Query the DMARC policy record for a domain and check email authentication configuration
• Domain: enter a bare domain without https:// (e.g. example.com)
• DMARC records are stored at _dmarc.example.com as TXT records
• Works together with SPF and DKIM to prevent email spoofing
A DMARC (Domain-based Message Authentication, Reporting and Conformance) record lookup queries the _dmarc TXT record for a domain and parses the policy tag (p=), subdomain policy (sp=), applied percentage (pct=), and reporting addresses (rua/ruf). It also flags common configuration issues such as a 'none' policy that provides no protection, a missing reporting address, and a partial pct that reduces enforcement.
Common uses include auditing a domain's email authentication posture, confirming that DMARC policy is enforcing rather than just monitoring, diagnosing DMARC alignment failures by cross-checking with SPF and DKIM lookups, and verifying that aggregate reports are configured so you have visibility into authentication failures.
'none' only monitors — failing mail is delivered. 'quarantine' moves failing mail to spam. 'reject' drops failing mail entirely. Start with 'none' and a reporting address to understand your mail flow before moving to 'quarantine' and then 'reject'.
DMARC requires at least one of SPF or DKIM to pass and be aligned with the From domain. Having both provides redundancy and is strongly recommended. Use the SPF and DKIM tools to verify each independently.
Alignment means the domain in the SPF envelope sender or the DKIM d= tag must match the domain in the message From header. Strict alignment requires an exact match; relaxed (the default) allows organizational domain matches.
'rua' is the address for aggregate reports (daily summaries of authentication results). 'ruf' is for forensic reports (individual samples of failed messages). Setting up rua is strongly recommended to gain visibility into your mail flow.