How to Check a DMARC Record
A practical guide to checking a DMARC record, understanding the main tags, and spotting common DMARC issues before enforcement causes problems.
Tools For This Topic
Check the DMARC hostname, not the root domain
DMARC is not published at the root domain like SPF. A DMARC policy is usually stored as a TXT record at _dmarc.example.com rather than example.com.
If you only check the root domain's TXT records, you can easily miss a perfectly valid DMARC record.
Confirm that the record starts with v=DMARC1
A valid DMARC policy starts with v=DMARC1 and is followed by semicolon-separated tags. If that prefix is missing, the TXT record is not a valid DMARC policy even if it contains familiar-looking values.
You should also confirm that there is only one effective DMARC record for the hostname being checked.
Read the most important DMARC tags first
- p shows the requested policy such as none, quarantine, or reject
- rua lists aggregate reporting destinations
- ruf lists forensic reporting destinations when used
- adkim controls DKIM alignment mode
- aspf controls SPF alignment mode
- pct shows what percentage of mail the policy should apply to
For a quick check, p, rua, adkim, and aspf usually tell you most of what you need to know about the domain's DMARC posture.
Understand what the policy mode means
- p=none means monitoring without enforcement
- p=quarantine asks receivers to treat failing mail as suspicious
- p=reject asks receivers to reject failing mail
A stricter policy is not automatically better if legitimate senders are still failing SPF and DKIM alignment. The goal is to match the policy to the domain's actual sending environment.
Check whether reporting is set up usefully
Many domains publish DMARC but never really use it because the aggregate reports are missing, misdirected, or not monitored. Checking the rua destinations is part of checking whether the policy is operationally useful, not just technically valid.
If third-party report addresses are used, they also need the right authorisation in place.
Look for common DMARC problems
- No DMARC record exists at all
- The record is published at the wrong hostname
- The record uses invalid syntax or unsupported tags
- The policy is stricter than the real sending environment can support
- Reporting addresses are missing or not being monitored
A practical DMARC checking workflow
- Query _dmarc.yourdomain for TXT records
- Confirm there is one valid record starting with v=DMARC1
- Review p, rua, adkim, aspf, and pct
- Check whether SPF and DKIM are likely to align for your real senders
- Use report data and header evidence before moving to stricter enforcement
Use These DNS Pro Tools
If you want to validate this topic in practice, these DNS Pro tools are the fastest next step.
Related Tools
Related Articles
How to Check a DKIM Record
A practical guide to checking a DKIM record, finding the right selector, validating the TXT record, and spotting common DKIM setup problems.
How to Check an SPF Record
A practical guide to checking an SPF record, including where to look, how to read includes and qualifiers, and how to spot common SPF problems.
How to Fix DMARC Failures
A practical guide to fixing DMARC failures, including SPF and DKIM alignment issues, missing records, third-party senders, and enforcement problems.