DMARC Record Checker
Pull any domain's DMARC record and read the policy, alignment and reporting back in plain terms, with a score that flags a spoofable setup.
This DMARC record checker pulls the policy a domain actually publishes and reads it back in plain terms: what p is set to, whether anyone is collecting the aggregate reports, and how strict the SPF and DKIM alignment runs. I open it most often when a phishing email turns up wearing a brand I look after, because nine times out of ten the answer is sitting right there in the record. It queries _dmarc.yourdomain.com, not the bare domain, since that is where DMARC lives and the thing people miss constantly. Then it parses every tag, scores how close you are to real enforcement, and calls out the weak spots: p=none that only monitors, a missing rua address, or alignment loose enough to let a spoof through.
Queries run through the PeopleAreGeek lookup service. We log nothing.
Live email DNS utility
Type a domain. I'll pull its DMARC record and read it back to you in plain terms: what the policy is set to, whether anyone's actually collecting the reports, how picky the alignment gets. I open this thing mostly when someone forwards me a phishing email dressed up as a brand I look after. And nine times out of ten the answer's right there in the record, no detective work needed. DMARC is the line that tells a receiving server what to do when SPF or DKIM fail. Set it badly and the spoof lands in the inbox anyway.
What is DMARC?
It's a note you leave in DNS for every mail server out there. The note says: "If a message claims to come from me but the SPF or DKIM checks don't add up, here's what I'd like you to do with it." There's a second job too, and honestly I think it's the better reason to set the thing up at all. DMARC can mail you back daily reports listing everyone sending as your domain. Which is usually how you stumble onto the rogue marketing tool nobody mentioned. Better to find that now, while you're still on p=none, than after you've told the world to reject.
DMARC policy levels
- p=none blocks nothing. It just turns the reports on so you can watch. Start here, always.
- p=quarantine says: failing mail goes to spam, not the inbox. I tend to sit on this one for a while, until the reports stop surprising me.
- p=reject is the setting that genuinely shuts spoofing down, because failing mail gets refused at the door and never arrives.
Sources and further reading
Frequently asked questions
Should every domain have DMARC?
Yes. Even the ones you never send a single email from. Parked domains, dead brands, that side project you forgot you owned: those are the ones attackers reach for first, exactly because nobody's keeping an eye on them. If a domain has anything to do with email, or with money landing in someone's inbox, then skipping the record feels reckless to me.
Is p=none enough?
For the first few weeks, sure. p=none buys you time to read the reports and catch every legit sender before you start blocking anything. On its own, though, it protects nobody. A spoofer could not care less that you are monitoring them. So once SPF and DKIM check out clean and the reports stop throwing up surprises, push it to quarantine. Then, when your nerve holds, reject.
Where does the DMARC record actually live?
Not on the root domain the way SPF does. It sits at _dmarc.yourdomain.com, on its own hostname, which is exactly why this checker queries that name and not the bare domain. Read only the root TXT records and you would swear there was no DMARC at all. That single detail trips people up more than any tag in the record.
What does the policy tag control?
The p tag is the instruction a receiving server follows when a message fails SPF or DKIM. p=none blocks nothing and only turns the reports on. p=quarantine sends failing mail to spam. p=reject refuses it at the door so it never arrives. The checker reads that tag back to you in plain terms and scores how close the record is to real enforcement.