How to Check a DMARC Record Using Command Line (dig & nslookup)
Quick Answer
To check a DMARC record from the command line, use dig on Linux or macOS by running dig TXT _dmarc.example.com, or use nslookup on Windows by running nslookup -type=TXT _dmarc.example.com. Both commands query DNS for the TXT record published at the _dmarc subdomain of any domain.
Checking a DMARC record from the command line is one of the fastest ways to verify that your domain’s email authentication is configured correctly. Unlike web-based lookup tools, command-line utilities like dig and nslookup query DNS directly without any intermediary, giving you raw results that reflect the current state of your domain’s DNS infrastructure. This is especially useful during initial DMARC deployment, after DNS changes, or when troubleshooting delivery issues where you need to confirm that the record a receiving mail server sees matches what you intended to publish. Every system administrator and email security professional should be comfortable running these commands because they are available on virtually every operating system without installing additional software.
The Exact Commands
The two primary tools are dig, which is standard on Linux and macOS, and nslookup, which is available on all platforms and is the default DNS utility on Windows. Both query the same DNS infrastructure and return the same underlying data, but their output formats differ. A DMARC record is always published as a TXT record at the _dmarc subdomain of your domain. So for example.com, the DMARC record lives at _dmarc.example.com. This naming convention is defined in RFC 7489 and is universal across all DMARC implementations regardless of your DNS hosting provider.
How Do You Check DMARC with dig on Linux and macOS?
Open your terminal and run the following command, replacing example.com with your actual domain:
dig TXT _dmarc.example.com +short
The +short flag strips the verbose DNS metadata and returns only the record value. A typical successful response looks like this:
"v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; ruf=mailto:forensics@example.com; adkim=s; aspf=s; pct=100"
If you want the full DNS response including the authority section, TTL values, and query metadata, omit the +short flag:
dig TXT _dmarc.example.com
This produces output that includes the ANSWER SECTION with the TXT record, the query time in milliseconds, the DNS server that responded, and the message size. The TTL value tells you how long the record is cached, which is important when you have recently made changes and are waiting for propagation. If the command returns no answer or NXDOMAIN, it means no DMARC record exists at that subdomain, and you need to create one.
How Do You Check DMARC with nslookup on Windows?
On Windows, open Command Prompt or PowerShell and run:
nslookup -type=TXT _dmarc.example.com
The output will include the DNS server used for the query followed by the non-authoritative answer containing your DMARC record:
Server: resolver1.example-dns.com
Address: 192.0.2.1
Non-authoritative answer:
_dmarc.example.com text = "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com; pct=100"
The “non-authoritative answer” label simply means the response came from a caching resolver rather than the domain’s authoritative nameserver. This is normal and expected for most queries. If you see “DNS request timed out” or no text record in the response, verify that your domain actually has a DMARC record published and that your local DNS resolver is functioning properly.
Reading the Output
Regardless of which tool you use, the important part is the TXT record value itself. Here is what each tag means in the context of your DMARC policy. The v=DMARC1 tag is mandatory and identifies the record as a DMARC policy. The p tag defines the policy applied to messages that fail authentication: none means monitor only, quarantine sends failures to spam, and reject blocks them entirely. The rua tag specifies where aggregate reports are sent, and ruf specifies the forensic report destination. The adkim and aspf tags control alignment strictness for DKIM and SPF respectively, where s means strict and r means relaxed. The pct tag controls what percentage of failing messages the policy applies to, and it defaults to 100 if omitted.
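The following helper is an added example, not code from the article: it parses the string that dig +short returns, extracts the tags described above, and sanity-checks the record so it can be looped over a list of domains. The parsing functions work offline on a pasted record; only dmarc_lookup assumes dig is installed. It also covers two cases the sample output above does not show: a long record returned as several quoted strings, and more than one TXT record at _dmarc, which RFC 7489 tells receivers to treat as no usable policy.

```shell
#!/usr/bin/env bash
# Constructed helper for parsing the DMARC TXT string that `dig +short` prints.
# Added example, not from the article; dmarc_lookup assumes dig is installed.

# Strip dig's surrounding quotes and join a record split into several
# quoted strings ("part one" "part two"); leaves one record per line.
dmarc_unquote() {
    printf '%s\n' "$1" | sed -e 's/" "//g' -e 's/^"//' -e 's/"$//'
}

# One trimmed tag=value per line, in the order they appear in the record.
dmarc_tags() {
    dmarc_unquote "$1" | tr ';' '\n' \
        | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d'
}

# Value of a single tag (first match), or an empty string if it is absent.
dmarc_tag() {
    dmarc_tags "$1" | awk -F= -v tag="$2" '$1 == tag { sub(/^[^=]*=/, ""); print; exit }'
}

# Sanity-check a raw dig answer: exit 0 and print a summary when usable,
# otherwise print the reason and return a non-zero code.
dmarc_check() {
    local record="$1" n v p pct
    [ -n "$record" ] || { echo "no DMARC record published"; return 1; }
    n=$(printf '%s\n' "$record" | awk 'NF { n++ } END { print n + 0 }')
    [ "$n" -eq 1 ] || { echo "$n TXT records at _dmarc; receivers discard DMARC when more than one remains"; return 2; }
    v=$(dmarc_tag "$record" v)
    [ "$v" = "DMARC1" ] || { echo "not a DMARC record (v='$v')"; return 3; }
    p=$(dmarc_tag "$record" p)
    case "$p" in
        none|quarantine|reject) ;;
        *) echo "invalid or missing policy (p='$p')"; return 4 ;;
    esac
    pct=$(dmarc_tag "$record" pct)
    echo "policy=$p pct=${pct:-100} rua=$(dmarc_tag "$record" rua)"
}

# Live lookup for one domain, e.g. dmarc_lookup example.com
dmarc_lookup() {
    dmarc_check "$(dig TXT "_dmarc.$1" +short 2>/dev/null)"
}
```

To check many domains, run dmarc_lookup in a loop over a domain list and act on its exit code; the reason string on stdout tells you which failure case applied.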
Is There a PowerShell Alternative?
PowerShell provides the Resolve-DnsName cmdlet, which offers more structured output than nslookup and is easier to incorporate into scripts:
Resolve-DnsName -Name "_dmarc.example.com" -Type TXT | Select-Object -ExpandProperty Strings
This returns just the record string without the surrounding DNS metadata. You can pipe this into further PowerShell processing to extract individual tag values, compare against expected configurations, or generate reports across multiple domains. For administrators managing Windows environments, this is often the most practical approach because the output integrates naturally with other PowerShell-based management scripts and can be exported to CSV or fed into monitoring dashboards.
Should You Use CLI or a Web Tool?
Command-line tools and web-based checkers like DMARC Report’s free checker serve complementary purposes. The CLI gives you raw, unfiltered DNS data and works in environments without browser access, such as SSH sessions on remote servers. It is also scriptable, meaning you can check hundreds of domains in a loop with a simple bash script. Web tools add value by parsing the record, validating syntax against the RFC specification, highlighting misconfigurations, and presenting results in a human-friendly format. According to Cisco’s 2024 Email Security Threat Report, organizations that combine automated monitoring with manual verification catch configuration drift 74% faster than those relying on periodic manual checks alone. The best practice is to use CLI tools for quick verification and scripted monitoring, and web tools for deeper analysis and onboarding new domains.
Troubleshooting Common Issues
Why does dig return an empty answer?
An empty answer means no TXT record exists at _dmarc.yourdomain.com. Double-check that you published the record at the correct subdomain. A common mistake is entering the full name _dmarc.yourdomain.com in the host field of a zone for yourdomain.com, which results in an effective hostname of _dmarc.yourdomain.com.yourdomain.com. In most DNS interfaces, you should enter only _dmarc as the hostname since the zone suffix is appended automatically.
Why do I see a different record than what I just published?
DNS caching is the usual cause. Your previous record or the absence of a record may be cached by your local resolver for the duration of the TTL. You can bypass your local cache by querying a public resolver directly:
dig TXT _dmarc.example.com @8.8.8.8 +short
This sends the query to Google’s public DNS resolver, which may have a fresher cache than your ISP’s resolver.
Why does my record show but emails still fail DMARC?
A valid DMARC record in DNS does not guarantee that all your email passes authentication. DMARC requires that either SPF or DKIM passes and aligns with the From header domain. Check your SPF and DKIM configurations separately and review your DMARC aggregate reports to identify which sending sources are failing alignment.
FAQ
Can I check DMARC records for any domain?
Yes. DMARC records are public DNS records, so you can query any domain’s DMARC configuration using dig or nslookup without any special permissions or authentication.
How long does DNS propagation take for a new DMARC record?
DNS propagation typically completes within 24 to 48 hours, though many resolvers pick up changes within minutes. The TTL of your DNS zone controls how long old records are cached before resolvers fetch the updated version.
What if my domain has no DMARC record at all?
Without a DMARC record, receiving servers have no policy to apply to messages failing SPF or DKIM checks. This leaves your domain vulnerable to spoofing. Start by publishing a p=none record with a rua tag so you can collect aggregate reports and understand your email ecosystem before moving toward enforcement.
CTO of DuoCircle. Leads engineering for DMARC Report and DuoCircle's email security product portfolio.