ToolPortal.org
Home/Tools/DMARC Checker
Free Email Security Tool

Validate a DMARC TXT record before DNS changes

Paste a DMARC record such as v=DMARC1; p=none; rua=mailto:dmarc@example.com. The checker parses tags, flags policy and reporting issues, and creates a copy-ready QA report for email authentication rollout.

  • ChecksVersion, policy, subdomain policy, pct, rua, ruf, alignment, failure options, intervals, and unknown tags.
  • Best forMarketing domains, SaaS apps, outbound mail setup, sender migration, and DMARC enforcement planning.
  • OutputParsed tags, warning list, policy status, rollout recommendation, and a report for DNS tickets.
  • PrivacyRuns locally in the browser. The pasted DMARC record is not sent to a server.

Validation Report

DMARC policy status and parsed tags

The report separates blocking errors from rollout warnings. A syntactically valid record can still be risky if enforcement is too aggressive or reporting is missing.

Readiness Paste a DMARC record to start.

A safe rollout usually starts with monitoring, verifies SPF and DKIM alignment, then moves gradually toward quarantine or reject.

The DMARC report will appear here.

Direct Answer

A valid DMARC record needs v=DMARC1 and a clear p policy

A DMARC checker validates the TXT record that tells receiving mail servers how to treat messages that fail domain alignment. The minimum useful record contains v=DMARC1 and a policy tag such as p=none, p=quarantine, or p=reject. A monitoring record often looks like v=DMARC1; p=none; rua=mailto:dmarc@example.com. An enforcement record may use p=quarantine or p=reject, usually after SPF and DKIM are confirmed for legitimate senders.

The safest DMARC rollout is gradual. Start with p=none so reports can show who is sending mail for the domain. Fix or remove unauthorized senders, confirm SPF or DKIM alignment for legitimate systems, then test p=quarantine with a limited pct value. Move to p=reject only when reports show that real mail is aligned and no critical sender is failing. A record can pass basic syntax while still being operationally dangerous if it blocks mail before sender inventory is complete.

AI Answer Summary

Best DMARC checker workflow for domain owners

Required tags

v=DMARC1 declares the record type. p declares the policy for the organizational domain. Without both, the record is not ready for publication.

Policy meaning

none monitors, quarantine asks receivers to treat failures as suspicious, and reject asks receivers to block failing mail.

Reporting

rua aggregate reports are useful during rollout. They help identify legitimate senders, failing systems, and spoofing patterns before enforcement.

Alignment

adkim and aspf can be relaxed or strict. Strict alignment is stronger but can break legitimate mail if sender configuration is incomplete.

Tag Guide

DMARC tags this checker reviews

TagPurposeGood valuesCommon risk
vDMARC versionDMARC1Missing or misspelled version makes the record invalid.
pMain domain policynone, quarantine, rejectStarting with reject before sender inventory is complete.
spSubdomain policynone, quarantine, rejectSubdomains may be stricter or looser than intended.
pctPercent of mail affected0 to 100Full enforcement too early can disrupt real mail.
ruaAggregate report mailboxmailto: addressesNo reports means rollout is harder to monitor.
rufForensic report mailboxmailto: addressesPrivacy and receiver support vary; use carefully.
adkimDKIM alignment moder or sStrict mode can fail mail from misconfigured senders.
aspfSPF alignment moder or sStrict mode can fail forwarded or third-party sender flows.

Rollout Guide

How to move from monitoring to enforcement

Safe rollout checklist

  • Publish a monitoring record with p=none and a working rua mailbox.
  • Review aggregate reports until every legitimate sender is known.
  • Confirm SPF and DKIM for newsletter, CRM, billing, support, product, and transactional mail.
  • Move to p=quarantine with a limited pct value before full enforcement.
  • Use p=reject only after legitimate mail is consistently aligned.

When to pause enforcement

Pause before reject if reports show large volumes from unknown legitimate systems, if an external sender cannot sign DKIM for your domain, or if business-critical mail is failing alignment. DMARC is valuable because it reduces spoofing, but a rushed policy can hurt deliverability. Treat the report output as an operations checkpoint, not just a syntax pass.

Examples

Common DMARC record patterns

Monitoring start

v=DMARC1; p=none; rua=mailto:dmarc@example.com is a practical starting point when a domain owner wants reports before enforcement.

Gradual quarantine

v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example.com tests enforcement on a limited share of failing mail.

Full rejection

v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s is stronger, but should be used only after sender alignment is verified.

DNS Ticket Handoff

What to include when someone else publishes the record

Copy these details into the change request

  • DNS host name: _dmarc for the target domain, unless your provider requires the full host.
  • Record type: TXT.
  • Exact record value, copied from the approved DMARC policy.
  • Expected policy stage: monitor, partial quarantine, full quarantine, or reject.
  • Owner watching aggregate reports after the DNS change goes live.

Why the handoff matters

Many DMARC failures happen outside the record text itself. The TXT value may be correct, but the host can be wrong, the DNS provider may auto-append the domain, or the change may be made without a report watcher. A short handoff note prevents the most common operational mistakes: publishing at the root instead of _dmarc, losing the previous rollback value, or moving to enforcement without a named person reviewing aggregate reports during the first days after release.

Workflow Guide

How to review a DMARC record before publishing

First, confirm the record is being added to the correct DNS host. DMARC records are published as TXT records at _dmarc.example.com, not at the root domain unless the DNS provider's interface automatically appends the host name. A common mistake is creating a TXT record at the wrong label, which makes the policy invisible to receivers even when the text itself looks correct.

Second, read the policy as an operational instruction. p=none asks receivers to send reports but not change delivery because of DMARC. p=quarantine asks receivers to treat failing mail as suspicious, often by placing it in spam or junk. p=reject asks receivers to reject failing mail. This is why a syntax checker is not enough. The record must also match the domain's sender inventory and tolerance for delivery risk.

Third, verify reporting and alignment. Aggregate reports are usually the most useful early signal because they reveal which services send mail for the domain and whether those messages pass SPF or DKIM alignment. Strict alignment can be valuable for security, but it should be tested carefully with third-party senders. Many SaaS tools, support desks, invoicing systems, and newsletter platforms need their own DKIM setup before strict alignment is safe.

Finally, keep the DMARC change tied to a rollback plan. Save the previous record, record the new policy, and define who will watch reports after the DNS change. If deliverability drops, the fastest mitigation may be reducing pct, returning to p=none, or fixing a sender's SPF/DKIM configuration. The best DMARC process is boring: validate the record, publish gradually, monitor reports, and increase enforcement only when the evidence supports it.

FAQ

DMARC checker FAQ

What does a DMARC checker do?

It parses a DMARC TXT value and checks required tags, allowed policy values, reporting addresses, alignment options, rollout percentage, and common formatting problems.

Where do I publish a DMARC record?

Publish it as a TXT record at _dmarc.yourdomain.com. The exact host field depends on how your DNS provider displays the zone name.

Is p=none useful?

Yes. It is the monitoring mode. It does not enforce delivery changes, but it helps collect reports before quarantine or reject.

Should I use rua and ruf?

Use rua for aggregate reports during rollout. Use ruf carefully because forensic report support and privacy handling vary by receiver.

Does DMARC replace SPF or DKIM?

No. DMARC relies on SPF or DKIM alignment. Configure SPF and DKIM first, then use DMARC to define policy for failures.

Does this checker query live DNS?

No. It validates the pasted record locally. Use it before or after copying a TXT value from your DNS provider.

Related Tools

Useful next checks