launch approval.

FAQ

What does it mean if a domain has no DMARC record?

Receivers apply no DMARC policy: mail that fails SPF and DKIM alignment is handled by each provider's own heuristics. For cold email domains, publishing at least a monitoring policy is a common baseline.

Is `p=reject` always the right end state?

Not automatically. Enforcement reduces spoofing risk but blocks legitimate mail from any sender that is not yet authenticated and aligned. Most teams tighten policy in stages while reviewing reports.