Free Tool

DMARC policy validator

Verify DMARC DNS records are correctly configured. Check policy enforcement, alignment requirements, and reporting setup.

What It Does

Retrieve and validate your DMARC DNS record. We check policy strictness (none/quarantine/reject), verify reporting email addresses, validate alignment modes, test subdomain policies, and confirm syntax compliance.

See if your DMARC actually protects against spoofing or just monitors silently.

Why It Matters

DMARC is your anti-spoofing shield—but only if configured correctly. Most domains set p=none (monitor only) and never upgrade to enforcement, leaving them vulnerable.

Wrong RUA/RUF addresses mean you never get failure reports. Misaligned SPF/DKIM causes legitimate emails to fail. This validator ensures your DMARC actually protects your domain.

Key Features

DNS _dmarc record lookup
Policy level analysis (none/quarantine/reject)
Alignment mode checking (relaxed vs strict)
Reporting address validation (rua/ruf)
Subdomain policy detection
Percentage rollout checking
Forensic reporting configuration
Policy recommendation engine

How To Use

  1. 1Enter your domain
  2. 2Click "Check DMARC"
  3. 3Verify record exists at _dmarc.yourdomain.com
  4. 4Review policy level (upgrade from "none" when ready)
  5. 5Check alignment requirements (SPF + DKIM)
  6. 6Verify reporting emails are correct
  7. 7Review subdomain handling

Common Issues Detected

  • No DMARC record found
  • Policy set to "none" (monitoring only—no protection)
  • Invalid reporting email addresses
  • Reports being sent to non-existent addresses
  • Overly strict alignment (causing legit mail to fail)
  • Missing subdomain policy
  • Percentage rollout stuck at testing phase
  • Syntax errors breaking record

Best Practices

  • Start with p=none to monitor (2-4 weeks)
  • Analyze DMARC reports to find legit sources
  • Move to p=quarantine at pct=10, gradually increase
  • Eventually enforce p=reject at pct=100
  • Use rua= for aggregate reports (daily digests)
  • Set ruf= for forensic reports (realtime failures)
  • Apply sp= for subdomain protection
  • Use professional DMARC report analyzer