Free email tool
DMARC Checker
Look up your DMARC record, read your enforcement policy (none, quarantine or reject), and see where your reports go.
Checks run in your browser over Google public DNS-over-HTTPS (Cloudflare as fallback). Nothing you enter is sent to Pulsetic.
Email authentication only protects you while the records are right. Pulsetic monitors your domain and certificates around the clock.
DMARC (Domain-based Message Authentication, Reporting and Conformance) is a TXT record published at _dmarc.yourdomain, beginning v=DMARC1. It tells receivers what to do with mail that fails SPF and DKIM, and where to send reports about it. DMARC is what turns SPF and DKIM from advisory into enforced.
It builds on the other two: a message passes DMARC when it passes SPF or DKIM and the matching domain aligns with the visible From address. The policy then decides the fate of anything that fails.
The p tag is the policy. p=none only monitors and enforces nothing, p=quarantine sends failing mail to spam, and p=reject blocks it outright. Reject is the goal, but most teams start at none to collect reports, then tighten.
The pct tag applies the policy to a percentage of mail, and rua is the address that receives the aggregate reports (typically sent daily). No rua means you are enforcing blind, with no visibility into what is being sent in your name.
Prefer the command line? This reads the same record the checker validates:
dig _dmarc.example.com TXT +short
# look for the line starting v=DMARC1
A DMARC record is a TXT record at _dmarc.yourdomain, starting v=DMARC1, that tells receivers how to handle mail failing SPF and DKIM and where to send reports. It is what gives those two checks real teeth.
They are the enforcement levels. none monitors only, quarantine sends failing mail to spam, and reject blocks it. Stronger policies stop more spoofing, so reject is the end goal once your legitimate mail is passing.
At the _dmarc subdomain, for example _dmarc.example.com, not on the bare domain. The checker queries that name for you.
Common causes are a policy left at p=none (which enforces nothing), pct below 100 (only part of your mail is covered), or no rua address so you never see the reports. A record can also fail if SPF and DKIM are not aligned with your From domain.
Yes. SPF and DKIM check a message, but only DMARC tells receivers what to do when those checks fail, and only DMARC sends you reports. Without it, a failing message is handled however each receiver guesses.
It queries the TXT record at _dmarc.yourdomain over DNS-over-HTTPS, parses each tag, and grades them: the p policy, the pct coverage and whether a rua reporting address is set. If your exact domain has no record, it walks up to the organizational domain that covers it.
A typical record is v=DMARC1; p=reject; rua=mailto:dmarc@example.com; pct=100. v=DMARC1 identifies it, p=reject is the enforcement policy, rua is where aggregate reports are sent, and pct=100 applies the policy to all of your mail.
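The parse-and-grade step described above can be sketched in JavaScript. This is an added example, not Pulsetic's code: the function names parseDmarc and gradeDmarc are hypothetical, the DNS lookup is left out, and the sample records are constructed.

```javascript
// Added example (not Pulsetic's code). parseDmarc and gradeDmarc are hypothetical names.
function parseDmarc(txt) {
  const tags = {};
  for (const part of txt.split(';')) {
    const eq = part.indexOf('=');
    if (eq === -1) continue; // empty or malformed segment
    const name = part.slice(0, eq).trim().toLowerCase();
    if (name && !(name in tags)) tags[name] = part.slice(eq + 1).trim();
  }
  return tags;
}

function gradeDmarc(txt) {
  // A DMARC record must begin with v=DMARC1; anything else is not graded.
  if (!/^\s*v\s*=\s*DMARC1\s*(;|$)/.test(txt)) {
    return { isDmarc: false, policy: null, pct: null, rua: [], findings: ['does not begin with v=DMARC1'] };
  }
  const tags = parseDmarc(txt);
  const findings = [];
  const policy = (tags.p || '').toLowerCase();
  if (policy === 'none') findings.push('p=none only monitors and enforces nothing');
  else if (policy === 'quarantine') findings.push('p=quarantine sends failing mail to spam; reject is the end goal');
  else if (policy !== 'reject') findings.push('p tag is missing or not none, quarantine or reject');

  let pct = 100; // pct defaults to 100 when the tag is absent
  if ('pct' in tags) {
    pct = /^\d{1,3}$/.test(tags.pct) ? Number(tags.pct) : NaN;
    if (!(pct >= 0 && pct <= 100)) findings.push('pct is not an integer from 0 to 100');
    else if (pct < 100) findings.push(`pct=${pct}: only part of the mail is covered by the policy`);
  }
  // rua is a comma-separated list of URIs; this sketch counts only mailto: addresses.
  const rua = (tags.rua || '').split(',').map(s => s.trim()).filter(s => /^mailto:.+@/i.test(s));
  if (rua.length === 0) findings.push('no rua address: no aggregate reports will be received');
  return { isDmarc: true, policy, pct, rua, findings };
}

// Constructed sample records: the page's typical record and three weaker ones.
const samples = [
  'v=DMARC1; p=reject; rua=mailto:dmarc@example.com; pct=100',
  'v=DMARC1; p=none',
  'v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@example.com',
  'v=spf1 -all',
];
for (const s of samples) console.log(s, '=>', gradeDmarc(s).findings);
```

An empty findings list corresponds to the end state the page describes: p=reject, full coverage and a reporting address.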
By Designmodo
Designmodo Inc. 169 Madison Ave, #79627, New York, NY 10016, United States
Copyright © 2010-2026