--- title: "How to Check a DMARC Record Using Command Line (dig & nslookup) | DMARC Report" description: "Step-by-step guide to checking DMARC records from the command line using dig on Linux/macOS and nslookup on Windows. Includes output interpretation and troubleshooting." image: "https://dmarcreport.com/og/blog/how-to-check-dmarc-record-command-line-dig-nslookup.png" canonical: "https://dmarcreport.com/blog/how-to-check-dmarc-record-command-line-dig-nslookup/" --- Quick Answer To check a DMARC record from the command line, use dig on Linux or macOS by running dig TXT \_dmarc.example.com, or use nslookup on Windows by running nslookup -type=TXT \_dmarc.example.com. Both commands query DNS for the TXT record published at the \_dmarc subdomain of any domain. Related: [Free DMARC Checker](/tools/dmarc-checker/) Share [ ](https://www.linkedin.com/sharing/share-offsite/?url=undefined%2Fblog%2Fhow-to-check-dmarc-record-command-line-dig-nslookup%2F "Share on LinkedIn") [ ](https://twitter.com/intent/tweet?text=How%20to%20Check%20a%20DMARC%20Record%20Using%20Command%20Line%20%28dig%20%26%20nslookup%29&url=undefined%2Fblog%2Fhow-to-check-dmarc-record-command-line-dig-nslookup%2F "Share on X/Twitter") [ ](https://www.facebook.com/sharer/sharer.php?u=undefined%2Fblog%2Fhow-to-check-dmarc-record-command-line-dig-nslookup%2F "Share on Facebook") [ ](https://reddit.com/submit?url=undefined%2Fblog%2Fhow-to-check-dmarc-record-command-line-dig-nslookup%2F&title=How%20to%20Check%20a%20DMARC%20Record%20Using%20Command%20Line%20%28dig%20%26%20nslookup%29 "Share on Reddit") [ ](mailto:?subject=How%20to%20Check%20a%20DMARC%20Record%20Using%20Command%20Line%20%28dig%20%26%20nslookup%29&body=Check out this article: undefined%2Fblog%2Fhow-to-check-dmarc-record-command-line-dig-nslookup%2F "Share via Email") ![How to Check a DMARC Record Using Command Line (dig & nslookup)](https://media.mailhop.org/dmarcreport/images/2022/04/dmarc-record-6071.jpg) ## Try Our Free DMARC Checker Validate your DMARC policy, check alignment settings, and verify reporting configuration. [ Check DMARC Record → ](/tools/dmarc-checker/) Checking a DMARC record from the command line is one of the fastest ways to verify that your domain’s email authentication is configured correctly. Unlike web-based lookup tools, command-line utilities like `dig` and `nslookup` query DNS directly without any intermediary, giving you raw results that reflect the current state of your domain’s DNS infrastructure. This is especially useful during initial DMARC deployment, after DNS changes, or when troubleshooting delivery issues where you need to confirm that the record a receiving mail server sees matches what you intended to publish. Every system administrator and email security professional should be comfortable running these commands because they are available on virtually every operating system without installing additional software. ## The Exact Commands The two primary tools are `dig`, which is standard on Linux and macOS, and `nslookup`, which is available on all platforms but is the default DNS utility on Windows. Both query the same DNS infrastructure and return the same underlying data, but their output formats differ. A DMARC record is always published as a TXT record at the `_dmarc` subdomain of your domain. So for `example.com`, the DMARC record lives at `_dmarc.example.com`. This naming convention is defined in RFC 7489 and is universal across all DMARC implementations regardless of your DNS hosting provider. ## How Do You Check DMARC with dig on Linux and macOS? Open your terminal and run the following command, replacing `example.com` with your actual domain: ``` dig TXT _dmarc.example.com +short ``` The `+short` flag strips the verbose DNS metadata and returns only the record value. A typical successful response looks like this: ``` "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; ruf=mailto:forensics@example.com; adkim=s; aspf=s; pct=100" ``` If you want the full DNS response including the authority section, TTL values, and query metadata, omit the `+short` flag: ``` dig TXT _dmarc.example.com ``` This produces output that includes the ANSWER SECTION with the TXT record, the query time in milliseconds, the DNS server that responded, and the message size. The TTL value tells you how long the record is cached, which is important when you have recently made changes and are waiting for propagation. If the command returns no answer or `NXDOMAIN`, it means no DMARC record exists at that subdomain, and you need to create one. ## How Do You Check DMARC with nslookup on Windows? On Windows, open Command Prompt or PowerShell and run: ``` nslookup -type=TXT _dmarc.example.com ``` The output will include the DNS server used for the query followed by the non-authoritative answer containing your DMARC record: ``` Server: resolver1.example-dns.com Address: 192.0.2.1 Non-authoritative answer: _dmarc.example.com text = "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com; pct=100" ``` The “non-authoritative answer” label simply means the response came from a caching resolver rather than the domain’s authoritative nameserver. This is normal and expected for most queries. If you see “DNS request timed out” or no text record in the response, verify that your domain actually has a DMARC record published and that your local DNS resolver is functioning properly. ## Reading the Output Regardless of which tool you use, the important part is the TXT record value itself. Here is what each tag means in the context of your DMARC policy. The `v=DMARC1` tag is mandatory and identifies the record as a DMARC policy. The `p` tag defines the policy applied to messages that fail authentication: `none` means monitor only, `quarantine` sends failures to spam, and `reject` blocks them entirely. The `rua` tag specifies where aggregate reports are sent, and `ruf` specifies the forensic report destination. The `adkim` and `aspf` tags control alignment strictness for DKIM and SPF respectively, where `s` means strict and `r` means relaxed. The `pct` tag controls what percentage of failing messages the policy applies to, and it defaults to 100 if omitted. ## Is There a PowerShell Alternative? PowerShell provides the `Resolve-DnsName` cmdlet, which offers more structured output than `nslookup` and is easier to incorporate into scripts: ``` Resolve-DnsName -Name "_dmarc.example.com" -Type TXT | Select-Object -ExpandProperty Strings ``` This returns just the record string without the surrounding DNS metadata. You can pipe this into further PowerShell processing to extract individual tag values, compare against expected configurations, or generate reports across multiple domains. For administrators managing Windows environments, this is often the most practical approach because the output integrates naturally with other PowerShell-based management scripts and can be exported to CSV or fed into monitoring dashboards. ## Should You Use CLI or a Web Tool? Command-line tools and web-based checkers like [DMARC Report’s free checker](/tools/dmarc-checker/) serve complementary purposes. The CLI gives you raw, unfiltered DNS data and works in environments without browser access, such as SSH sessions on remote servers. It is also scriptable, meaning you can check hundreds of domains in a loop with a simple bash script. Web tools add value by parsing the record, validating syntax against the RFC specification, highlighting misconfigurations, and presenting results in a human-friendly format. According to Cisco’s 2024 Email Security Threat Report, organizations that combine automated monitoring with manual verification catch configuration drift 74% faster than those relying on periodic manual checks alone. The best practice is to use CLI tools for quick verification and scripted monitoring, and web tools for deeper analysis and onboarding new domains. ## Troubleshooting Common Issues ### Why does dig return an empty answer? An empty answer means no TXT record exists at `_dmarc.yourdomain.com`. Double-check that you published the record at the correct subdomain. A common mistake is creating the record at `_dmarc.yourdomain.com` inside a zone for `yourdomain.com`, resulting in an effective hostname of `_dmarc.yourdomain.com.yourdomain.com`. In most DNS interfaces, you should enter only `_dmarc` as the hostname since the zone suffix is appended automatically. ### Why do I see a different record than what I just published? DNS caching is the usual cause. Your previous record or the absence of a record may be cached by your local resolver for the duration of the TTL. You can bypass your local cache by querying a public resolver directly: ``` dig TXT _dmarc.example.com @8.8.8.8 +short ``` This sends the query to Google’s public DNS resolver, which may have a fresher cache than your ISP’s resolver. ### Why does my record show but emails still fail DMARC? A valid DMARC record in DNS does not guarantee that all your email passes authentication. DMARC requires that either SPF or DKIM passes and aligns with the `From` header domain. Check your SPF and DKIM configurations separately and review your DMARC aggregate reports to identify which sending sources are failing alignment. ## FAQ ### Can I check DMARC records for any domain? Yes. DMARC records are public DNS records, so you can query any domain’s DMARC configuration using `dig` or `nslookup` without any special permissions or authentication. ### How long does DNS propagation take for a new DMARC record? DNS propagation typically completes within 24 to 48 hours, though many resolvers pick up changes within minutes. The TTL of your DNS zone controls how long old records are cached before resolvers fetch the updated version. ### What if my domain has no DMARC record at all? Without a DMARC record, receiving servers have no policy to apply to messages failing SPF or DKIM checks. This leaves your domain vulnerable to spoofing. Start by publishing a `p=none` record with a `rua` tag so you can collect aggregate reports and understand your email ecosystem before moving toward enforcement. ## Topics [ DMARC ](/tags/dmarc/)[ dmarc record ](/tags/dmarc-record/)[ dns record ](/tags/dns-record/)[ email security ](/tags/email-security/)[ command line ](/tags/command-line/)[ dig ](/tags/dig/)[ nslookup ](/tags/nslookup/) ![Adam Lundrigan](https://media.mailhop.org/dmarcreport/images/authors/adam-lundrigan.jpg) [ Adam Lundrigan ](/authors/adam-lundrigan/) CTO CTO of DuoCircle. Leads engineering for DMARC Report and DuoCircle's email security product portfolio. [LinkedIn Profile →](https://www.linkedin.com/in/adamlundrigan/) ## Take control of your DMARC reports Turn raw XML into actionable dashboards. Start free - no credit card required. [Start Free Trial](https://app.dmarcreport.com/) [Check Your DMARC Record](/tools/dmarc-checker/) ## Related Articles [ Intermediate 6m How to Generate a DMARC Record for Subdomains: sp= Tag Guide Apr 13, 2026 ](/blog/generate-dmarc-record-subdomains-sp-tag-guide/)[ Intermediate 5m How to Add a DMARC Record in Cloudflare: Step-by-Step DNS Guide Apr 11, 2026 ](/blog/how-to-add-dmarc-record-cloudflare-dns-setup-guide/)[ Foundational 14m Add TXT Record on Namecheap (SPF, DKIM & DMARC) - 2026 Mar 5, 2025 ](/blog/add-txt-record-on-namecheap-a-complete-dns-guide/)[ Foundational 12m Adding SPF Records To Your Domain For Outlook Email Authentication Sep 25, 2025 ](/blog/adding-spf-records-to-your-domain-for-outlook-email-authentication/) ```json {"@context":"https://schema.org","@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com","logo":{"@type":"ImageObject","url":"https://dmarcreport.com/images/dmarcreport-logo.png"},"description":"DMARC reporting and email authentication management. Monitor aggregate and forensic DMARC reports, analyze authentication results, and enforce DMARC policies across all your domains.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]},"sameAs":["https://www.wikidata.org/wiki/Q138898167","https://www.linkedin.com/company/duocircle","https://x.com/duocirclellc","https://www.g2.com/products/dmarc-report/reviews","https://github.com/duocircle","https://www.crunchbase.com/organization/duocircle-llc","https://www.trustradius.com/products/duocircle/reviews"],"aggregateRating":{"@type":"AggregateRating","ratingValue":"4.8","reviewCount":"470","bestRating":"5","worstRating":"1","url":"https://www.g2.com/products/dmarc-report/reviews"},"contactPoint":{"@type":"ContactPoint","contactType":"customer support","url":"https://dmarcreport.com/support/"},"knowsAbout":["DMARC","DMARC Reporting","DMARC Aggregate Reports","DMARC Forensic Reports","Sender Policy Framework","DKIM","Email Authentication","Email Security","DNS Management","Email Deliverability"]} ``` ```json {"@context":"https://schema.org","@type":"WebSite","name":"DMARC Report","url":"https://dmarcreport.com","description":"DMARC reporting and email authentication management. Monitor aggregate and forensic DMARC reports, analyze authentication results, and enforce DMARC policies across all your domains.","publisher":{"@type":"Organization","name":"DMARC Report","url":"https://dmarcreport.com","logo":{"@type":"ImageObject","url":"https://dmarcreport.com/images/dmarcreport-logo.png"},"description":"DMARC reporting and email authentication management. Monitor aggregate and forensic DMARC reports, analyze authentication results, and enforce DMARC policies across all your domains.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]}}} ``` ```json [{"@context":"https://schema.org","@type":"BlogPosting","headline":"How to Check a DMARC Record Using Command Line (dig & nslookup)","description":"Step-by-step guide to checking DMARC records from the command line using dig on Linux/macOS and nslookup on Windows. Includes output interpretation and troubleshooting.","url":"https://dmarcreport.com/blog/how-to-check-dmarc-record-command-line-dig-nslookup/","datePublished":"2026-04-09T12:00:00.000Z","dateModified":"2026-04-16T15:53:43.000Z","dateCreated":"2026-04-09T12:00:00.000Z","author":{"@type":"Person","@id":"https://dmarcreport.com/authors/adam-lundrigan/#person","name":"Adam Lundrigan","url":"https://dmarcreport.com/authors/adam-lundrigan/","jobTitle":"CTO","description":"Adam Lundrigan is the Chief Technology Officer of DuoCircle, where he leads engineering across DMARC Report, AutoSPF, and the company's email security portfolio. His technical focus includes DMARC report processing infrastructure, DNS monitoring systems, and the SPF evaluation logic that powers DuoCircle's authentication tools.","image":"https://media.mailhop.org/dmarcreport/images/authors/adam-lundrigan.jpg","knowsAbout":["DMARC Report Processing","DNS Architecture","Email Authentication","SaaS Engineering","DNS Monitoring","Infrastructure Automation"],"worksFor":{"@type":"Organization","name":"DMARC Report","url":"https://dmarcreport.com"},"sameAs":["https://www.linkedin.com/in/adamlundrigan/"]},"publisher":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com","logo":{"@type":"ImageObject","url":"https://dmarcreport.com/images/dmarcreport-logo.png"},"description":"DMARC reporting and email authentication management. Monitor aggregate and forensic DMARC reports, analyze authentication results, and enforce DMARC policies across all your domains.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]},"sameAs":["https://www.wikidata.org/wiki/Q138898167","https://www.linkedin.com/company/duocircle","https://x.com/duocirclellc","https://www.g2.com/products/dmarc-report/reviews","https://github.com/duocircle","https://www.crunchbase.com/organization/duocircle-llc","https://www.trustradius.com/products/duocircle/reviews"],"aggregateRating":{"@type":"AggregateRating","ratingValue":"4.8","reviewCount":"470","bestRating":"5","worstRating":"1","url":"https://www.g2.com/products/dmarc-report/reviews"},"contactPoint":{"@type":"ContactPoint","contactType":"customer support","url":"https://dmarcreport.com/support/"},"knowsAbout":["DMARC","DMARC Reporting","DMARC Aggregate Reports","DMARC Forensic Reports","Sender Policy Framework","DKIM","Email Authentication","Email Security","DNS Management","Email Deliverability"]},"mainEntityOfPage":{"@type":"WebPage","@id":"https://dmarcreport.com/blog/how-to-check-dmarc-record-command-line-dig-nslookup/"},"articleSection":"intermediate","keywords":"DMARC, dmarc record, dns record, email security, command line, dig, nslookup","wordCount":1100,"image":{"@type":"ImageObject","url":"https://media.mailhop.org/dmarcreport/images/2022/04/dmarc-record-6071.jpg","caption":"How to Check a DMARC Record Using Command Line (dig & nslookup)","width":900,"height":600},"speakable":{"@type":"SpeakableSpecification","cssSelector":[".answer-block","h1"]}},{"@context":"https://schema.org","@type":"FAQPage","mainEntity":[{"@type":"Question","name":"Why does dig return an empty answer?","acceptedAnswer":{"@type":"Answer","text":"An empty answer means no TXT record exists at `_dmarc.yourdomain.com`. Double-check that you published the record at the correct subdomain. A common mistake is creating the record at `_dmarc.yourdomain.com` inside a zone for `yourdomain.com`, resulting in an effective hostname of `_dmarc.yourdoma..."}},{"@type":"Question","name":"Why do I see a different record than what I just published?","acceptedAnswer":{"@type":"Answer","text":"DNS caching is the usual cause. Your previous record or the absence of a record may be cached by your local resolver for the duration of the TTL. You can bypass your local cache by querying a public resolver directly:"}},{"@type":"Question","name":"Why does my record show but emails still fail DMARC?","acceptedAnswer":{"@type":"Answer","text":"A valid DMARC record in DNS does not guarantee that all your email passes authentication. DMARC requires that either SPF or DKIM passes and aligns with the `From` header domain. Check your SPF and DKIM configurations separately and review your DMARC aggregate reports to identify which sending sou..."}},{"@type":"Question","name":"Can I check DMARC records for any domain?","acceptedAnswer":{"@type":"Answer","text":"Yes. DMARC records are public DNS records, so you can query any domain's DMARC configuration using `dig` or `nslookup` without any special permissions or authentication."}},{"@type":"Question","name":"How long does DNS propagation take for a new DMARC record?","acceptedAnswer":{"@type":"Answer","text":"DNS propagation typically completes within 24 to 48 hours, though many resolvers pick up changes within minutes. The TTL of your DNS zone controls how long old records are cached before resolvers fetch the updated version."}},{"@type":"Question","name":"What if my domain has no DMARC record at all?","acceptedAnswer":{"@type":"Answer","text":"Without a DMARC record, receiving servers have no policy to apply to messages failing SPF or DKIM checks. This leaves your domain vulnerable to spoofing. Start by publishing a `p=none` record with a `rua` tag so you can collect aggregate reports and understand your email ecosystem before moving t..."}}]}] ``` ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https://dmarcreport.com/"},{"@type":"ListItem","position":2,"name":"Blog","item":"https://dmarcreport.com/blog/"},{"@type":"ListItem","position":3,"name":"Intermediate","item":"https://dmarcreport.com/intermediate/"},{"@type":"ListItem","position":4,"name":"How to Check a DMARC Record Using Command Line (dig & nslookup)","item":"https://dmarcreport.com/blog/how-to-check-dmarc-record-command-line-dig-nslookup/"}]} ```