How to Check, Verify, and Validate Your DMARC Record

Learn how to check, verify, and validate a DMARC record using dig, online checkers, and email headers. Read DMARC tags and fix common errors.

To check a DMARC record, run dig TXT _dmarc.yourdomain.com from the terminal, or paste your domain into a DMARC checker tool. A valid record starts with v=DMARC1 and includes a policy (p=none, p=quarantine, or p=reject) plus optional reporting addresses. If no record returns, your domain has no DMARC policy and is exposed to spoofing.

DMARC (Domain-based Message Authentication, Reporting and Conformance) tells receiving mail servers what to do with messages that fail SPF or DKIM checks. Without a published DMARC record, attackers can spoof your domain and recipients have no way to know which messages are real. This guide covers every method for checking, verifying, and validating a DMARC record - from command-line lookups to online checkers and email header inspection.

What Is a DMARC Record?

A DMARC record is a TXT record published in DNS at the hostname _dmarc.yourdomain.com. It looks like this:

v=DMARC1; p=quarantine; rua=mailto:[email protected]; pct=100; aspf=r; adkim=r

Each part of the record is a "tag". The most important tags are:

  • v=DMARC1 - The version. Required, must be the first tag.
  • p= - The policy: none, quarantine, or reject. Required.
  • rua= - Address to send aggregate reports to.
  • ruf= - Address to send forensic (per-failure) reports to.
  • pct= - The percentage of messages the policy applies to. Default is 100.
  • aspf= and adkim= - SPF and DKIM alignment mode (strict or relaxed).

When a receiving server gets an email claiming to be from your domain, it looks up your DMARC record, checks SPF and DKIM, and applies your policy when neither one passes with alignment to the From domain.

Why You Need to Check Your DMARC Record

A misconfigured DMARC record is worse than no record at all. It can silently send your legitimate emails - including support replies, password resets, and invoices - to spam or get them rejected outright.

Common reasons to check:

  • You just published a new DMARC record and want to confirm DNS has propagated.
  • Customer support emails are landing in spam or being rejected.
  • You are moving DMARC from p=none (monitor only) to p=quarantine or p=reject and want to confirm the policy is live.
  • You are auditing a domain you do not own (a vendor, an acquisition target, a partner).
  • You want to compare your record against the syntax in RFC 7489.

According to Valimail's 2024 Email Fraud Landscape report, only about 35% of domains with a DMARC record have enforcement enabled (p=quarantine or p=reject). Many domains publish a p=none record, gather no reports, and forget about it. Checking the record is the first step to fixing this.

How to Check a DMARC Record: 4 Methods

Method 1: Use a DMARC Checker Tool (Fastest)

The quickest way to validate a DMARC record is a free online checker. Paste your domain, and the tool fetches the record, validates the syntax, and flags errors.

SupportBee's free DMARC Record Checker returns the full record, breaks down each tag in plain English, and warns about common mistakes like missing reporting addresses or invalid policy values. No login required.

Use a checker tool when you want a human-readable breakdown without parsing DNS output manually.

Method 2: Use dig from the Command Line

On macOS or Linux, dig returns the raw DNS record:

dig TXT _dmarc.yourdomain.com +short

A valid response looks like:

"v=DMARC1; p=quarantine; rua=mailto:[email protected]; pct=100"

If you get no output, your domain has no DMARC record at _dmarc. If you get multiple records, that is a configuration error - DMARC allows only one record per domain.

To check the policy for a subdomain, look up the subdomain's own record first. If it has none, the sp= tag on the parent domain's record applies (or p= when sp= is absent):

dig TXT _dmarc.subdomain.yourdomain.com +short

Method 3: Use nslookup on Windows

Windows users without WSL can use nslookup:

nslookup -type=TXT _dmarc.yourdomain.com

The output includes the full TXT record alongside any other TXT records on that hostname. Filter visually for the one that starts with v=DMARC1.

Method 4: Inspect an Email Header

If you have a recent email from the domain in question, the receiving server has already done the DMARC check for you. Open the message and view the full headers:

  • Gmail: open the message, click the three-dot menu, choose "Show original".
  • Outlook: open the message, click File > Properties, copy from "Internet headers".
  • Apple Mail: View > Message > All Headers.

Look for a header like:

Authentication-Results: mx.google.com;
       dmarc=pass header.from=yourdomain.com

Possible DMARC outcomes are pass, fail, bestguesspass, temperror, and permerror. A fail means the message did not align under your published policy.

How to Read a DMARC Record

Once you have the record, here is how to interpret each tag:

Policy Tags

  • p=none - Monitor only. Failing messages are still delivered. Useful when first publishing DMARC.
  • p=quarantine - Failing messages go to spam.
  • p=reject - Failing messages are bounced. The strictest setting.

Reporting Tags

  • rua= - Aggregate reports. Receivers send XML summaries of pass/fail counts (usually daily).
  • ruf= - Forensic reports. Per-message failure samples. Many providers no longer send these for privacy reasons.

If rua is missing, you get no visibility into how your domain is being used. Always include one.

Alignment Tags

  • aspf=r (relaxed, default) - Subdomains can pass SPF alignment using the parent domain.
  • aspf=s (strict) - The SPF domain must match the From domain exactly.
  • adkim= - Same logic for DKIM.

Coverage Tags

  • pct=100 - Apply the policy to 100% of failing mail. Default.
  • pct=50 - Apply the policy to 50% of failing mail. Useful for staged rollouts.
  • sp= - Policy for subdomains. If absent, subdomains inherit p=.

Common DMARC Errors and How to Fix Them

Even valid-looking records can fail in subtle ways. The most common issues:

Multiple DMARC Records

DNS allows multiple TXT records on the same hostname, but DMARC requires exactly one. If your dig output returns two records starting with v=DMARC1, mail servers will reject the policy and treat your domain as having no DMARC.

Fix: Remove the older record from your DNS provider.

Wrong Hostname

The DMARC record must live at _dmarc.yourdomain.com, not at the root of yourdomain.com. A record at the root is invalid.

Fix: Re-create the record at the _dmarc subdomain.

Invalid Policy Value

p= accepts only none, quarantine, or reject. Typos like p=quarintine or p=monitor cause the entire policy to be ignored.

Fix: Use one of the three valid values, in lowercase.

Missing Reporting Address

A DMARC record with no rua= tag is technically valid but useless - you will never see who is sending mail in your name.

Fix: Add rua=mailto:[email protected] and route those reports to a tool that parses them.
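The checks described so far (no record, multiple records, invalid policy, missing rua=) can be automated. The following is an added example, not code from SupportBee or any checker tool: it validates the TXT strings you get back for the _dmarc name. The function names and the sample answers, including the example.com addresses, are constructed for illustration.

```python
# Added example: validate the TXT answers returned for _dmarc.<domain>.
VALID_POLICIES = {"none", "quarantine", "reject"}

def parse_tags(record):
    """Split 'tag=value; tag=value' into ordered (tag, value) pairs."""
    # dig prints a long TXT record as several quoted chunks; join them first.
    text = record.strip().replace('" "', "").strip('"')
    pairs = []
    for part in text.split(";"):
        tag, _, value = part.partition("=")
        if tag.strip():
            pairs.append((tag.strip().lower(), value.strip()))
    return pairs

def check_dmarc(txt_answers):
    """Return (errors, warnings) for the TXT strings found at the _dmarc name."""
    errors, warnings = [], []
    # Only answers whose first tag is exactly v=DMARC1 count as DMARC records.
    records = [t for t in map(parse_tags, txt_answers) if t[:1] == [("v", "DMARC1")]]
    if not records:
        return ["no DMARC record: no TXT answer starts with v=DMARC1"], warnings
    if len(records) > 1:
        return [f"{len(records)} DMARC records published; exactly one is allowed"], warnings
    tags = dict(records[0])
    policy = tags.get("p")
    if policy not in VALID_POLICIES:
        errors.append(f"missing or invalid policy: p={policy}")
    elif policy == "none":
        warnings.append("p=none only monitors; failing mail is still delivered")
    if not tags.get("rua"):
        warnings.append("no rua= address: no aggregate reports will arrive")
    pct = tags.get("pct", "100")
    if not (pct.isdigit() and int(pct) <= 100):
        errors.append(f"pct={pct} is not an integer from 0 to 100")
    for tag in ("aspf", "adkim"):
        if tags.get(tag, "r") not in ("r", "s"):
            errors.append(f"{tag}={tags[tag]} must be r or s")
    return errors, warnings

# Constructed sample answers, in the form `dig TXT ... +short` prints them.
SAMPLES = {
    "good": ['"v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com; pct=100"'],
    "typo": ['"v=DMARC1; p=quarintine; rua=mailto:dmarc@example.com"'],
    "duplicate": ['"v=DMARC1; p=none"', '"v=DMARC1; p=reject; rua=mailto:dmarc@example.com"'],
    "root_txt_only": ['"v=spf1 include:_spf.example.com -all"'],
    "monitor": ['"v=DMARC1; p=none"'],
}

if __name__ == "__main__":
    for name, answers in SAMPLES.items():
        print(name, check_dmarc(answers))
```

Errors mean receivers will not apply the policy as written; warnings mean the record is valid but leaves you unprotected or without reports.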

SPF or DKIM Misalignment

A dmarc=fail result in headers usually means SPF passed but the From domain does not align, or DKIM is signed by a different domain. Strict alignment (aspf=s, adkim=s) catches more spoofing but rejects more legitimate mail from third-party senders like Mailchimp or Stripe.

Fix: Start with relaxed alignment, then tighten once you have authorized all your senders.
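To see why a message got dmarc=fail, compare the domains in its Authentication-Results header with the From domain. The following is an added example, not part of the original guide: the message, the mailer.example sender, and the helper names are constructed, and org_domain() uses a last-two-labels shortcut where real receivers consult the Public Suffix List.

```python
# Added example: explain a DMARC result from one Authentication-Results header.
import re
from email import message_from_string

# Constructed message: SPF and DKIM both pass, but for a third-party domain.
RAW = """\
Authentication-Results: mx.example.net;
       spf=pass smtp.mailfrom=bounces.mailer.example;
       dkim=pass header.d=mailer.example;
       dmarc=fail header.from=yourdomain.com
From: Support <support@yourdomain.com>
Subject: constructed sample

body
"""

def org_domain(domain):
    # Simplification (assumption): the organizational domain is the last two labels.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode="r"):
    """Relaxed ('r') compares organizational domains; strict ('s') needs an exact match."""
    if not auth_domain or not from_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def explain(raw, aspf="r", adkim="r"):
    header = message_from_string(raw)["Authentication-Results"] or ""
    header = " ".join(header.split())  # unfold the multi-line header

    def grab(method, prop):
        m = re.search(rf"\b{method}=(\w+)[^;]*?\b{re.escape(prop)}=([^\s;]+)", header)
        return m.groups() if m else (None, None)

    spf_res, mailfrom = grab("spf", "smtp.mailfrom")
    dkim_res, dkim_d = grab("dkim", "header.d")
    dmarc_res, from_dom = grab("dmarc", "header.from")
    spf_dom = mailfrom.rsplit("@", 1)[-1] if mailfrom else None
    spf_ok = spf_res == "pass" and aligned(spf_dom, from_dom, aspf)
    dkim_ok = dkim_res == "pass" and aligned(dkim_d, from_dom, adkim)
    # DMARC passes when at least one mechanism passes and aligns.
    return {"reported": dmarc_res, "spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "expected": "pass" if spf_ok or dkim_ok else "fail"}

if __name__ == "__main__":
    print(explain(RAW))
```

In the sample, both mechanisms pass yet neither aligns with yourdomain.com, which is the typical pattern for an unauthorized or unconfigured third-party sender.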

How DMARC Affects Customer Support Email

Customer support teams send a high volume of transactional and reply email - password resets, ticket confirmations, agent replies, knowledge base notifications. If your DMARC record is misconfigured, these messages may silently go to spam, and your customers blame you, not the email auth.

Three things to watch:

  1. Make sure your help desk is an authorized sender. If you use a shared inbox or help desk tool to reply to customers, the sending IP must be in your SPF record and ideally signing with DKIM aligned to your domain.

  2. Use the same domain everywhere. Mixing [email protected] and [email protected] can break alignment. Pick one.

  3. Move from monitor to enforcement gradually. Publish p=none first, watch aggregate reports for two to four weeks, fix any misaligned senders, then move to p=quarantine and finally p=reject.

SupportBee's customer service software handles agent replies through your own domain with proper SPF and DKIM, so DMARC alignment is straightforward to maintain. See our notes on Office 365 shared mailbox best practices and migrating from Google Workspace to Microsoft 365 for related email setup guidance.

DMARC Check Quick Reference

Task | Command or Tool
Quick visual check | DMARC Checker tool
Raw record (macOS/Linux) | dig TXT _dmarc.yourdomain.com +short
Raw record (Windows) | nslookup -type=TXT _dmarc.yourdomain.com
Verify on a specific email | View message source, search for Authentication-Results
Subdomain policy | Look up _dmarc.subdomain.yourdomain.com
Aggregate reports parser | Postmark, Valimail, dmarcian, or similar

Frequently Asked Questions

How long does a DMARC change take to propagate?
DNS TTL controls this. Most providers default to one to four hours. Some legacy resolvers cache for up to 24 hours, so plan changes accordingly.

Can I check DMARC for a domain I do not own?
Yes. DMARC records are public DNS data. Any dig or online checker works on any domain.

Why does my domain pass SPF but fail DMARC?
SPF passing on the envelope sender (Return-Path) is not enough. DMARC also requires the SPF domain to align with the From header. Check aspf=r vs aspf=s in your record.

Does DMARC replace SPF and DKIM?
No. DMARC sits on top of SPF and DKIM. You need at least one of them passing and aligned for DMARC to pass.

Is p=none good enough?
Only for monitoring. p=none does not block anything - it only collects reports. Once you have visibility, move to p=quarantine or p=reject to actually protect your domain.

Next Steps

Check your domain now with our DMARC Record Checker, then review the tags against this guide. If you find your record is missing reporting addresses, sitting at p=none, or has alignment issues, fix the smallest problem first and re-check. Email authentication compounds - SPF, DKIM, and DMARC together cut spoofing dramatically, but only when all three are configured correctly.