Skip to content
Kordu Tools Kordu Tools

DMARC Checker

Look up and analyse the DMARC record for any domain — policy, alignment, reporting, and configuration warnings.

Last updated 08 Apr 2026

Check the DMARC (Domain-based Message Authentication, Reporting & Conformance) record for any domain. See the enforcement policy (none, quarantine, reject), DKIM/SPF alignment settings, percentage coverage, aggregate and forensic report destinations, and configuration warnings. All lookups run via Cloudflare DNS-over-HTTPS.
Loading rating…

How to use

  1. 1

    Enter a domain

    Type the domain you want to check — for example, gmail.com or yourdomain.com.

  2. 2

    Click Check DMARC

    Click the button or press Enter. The tool queries the TXT record at _dmarc.domain via Cloudflare DNS-over-HTTPS.

  3. 3

    Review the policy

    See the enforcement policy (none, quarantine, or reject), alignment modes, and percentage of mail covered.

  4. 4

    Check report destinations

    Verify that aggregate (rua) and forensic (ruf) report URIs are configured so you receive DMARC reports.

Frequently asked questions

What is DMARC?
DMARC (Domain-based Message Authentication, Reporting & Conformance) is an email authentication protocol that builds on SPF and DKIM. It lets domain owners publish a policy telling receiving servers what to do with messages that fail authentication — monitor, quarantine, or reject.
What do the DMARC policies mean?
The three policies are: 'none' (monitor only, take no action), 'quarantine' (send failing messages to spam), and 'reject' (block failing messages entirely). Most domains start at 'none' and gradually move to 'reject' as they gain confidence in their SPF/DKIM setup.
What is DMARC alignment?
Alignment checks whether the domain in the From header matches the domains used in SPF and DKIM. 'Relaxed' alignment allows subdomains to match (mail.example.com matches example.com). 'Strict' alignment requires an exact domain match.
What are rua and ruf in a DMARC record?
rua (reporting URI for aggregate reports) receives daily XML summaries of DMARC results. ruf (reporting URI for forensic reports) receives individual failure reports. Both are typically mailto: URIs pointing to an email address.
Why is my DMARC policy set to 'none'?
A 'none' policy means the domain is in monitoring mode — DMARC reports are generated but no enforcement action is taken on failing emails. This is common during initial deployment while you verify that legitimate email passes SPF and DKIM.
What does the percentage (pct) tag do?
The pct tag specifies what percentage of failing messages are subject to the DMARC policy. For example, pct=25 means only 25% of failing messages are quarantined or rejected — the rest are treated as 'none'. This allows gradual rollout of stricter policies.
How does DMARC relate to SPF and DKIM?
DMARC requires at least one of SPF or DKIM to pass with alignment. It doesn't replace them — it adds a policy layer on top. A message passes DMARC if it passes SPF with SPF alignment OR passes DKIM with DKIM alignment.
Is this lookup private?
The only external request is a DNS-over-HTTPS query to Cloudflare. No data is stored or shared by this tool.

Verify that a domain has a properly configured DMARC record. DMARC

ties SPF and DKIM together into a unified email authentication policy,

telling receiving mail servers what to do when a message fails both

SPF and DKIM checks — monitor it, quarantine it, or reject it outright.

This tool queries the TXT record at `_dmarc.domain` and parses every

DMARC tag: policy (p=), subdomain policy (sp=), percentage (pct=),

alignment modes (adkim= / aspf=), aggregate report URI (rua=),

forensic report URI (ruf=), and failure reporting options (fo=).

Clear warnings highlight common misconfigurations: policy set to

"none" (monitoring only, no enforcement), missing report URIs,

partial percentage coverage, and multiple conflicting records.

Who is this for: email administrators hardening domain authentication,

marketers improving deliverability, security teams auditing spoofing

protection, and developers integrating email infrastructure.

Related tools

SPF Record Checker

Look up and validate SPF records — parse mechanisms, detect misconfigurations, and check email authentication.

DKIM Checker

Look up and validate DKIM records for any domain — public key, key type, and selector auto-detection.

MX Lookup

Look up MX records for any domain — mail server priority, IP addresses, and email provider detection.

DNS Lookup

Query all DNS record types for any domain — A, AAAA, MX, TXT, CNAME, NS, SOA, CAA — via Cloudflare DoH.

Learn more

SPF, DKIM, and DMARC Explained: Stop Emails Going to Spam

How SPF, DKIM, and DMARC work together to stop email spoofing and spam folders. Google now rejects 75% of unauthenticated email from bulk senders.

DNS Record Types Explained: A, AAAA, CNAME, MX, TXT

Every DNS record type explained with real dig examples. Covers A, AAAA, CNAME, MX, TXT, NS, SOA, PTR, SRV, and CAA records used across 350M+ domains.