Free Tool

DMARC Record Checker

Enter any domain to instantly check its DMARC policy, reporting configuration, and alignment mode.

What is DMARC?

DMARC (Domain-based Message Authentication, Reporting and Conformance) is an email authentication protocol that builds on SPF and DKIM. It tells receiving mail servers what to do when an email fails authentication — reject it, quarantine it, or let it through.

A DMARC record is a TXT record published at _dmarc.yourdomain.com. It contains your policy (p=none|quarantine|reject), alignment settings, and optionally a reporting address to receive aggregate DMARC reports.

Without DMARC, anyone can send emails pretending to be from your domain. With a strong DMARC policy (p=reject), you tell the world to trash anything that fails authentication.

DMARC and Email Forwarding

DMARC is the #1 reason forwarded emails land in spam. When you forward an email, SPF breaks (because the forwarding server isn't in the original sender's SPF record). Without ARC sealing, the destination server sees a DMARC failure and quarantines or rejects the message.

ARC-Relay solves this by adding cryptographic ARC (Authenticated Received Chain) seals so Gmail, Outlook, ProtonMail, and Yahoo trust the forwarded email and honor the original DMARC pass.

Fix your forwarding with ARC-Relay

Frequently Asked Questions

What does 'p=none' mean in a DMARC record?
p=none is a monitoring-only policy. It tells receiving servers to deliver emails that fail DMARC checks normally, but send aggregate reports to the rua address. It's a safe starting point, but provides no protection against spoofing. Upgrade to p=quarantine or p=reject once you've verified legitimate email sources in your reports.
How long does it take for a DMARC record to propagate?
DNS changes typically propagate within 24-48 hours, but many providers update within 1-4 hours. You can verify propagation immediately using this tool. Set a low TTL (300 seconds) when first deploying DMARC so you can iterate quickly.
Can I have multiple DMARC records for one domain?
No. RFC 7489 requires exactly one DMARC record per domain. If you publish multiple v=DMARC1 records, receiving servers will treat it as a configuration error and ignore DMARC entirely. Use the sp= tag for subdomain policies or publish separate records at _dmarc.subdomain.example.com.
Why are my forwarded emails failing DMARC?
When email is forwarded, the forwarding server's IP is not in the original sender's SPF record, causing SPF to fail. If DKIM signatures are also broken, DMARC fails entirely. ARC (Authenticated Received Chain) solves this by preserving the original authentication results. ARC-Relay adds ARC seals automatically.
What is the difference between rua and ruf in DMARC?
rua (aggregate reports) sends daily XML summaries showing which IPs sent email for your domain and whether they passed or failed. ruf (forensic reports) sends individual failure reports with message details. Most providers only support rua. Start with rua to identify unauthorized senders before tightening your policy.

More Free Tools

SPF Record Validator
Check your SPF record for errors and lookup limits
Email Header Analyzer
Paste email headers for a human-readable breakdown
DKIM Record Checker
Look up and validate DKIM records by selector
MX Record Lookup
View MX records and identify your email provider