DMARC record checker
DMARC ties SPF and DKIM together and tells receivers what to do
with mail that fails authentication. Enter a domain to read its
DMARC record at _dmarc, its policy strength, and its
reporting configuration.
Runs the full report, including this check.
What the DMARC check covers
- Presence: a valid record at
_dmarc.yourdomain. - Policy:
p=none(monitor only),p=quarantine, orp=reject(enforced). - Reporting: whether aggregate (
rua) reports are configured so you can see who sends as your domain.
Why the policy strength matters
A policy of none only monitors; it does not stop
spoofing. Moving to quarantine and then
reject is what actually protects a domain from being
impersonated. scan.mx caps the grade when DMARC is missing, since it
is the piece that makes SPF and DKIM enforceable.
Frequently asked questions
What DMARC policy should I use?
Start at p=none with rua reporting to observe your mail streams without affecting delivery. Once SPF and DKIM cover all legitimate sources, move to p=quarantine and then p=reject to block spoofing.
What is DMARC alignment?
Alignment requires the domain in the From header to match the domain validated by SPF or DKIM. Without alignment, a message can pass SPF or DKIM for a different domain and still spoof yours. DMARC only passes when at least one aligns.