MedhaCloud
Full Scan
MX Lookup
SPF
DMARC
DKIM
BIMI
SPF Generator
DMARC Generator
DKIM Generator

DMARC Checker

Run full email scan

About DMARC Checker

This tool looks up the _dmarc TXT record for your domain, parses every tag (v, p, sp, pct, rua, ruf, adkim, aspf), and validates policy + alignment configuration. It checks whether SPF and DKIM align with the From: domain — the actual requirement for DMARC to pass — and surfaces missing rua / ruf reporting addresses.

How the DMARC check works

Policy, alignment, reports — all parsed

01

Fetch _dmarc TXT record

Live DoH query for the TXT record at _dmarc.yourdomain.com. We surface every tag: v, p, sp, pct, rua, ruf, adkim, aspf.

02

Parse policy + alignment

Detects p=none (no protection), missing rua, soft alignment (adkim=r / aspf=r), wildcard percentages, and incompatible subdomain policies.

03

Cross-check against SPF + DKIM

DMARC only works if SPF or DKIM ALIGNS. We check the From: domain matches Return-Path (SPF) or d= tag (DKIM), and flag misalignment.

Common DMARC errors this catches

Why DMARC fails in production

No DMARC record at all

Receiving servers have no policy to enforce. Spammers can spoof your domain freely. This is the most common state for SMB domains — even ones using Microsoft 365 or Google Workspace.

Stuck at p=none forever

Monitoring mode is a starting point, not a final state. Domains that stay at p=none for years gain zero protection. Move to p=quarantine within 60 days of deploying DMARC.

Missing rua= reporting address

Without rua, you receive no aggregate reports — you cannot see which senders are failing alignment. Always set rua=mailto:[email protected].

Soft alignment (adkim=r / aspf=r)

Relaxed alignment lets subdomains pass DMARC even when the From: domain does not match. Set adkim=s and aspf=s for strict alignment if you do not use subdomain mailers.

Marketing platforms failing alignment

Mailchimp, HubSpot, Salesforce, Klaviyo often send "on behalf of" your domain — DKIM passes but with their d=, breaking DMARC alignment. Fix: configure DKIM with your own domain in their vendor settings.

pct=10 stuck at "rollout"

Many domains start at p=quarantine; pct=10 and never advance. The policy is only enforced on 10% of failing mail — 90% of spoofing still gets through. Increase pct stepwise.

FAQ

DMARC checker — common questions

What is a DMARC record?+
DMARC (Domain-based Message Authentication, Reporting & Conformance) is a DNS TXT record at _dmarc.yourdomain.com that tells receiving mail servers what to do with email that fails SPF or DKIM authentication. It also requests aggregated reports of authentication failures so you can detect spoofing attempts.
What does p=none mean in DMARC?+
p=none is monitoring mode — receivers send you reports but do NOT block failing mail. It is the right starting policy: deploy p=none, watch reports for 2-4 weeks, identify legitimate senders that fail authentication, fix them, then upgrade to p=quarantine. Staying at p=none long-term provides zero spoofing protection.
What is the difference between p=quarantine and p=reject?+
p=quarantine routes failing mail to spam/junk — recipients still see it but get a warning. p=reject tells receivers to bounce failing mail entirely. Reject is the strongest setting. Move gradually: p=none → p=quarantine (pct=10) → pct=50 → pct=100 → p=reject. Each step lets you catch and fix false positives.
Why is DMARC alignment failing even though SPF and DKIM pass?+
DMARC requires alignment — the From: domain must match the SPF Return-Path or DKIM d= domain. Pass-but-misaligned is the most common DMARC failure for marketing platforms, mail relays, and ticketing tools that send "on behalf of" you using their own domain in the envelope. Fix: configure DKIM signing with your domain, not the vendor's.
What is rua and ruf in a DMARC record?+
rua= specifies where aggregate reports are sent — XML reports of pass/fail counts, used to monitor authentication. ruf= specifies forensic (failure-sample) reports. Always set rua to a mailbox you own (rua=mailto:[email protected]). Without rua, you are flying blind — never seeing the spoofing attempts being made against your domain.

Single-protocol tools

Need just one protocol?

SPF Checker
Validate Sender Policy Framework
DKIM Checker
Inspect DKIM signing keys
MX Lookup
Check MX records + priority
Full email security scan
All 7 checks in one report

Beyond Free Tools

Enterprise Cloud & IT Services

From Microsoft 365 migrations to fully managed infrastructure — we handle every layer of your IT stack.

Migration Tools We Use

Enterprise-grade tooling for every platform

  • BitTitan MigrationWizCloud-to-cloud email & data
  • Microsoft Exchange HybridOn-prem to Exchange Online
  • ShareGate DesktoolSharePoint & OneDrive
  • Microsoft Mover.ioGoogle Drive to OneDrive
  • Entra ID ConnectAD sync & hybrid identity
  • PowerShell & EWS APIAutomation & bulk ops
M365 Migration Services

Our Services

More Services

Contact Us