Free DMARC Record Checker
Instantly look up and validate any domain's DMARC record. See your policy, reporting addresses, alignment settings, and get actionable recommendations.
What is DMARC?
DMARC (Domain-based Message Authentication, Reporting and Conformance) is a DNS TXT record published at _dmarc.yourdomain.com. It tells receiving mail servers what to do with messages that fail SPF or DKIM authentication: deliver them anyway, send them to spam, or reject them outright.
DMARC does not check email on its own. It builds on top of SPF and DKIM, adding a policy layer and an alignment requirement. For DMARC to pass, the authenticated domain from either SPF or DKIM must match the domain in the message's From header. A message can pass SPF and DKIM individually and still fail DMARC if alignment is wrong.
The reporting side is the part most senders ignore. When you add an rua= address, you receive daily aggregate reports from participating mail providers showing which IPs sent mail claiming to be from your domain and whether those messages passed authentication. These reports are the fastest way to find misconfigured sending services or spoofing attempts before they damage your domain reputation.
Common DMARC failures and what they mean
p=none does not protect you. A policy of p=none tells receiving servers to take no action on failing messages. Mail gets delivered whether it passes authentication or not. This mode is useful for monitoring before you enforce a stricter policy, but it does nothing to stop spoofing while it is active.
Alignment failures are the most common cause of DMARC failure. DMARC requires that the domain in either the SPF MAIL FROM (envelope-from) or the DKIM d= tag matches the domain in the message's From header. If you send through a third-party platform that uses its own domain for the envelope-from and does not sign with your domain in DKIM, DMARC will fail even if SPF and DKIM individually pass.
Three common SPF and DKIM failure scenarios:
- SPF passes, DKIM fails: Your envelope-from domain aligns with your From domain, but the DKIM signature is missing or signed with a third-party domain. Common with ESPs that have not configured DKIM signing for your domain.
- DKIM passes, SPF fails: The DKIM signature uses your domain, but the envelope-from is a third-party address. This is the default for Amazon SES without a custom MAIL FROM configured.
- Both fail: Either the sender is not in your DNS records at all, or there is a DNS misconfiguration on your end.
Relaxed vs. strict alignment. DMARC defaults to relaxed alignment for both DKIM and SPF. In relaxed mode, subdomains are allowed to match: if your From domain is company.com and your DKIM signs with mail.company.com, it passes. In strict mode, the domains must match exactly. Leave alignment at the default relaxed unless you have a specific reason to tighten it.
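The alignment rule above, worked through in code. This is an added example, not the checker's own code: the function names and sample messages are constructed here, and org_domain() is a simplifying assumption that keeps the last two labels instead of consulting the Public Suffix List.

```python
# Added example (not the checker's code): DMARC identifier alignment.
# ASSUMPTION: org_domain() keeps the last two labels. Real receivers use the
# Public Suffix List, so this shortcut is wrong for suffixes such as co.uk.

def org_domain(domain):
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode="r"):
    """mode 'r' = relaxed (same organizational domain), 's' = strict (exact)."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

def dmarc_result(from_domain, spf_pass, mail_from, dkim_sigs, aspf="r", adkim="r"):
    """dkim_sigs is a list of (d= domain, verified) pairs.
    Returns (verdict, reasons); one aligned pass from SPF or DKIM is enough."""
    reasons = []
    spf_ok = spf_pass and aligned(mail_from, from_domain, aspf)
    if spf_pass and not spf_ok:
        reasons.append(f"SPF passed for {mail_from}, not aligned with {from_domain}")
    dkim_ok = False
    for d, verified in dkim_sigs:
        if verified and aligned(d, from_domain, adkim):
            dkim_ok = True
        elif verified:
            reasons.append(f"DKIM d={d} verified, not aligned with {from_domain}")
    return ("pass" if spf_ok or dkim_ok else "fail"), reasons

# Constructed messages modelled on the scenarios described on this page.
AMAZON_ENVELOPE = "0123456789abcdef.us-east-1.amazonses.com"
SCENARIOS = {
    "both third-party": dict(from_domain="yourdomain.com", spf_pass=True,
                             mail_from=AMAZON_ENVELOPE,
                             dkim_sigs=[("amazonses.com", True)]),
    "DKIM aligned only": dict(from_domain="yourdomain.com", spf_pass=True,
                              mail_from=AMAZON_ENVELOPE,
                              dkim_sigs=[("yourdomain.com", True)]),
    "custom MAIL FROM": dict(from_domain="yourdomain.com", spf_pass=True,
                             mail_from="bounce.yourdomain.com",
                             dkim_sigs=[("yourdomain.com", True)]),
}

if __name__ == "__main__":
    for name, msg in SCENARIOS.items():
        print(name, dmarc_result(**msg))
    # Strict mode: bounce.yourdomain.com no longer aligns for SPF.
    print("strict", dmarc_result(**SCENARIOS["custom MAIL FROM"], aspf="s", adkim="s"))
```

The returned reasons name which identifier authenticated without aligning, which is the detail a bare "DMARC fail" hides.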
How to fix DMARC issues on Amazon SES
Amazon SES has two default behaviors that cause DMARC alignment failures. Both are fixable with configuration changes in the SES console and your DNS.
Problem 1: SPF alignment fails by default. When SES sends a message, the envelope-from defaults to a subdomain of amazonses.com, something like 0123456789abcdef.us-east-1.amazonses.com. This does not align with your From domain. SPF may pass for amazonses.com, but DMARC requires the SPF-authenticated domain to align with your domain, so DMARC fails.
Fix: Set up a custom MAIL FROM domain. In the SES console, go to Verified Identities, select your domain, and configure the MAIL FROM domain to a subdomain you control, such as bounce.yourdomain.com. SES provides two DNS records to publish: an MX record and an SPF TXT record (v=spf1 include:amazonses.com ~all). Once those are live and SES confirms the status as verified, SPF will align.
Problem 2: DKIM alignment fails without Easy DKIM. By default, SES signs outgoing messages using amazonses.com as the DKIM signing domain. That does not align with your From domain. You need Easy DKIM or BYODKIM so that SES signs with your own domain.
Fix: In the SES console, go to Verified Identities, select your domain, and open the DKIM section. Enable Easy DKIM and choose RSA-2048. SES generates three CNAME records. Publish them in your DNS. Once SES shows the DKIM status as verified, outgoing messages will be signed with your domain and DKIM alignment will pass.
Recommended sequence:
- Verify your sending domain in SES.
- Enable Easy DKIM and publish the three CNAME records SES provides.
- Configure a custom MAIL FROM domain and publish the required MX and SPF records.
- Add a DMARC record: v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com
- After one to two weeks of aggregate reports, confirm all legitimate SES mail is passing. Move to p=quarantine, then p=reject.
Use the DMARC checker above to confirm your record is publishing correctly after DNS changes go live, which typically takes 24 to 48 hours.
How to read your DMARC record
A DMARC record is a semicolon-separated list of tag-value pairs. The tags that matter most for most senders:
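The semicolon-separated tag=value format can be parsed and sanity-checked as in the following added example, which is not the checker's own code. The function names and finding texts are constructed here; the tags and their defaults are those defined in RFC 7489.

```python
# Added example: parse a DMARC TXT record and flag issues this page discusses.
DEFAULTS = {"adkim": "r", "aspf": "r", "pct": "100"}  # RFC 7489 defaults

def parse_dmarc(txt):
    """Split 'tag=value; tag=value' into a dict; raise ValueError if malformed."""
    pairs = []
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue  # a trailing semicolon is allowed
        if "=" not in part:
            raise ValueError(f"not a tag=value pair: {part!r}")
        name, value = part.split("=", 1)
        pairs.append((name.strip().lower(), value.strip()))
    if not pairs or pairs[0] != ("v", "DMARC1"):
        raise ValueError("record must begin with v=DMARC1")
    tags = dict(DEFAULTS)
    tags.update(pairs)  # published tags override the defaults
    tags["p"] = tags.get("p", "").lower()
    if tags["p"] not in ("none", "quarantine", "reject"):
        raise ValueError("p= must be none, quarantine or reject")
    return tags

def review(txt):
    """Return (tags, findings) for one record."""
    tags = parse_dmarc(txt)
    findings = []
    if tags["p"] == "none":
        findings.append("p=none: monitoring only, failing mail is still delivered")
    if "rua" not in tags:
        findings.append("no rua=: no aggregate reports will be received")
    else:
        for uri in tags["rua"].split(","):
            if not uri.strip().lower().startswith("mailto:"):
                findings.append(f"rua= entry is not a mailto: URI: {uri.strip()}")
    for tag in ("adkim", "aspf"):
        if tags[tag].lower() == "s":
            findings.append(f"{tag}=s: strict alignment, subdomains will not match")
    return tags, findings

if __name__ == "__main__":
    # First record is the one from this page; the second is constructed.
    for rec in ("v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com",
                "v=DMARC1; p=reject; aspf=s;"):
        print(rec, "->", review(rec)[1])
```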