Free DMARC Analyzer & Policy Generator

Check your DMARC record, analyze your email authentication policy, and build a new DMARC policy with our step-by-step wizard.

DMARC Policy Validator

Analyze your DMARC policy, check alignment settings, and verify reporting configuration

Enter your root domain (DMARC is checked at _dmarc.example.com)

DMARC Record Wizard

Build a DMARC record step-by-step with our guided wizard

1
DomainEnter your domain information
2
PolicyChoose your DMARC policy
3
AlignmentConfigure alignment modes
4
ReportingSet up report recipients
5
RolloutPlan gradual deployment
6
GenerateGet your DMARC record

Enter Your Domain

This is the domain you want to protect with DMARC. The DMARC record will be created at _dmarc.yourdomain.com

Enter your root domain (without www or subdomains)

What is DMARC (Domain-based Message Authentication, Reporting & Conformance)?

Overview

DMARC is an email authentication protocol that builds on SPF and DKIM to prevent email spoofing and phishing attacks. It allows domain owners to specify what should happen when an email fails SPF or DKIM checks, and provides detailed reporting on email authentication results.

How DMARC Works

  1. Email Received: A receiving mail server gets an email claiming to be from your domain
  2. SPF/DKIM Check: The server checks if the email passes SPF and/or DKIM authentication
  3. DMARC Lookup: The server retrieves your DMARC policy from DNS at _dmarc.yourdomain.com
  4. Alignment Check: DMARC verifies that the domain in the From: header aligns with the domains in SPF/DKIM
  5. Policy Application: Based on your policy (none/quarantine/reject), the server takes action on failed messages
  6. Reporting: The receiving server sends aggregate reports back to addresses specified in your DMARC record

DMARC Policy Modes

PolicyAction on FailureUse Case
p=noneMonitor only, no actionInitial setup, gathering data
p=quarantineSend to spam/junk folderIntermediate protection
p=rejectBlock delivery completelyMaximum protection (recommended)

Understanding DMARC Alignment

DMARC alignment ensures that the domain in the email's From: header matches the domain authenticated by SPF or DKIM. There are two alignment modes:

  • Relaxed (r): Subdomains are allowed to match. For example, mail.example.com aligns with example.com. This is the default and recommended for most organizations.
  • Strict (s): Only exact domain matches are allowed. mail.example.com would NOT align with example.com. Use this for maximum security when you have full control over all sending sources.

DMARC Reporting

DMARC provides two types of reports that help you monitor your email authentication:

Aggregate Reports (rua=)

Daily XML reports summarizing all authentication results. These reports show which IP addresses are sending email as your domain, whether they're passing SPF/DKIM/DMARC, and what actions were taken. Essential for monitoring and troubleshooting.

Forensic Reports (ruf=)

Real-time reports of individual authentication failures. These include copies of the failed messages for detailed analysis. Note: Most receivers don't send forensic reports due to privacy concerns. Aggregate reports are more commonly used.

Gradual DMARC Rollout Strategy

Implementing DMARC requires a careful, phased approach to avoid blocking legitimate email. Here's the recommended rollout strategy:

Phase 1 (Weeks 1-4):

Start with p=none to monitor email authentication without affecting delivery. Review aggregate reports to identify all legitimate sending sources.

Phase 2 (Weeks 5-8):

Upgrade to p=quarantine; pct=10 to start taking action on 10% of failures. Gradually increase the percentage while monitoring reports.

Phase 3 (Weeks 9-12):

Move to full quarantine p=quarantine; pct=100, then finally to p=reject for maximum protection. Ensure all legitimate sources are authenticated first.

Common DMARC Issues

  • No DMARC Record: Without DMARC, you have no control over how receivers handle spoofed emails from your domain
  • Policy Too Weak: p=none provides visibility but no protection against spoofing
  • Missing SPF/DKIM: DMARC requires at least one of SPF or DKIM to pass with alignment
  • Alignment Failures: From: header domain doesn't match SPF or DKIM authenticated domains
  • Subdomain Gaps: No subdomain policy (sp=) leaves subdomains vulnerable
  • No Reporting: Missing rua= means you won't receive aggregate reports to monitor authentication
  • Too Aggressive Rollout: Jumping directly to p=reject can block legitimate email if sources aren't properly authenticated

DMARC Best Practices

  • Always start with p=none and monitor reports for at least 2-4 weeks
  • Set up aggregate reporting (rua=) to receive daily authentication summaries
  • Use the pct= tag for gradual rollout (e.g., pct=25 applies policy to 25% of messages)
  • Configure a subdomain policy (sp=) to protect subdomains from spoofing
  • Use relaxed alignment (aspf=r, adkim=r) unless you have specific security requirements
  • Ensure all legitimate sending sources have SPF and DKIM properly configured
  • Work towards p=reject as your end goal for maximum protection
  • Regularly review DMARC reports to identify authentication issues
  • Document all authorized email sending sources and their authentication methods
  • Consider using a DMARC reporting service to parse and analyze aggregate reports

DMARC Record Example

v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.com; ruf=mailto:forensics@example.com; aspf=r; adkim=r

Breakdown:

  • v=DMARC1 - DMARC version
  • p=reject - Reject emails that fail DMARC
  • sp=reject - Also reject for subdomains
  • pct=100 - Apply policy to 100% of messages
  • rua=mailto:dmarc@example.com - Send aggregate reports here
  • ruf=mailto:forensics@example.com - Send forensic reports here
  • aspf=r - Relaxed SPF alignment
  • adkim=r - Relaxed DKIM alignment