/ developer & network toolbox
← all tools

$ dmarc

server-side

DMARC Checker

Resolve and parse the _dmarc policy, with warnings for p=none, missing rua and partial pct.

dmarc — invoker.tools

About the DMARC Checker

This DMARC checker resolves the _dmarc TXT record for a domain and parses its policy tags — p (policy), sp (subdomain policy), rua and ruf (reporting addresses), pct and the alignment modes. It highlights common weak spots: a p=none policy that only monitors without enforcing, a missing rua address that means you receive no aggregate reports, and a pct value below 100 that applies the policy to only part of your mail.

The lookup runs server-side against public resolvers. Use it to verify your DMARC deployment, to understand how strict a domain's policy is, or to plan the move from monitoring (p=none) toward enforcement (p=quarantine or p=reject). DMARC builds on SPF and DKIM to tell receivers what to do with mail that fails authentication.

How to use it

  1. Enter the domain whose DMARC policy you want to check.
  2. Submit to resolve and parse the _dmarc TXT record.
  3. Read the policy tag (p) to see whether mail is monitored or enforced.
  4. Check that a rua address is present so you receive aggregate reports.
  5. Confirm pct is 100 so the policy applies to all of your mail.

Examples

  • v=DMARC1; p=none; rua=mailto:dmarc@example.com -> valid but monitor-only; flagged because it does not enforce.
  • v=DMARC1; p=reject; rua=mailto:reports@example.com; pct=100 -> a full enforcement policy with reporting enabled.
  • A policy with p=quarantine; pct=50 -> flagged because only half of failing mail is quarantined.

Frequently asked questions

What is a DMARC record?

DMARC is a _dmarc TXT record that tells receiving mail servers how to handle messages failing SPF and DKIM, and where to send reports. It protects your domain from spoofing.

What does p=none mean?

p=none is monitor-only: it requests reports but does not ask receivers to block failing mail. It is a safe starting point but offers no spoofing protection until you move to quarantine or reject.

Why does a missing rua address matter?

The rua tag is where aggregate DMARC reports are sent. Without it you get no visibility into who is sending as your domain, making it hard to tune toward enforcement.

What does the pct tag do?

pct sets the percentage of mail the policy applies to. A value below 100 means some failing messages escape the policy, so full protection requires pct=100.

What is the difference between DMARC and SPF?

SPF authorizes sending servers, while DMARC ties SPF and DKIM results together with alignment and tells receivers what to do on failure plus where to report. They work together.

Is this lookup safe and private?

Yes. The DMARC lookup runs on our server against public resolvers and only reads your domain's published TXT record, which is already public DNS data.

More email / dns tools

SPF CheckerMX LookupDKIM CheckerEmail Header Analyzer