DMARC Policy Checker: Validate Email Authentication Policy

Check DMARC records to validate policy configuration (none/quarantine/reject), verify reporting setup, and assess email authentication strength.


DMARC Policy Validation

DMARC (Domain-based Message Authentication, Reporting, and Conformance) builds on SPF and DKIM by defining policies for handling authentication failures. DMARC records are published at _dmarc.example.com as TXT records. Without DMARC, attackers can spoof your domain in phishing emails because receiving servers have no instructions on how to handle forged messages.

Why DMARC Matters for Email Security

Email spoofing remains one of the most common attack vectors for phishing and business email compromise. DMARC gives domain owners control over how receiving servers handle unauthenticated mail. Major email providers including Gmail, Yahoo, and Microsoft enforce DMARC policies, making it essential for any domain that sends email.

DMARC also provides visibility through reporting. Aggregate reports reveal which servers are sending email on your behalf, helping you discover unauthorized senders and misconfigured services. Without DMARC, you have no way to monitor domain abuse.

DMARC Policy Levels

p=none: Monitor mode. Recipients log authentication failures but deliver all mail normally. Use this when first implementing DMARC to gather data without risk of blocking legitimate email. This is where every DMARC implementation should start.

p=quarantine: Send emails that fail authentication to spam/junk folders. Provides protection while allowing recipients to retrieve false positives from spam folders. A good intermediate step before full enforcement.

p=reject: Block delivery of emails that fail authentication entirely. Strongest protection but requires confidence in SPF and DKIM configuration to avoid blocking legitimate mail. Google and other providers recommend reaching this level.

You can also use the pct tag to apply your policy to a percentage of messages. For example, p=quarantine; pct=25 quarantines only 25% of failing emails, letting you test enforcement gradually.

DMARC Reporting

rua (Aggregate Reports): Daily XML reports sent to specified email addresses showing authentication statistics. Example: rua=mailto:dmarc@example.com. These reports include sender IPs, message counts, SPF/DKIM results, and alignment outcomes. You can also append a size limit to the reporting URI, for example rua=mailto:reports@dmarc.example.com!10m, to cap report size at 10 MB.

ruf (Forensic Reports): Individual reports for each authentication failure containing message headers and details. More verbose than aggregate reports and may contain sensitive information. Many organizations disable forensic reports due to privacy concerns and the volume of data they generate.
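The following parser, added here as an example and not part of the checker's own code, applies the rules from the policy and reporting sections above to a few constructed records: it rejects records that do not start with v=DMARC1 or lack p=, scores the policy level, and flags a partial pct, a missing rua= address, a non-mailto reporting URI and an enabled ruf= tag.

```python
# Constructed sample records for illustration (not fetched from any real domain).
SAMPLE_RECORDS = {
    "partial": "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example.com; "
               "ruf=mailto:forensic@example.com",
    "strict": "v=DMARC1; p=reject; rua=mailto:reports@dmarc.example.com!10m; adkim=s; aspf=s",
    "broken": "p=reject; v=DMARC1",
}
POLICY_STRENGTH = {"none": 0, "quarantine": 1, "reject": 2}

def parse_dmarc(record):
    """Split a DMARC TXT record into a tag dict; raise ValueError on structural errors."""
    parts = [p.strip() for p in record.split(";") if p.strip()]
    # RFC 7489: v=DMARC1 must be the first tag and p= is mandatory.
    if not parts or parts[0].replace(" ", "").lower() != "v=dmarc1":
        raise ValueError("record must begin with v=DMARC1")
    tags = {}
    for part in parts:
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if "p" not in tags:
        raise ValueError("required p= tag missing")
    return tags

def assess_policy(record):
    """Return policy strength (0-2) and the weaknesses a checker would flag."""
    tags = parse_dmarc(record)
    policy = tags["p"].lower()
    if policy not in POLICY_STRENGTH:
        raise ValueError(f"invalid policy {policy!r}")
    pct = int(tags.get("pct", "100"))
    if not 0 <= pct <= 100:
        raise ValueError(f"pct must be 0-100, got {pct}")
    findings = []
    if policy == "none":
        findings.append("monitor mode: failing mail is still delivered")
    elif pct < 100:
        findings.append(f"{policy} applies to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports, no visibility")
    else:
        # Each URI may carry a size cap after '!', e.g. mailto:x@example.com!10m.
        for uri in tags["rua"].split(","):
            if not uri.strip().split("!", 1)[0].lower().startswith("mailto:"):
                findings.append(f"unsupported rua URI: {uri.strip()}")
    if "ruf" in tags:
        findings.append("ruf= enabled: forensic reports can expose message contents")
    return {"policy": policy, "pct": pct, "strength": POLICY_STRENGTH[policy],
            "findings": findings}
```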

DMARC Alignment

DMARC requires alignment between the domain in the From header and authenticated domains from SPF or DKIM. Strict alignment (aspf=s or adkim=s) requires exact matches. Relaxed alignment (default) allows subdomain matches.

Example: Email from support@example.com has a header From domain of example.com. Under strict alignment, SPF or DKIM must authenticate exactly example.com; under relaxed alignment, a subdomain such as mail.example.com also aligns.

SPF alignment compares the envelope From (Return-Path) domain with the header From domain. DKIM alignment compares the d= domain in the DKIM signature with the header From domain. Each check is evaluated independently; DMARC passes when at least one of them both passes authentication and aligns.
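An added example (not the checker's code) of the alignment logic described above. organizational_domain is a simplified stand-in for the Public Suffix List lookup a real verifier performs; it assumes the organizational domain is the last two labels, which is wrong for suffixes such as co.uk.

```python
# Organizational-domain lookup. A real verifier consults the Public Suffix List;
# this simplified stand-in (an assumption of the example) keeps the last two labels.
def organizational_domain(domain):
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def aligned(from_domain, auth_domain, mode="r"):
    """True if auth_domain aligns with the header From domain: 's' strict, 'r' relaxed."""
    from_domain, auth_domain = from_domain.lower(), auth_domain.lower()
    if mode == "s":  # strict: exact match only
        return from_domain == auth_domain
    if mode == "r":  # relaxed: same organizational domain, so subdomains align
        return organizational_domain(from_domain) == organizational_domain(auth_domain)
    raise ValueError(f"unknown alignment mode {mode!r}")

def dmarc_result(from_domain, spf_result, return_path_domain,
                 dkim_result, dkim_d, aspf="r", adkim="r"):
    """Combine authentication results with alignment the way a DMARC verifier does.

    SPF is checked against the Return-Path domain, DKIM against the signature's d=
    domain. DMARC passes if at least one of them passes AND aligns.
    """
    spf_ok = spf_result == "pass" and aligned(from_domain, return_path_domain, aspf)
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_d, adkim)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if (spf_ok or dkim_ok) else "fail"}

# Constructed cases (description, inputs); not real traffic.
CASES = [
    ("bounce subdomain, relaxed SPF", dict(from_domain="example.com", spf_result="pass",
      return_path_domain="bounce.example.com", dkim_result="fail", dkim_d="")),
    ("bounce subdomain, strict SPF", dict(from_domain="example.com", spf_result="pass",
      return_path_domain="bounce.example.com", dkim_result="fail", dkim_d="", aspf="s")),
    ("unrelated domain passes its own SPF and DKIM", dict(from_domain="example.com",
      spf_result="pass", return_path_domain="other.example", dkim_result="pass",
      dkim_d="other.example")),
]

if __name__ == "__main__":
    for desc, kw in CASES:
        print(f"{desc}: {dmarc_result(**kw)['dmarc']}")
```

The third case is the spoofing scenario DMARC exists to catch: both mechanisms pass, but for a domain that does not align with the visible From address, so the message fails.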

Recommended DMARC Implementation Steps

Step 1: Publish SPF and DKIM records for all sending services (marketing platforms, transactional email, corporate email).

Step 2: Publish a DMARC record with p=none and rua= to start collecting reports.

Step 3: Analyze aggregate reports for 2-4 weeks. Identify and fix any legitimate senders that fail authentication.

Step 4: Move to p=quarantine with pct=25 and gradually increase to 100%.

Step 5: Upgrade to p=reject for full protection against domain spoofing.

FAQ

What is a DMARC record?
A DMARC record is a DNS TXT record published at _dmarc.yourdomain.com that tells receiving mail servers how to handle emails that fail SPF and DKIM authentication. It also specifies where to send authentication reports.

What is the difference between p=none, p=quarantine, and p=reject?
p=none monitors authentication failures without affecting delivery. p=quarantine sends failing emails to spam folders. p=reject blocks failing emails entirely. Start with p=none to collect data, then gradually move to p=quarantine and finally p=reject.

How do DMARC aggregate reports work?
Aggregate reports (rua) are daily XML files sent to the email address specified in your DMARC record. They contain statistics about which IPs sent email using your domain, whether SPF and DKIM passed, and alignment results. Use these reports to identify legitimate senders before tightening your policy.

What is DMARC alignment?
DMARC alignment checks that the domain in the email From header matches the domain authenticated by SPF or DKIM. Relaxed alignment allows subdomain matches (mail.example.com aligns with example.com). Strict alignment requires exact domain matches.

Do I need both SPF and DKIM for DMARC to work?
DMARC requires at least one of SPF or DKIM to pass and align. Using both provides redundancy: if one fails, the other can still authenticate the email. Best practice is to implement SPF, DKIM, and DMARC together for comprehensive email protection.

How long does it take for DMARC to take effect?
DMARC records propagate within minutes to a few hours depending on DNS TTL settings. However, you should monitor aggregate reports for at least 2-4 weeks at p=none before tightening your policy. This ensures all legitimate sending sources are properly authenticated before enforcement begins.