DMARC Record Checker
Pull any domain's DMARC record and read the policy, alignment and reporting back in plain terms, with a score that flags a spoofable setup.
This DMARC record checker pulls the policy a domain actually publishes and reads it back in plain terms: what p is set to, whether anyone is collecting the aggregate reports, and how strict the SPF and DKIM alignment runs. We built it to answer one question fast, can someone spoof this domain right now, which is the first thing we check when a phishing email turns up wearing a brand we look after. We query _dmarc.yourdomain.com, not the bare domain, because that is where DMARC lives and the detail people miss constantly. From there we parse every tag, score how close you are to real enforcement, and call out the weak spots: a p=none that only monitors, a missing rua address, or alignment loose enough to let a spoof through. The lookup runs server side so it sees the same record a real receiver would.
Queries run through the PeopleAreGeek lookup service. We log nothing.
Live email DNS utility
Type a domain. I'll pull its DMARC record and read it back to you in plain terms: what the policy is set to, whether anyone's actually collecting the reports, how picky the alignment gets. I open this thing mostly when someone forwards me a phishing email dressed up as a brand I look after. And nine times out of ten the answer's right there in the record, no detective work needed. DMARC is the line that tells a receiving server what to do when SPF or DKIM fail. Set it badly and the spoof lands in the inbox anyway.
What is DMARC?
It's a note you leave in DNS for every mail server out there. The note says: "If a message claims to come from me but the SPF or DKIM checks don't add up, here's what I'd like you to do with it." There's a second job too, and honestly I think it's the better reason to set the thing up at all. DMARC can mail you back daily reports listing everyone sending as your domain. Which is usually how you stumble onto the rogue marketing tool nobody mentioned. Better to find that now, while you're still on p=none, than after you've told the world to reject.
DMARC policy levels
- p=none blocks nothing. It just turns the reports on so you can watch. Start here, always.
- p=quarantine says: failing mail goes to spam, not the inbox. I tend to sit on this one for a while, until the reports stop surprising me.
- p=reject is the setting that genuinely shuts spoofing down, because failing mail gets refused at the door and never arrives.
Sources and further reading
Frequently asked questions
Should every domain have DMARC?
Yes. Even the ones you never send a single email from. Parked domains, dead brands, that side project you forgot you owned: those are the ones attackers reach for first, exactly because nobody's keeping an eye on them. If a domain has anything to do with email, or with money landing in someone's inbox, then skipping the record feels reckless to me.
Is p=none enough?
For the first few weeks, sure. p=none buys you time to read the reports and catch every legit sender before you start blocking anything. On its own, though, it protects nobody. A spoofer could not care less that you are monitoring them. So once SPF and DKIM check out clean and the reports stop throwing up surprises, push it to quarantine. Then, when your nerve holds, reject.
Where does the DMARC record actually live?
Not on the root domain the way SPF does. It sits at _dmarc.yourdomain.com, on its own hostname, which is exactly why this checker queries that name and not the bare domain. Read only the root TXT records and you would swear there was no DMARC at all. That single detail trips people up more than any tag in the record.
What does the policy tag control?
The p tag is the instruction a receiving server follows when a message fails SPF or DKIM. p=none blocks nothing and only turns the reports on. p=quarantine sends failing mail to spam. p=reject refuses it at the door so it never arrives. The checker reads that tag back to you in plain terms and scores how close the record is to real enforcement.