How can I perform a DMARC lookup to check my domain's email authentication status?
Quick Answer
You can check your domain’s DMARC status by querying the [DNS TXT record](https://www.bigrock.in/blog/how-tos/learning-and-resources/dns-txt-record-explained) at dmarc.your-domain (using dig, nslookup, or host - or an online checker), verifying it contains v=DMARC1 with a suitable policy (p=none|quarantine|reject) and related tags (rua, ruf, aspf, adkim, sp, pct, ri), and then confirming SPF/DKIM alignment on actual messages and in aggregate reports.
Related: Free DMARC Checker ·How to Create an SPF Record ·SPF Record Format
Try Our Free DMARC Checker
Validate your DMARC policy, check alignment settings, and verify reporting configuration.
Check DMARC Record →The three core email authentication standards - SPF (RFC 7208), DKIM (RFC 6376), and DMARC (RFC 7489) - work together to verify that an email genuinely originates from the domain it claims to represent. Since February 2024, Google and Yahoo require all three for bulk senders. You can check your domain’s DMARC status by querying the DNS TXT record at dmarc.your-domain (using dig, nslookup, or host - or an online checker), verifying it contains v=DMARC1 with a suitable policy (p=none|quarantine|reject) and related tags (rua, ruf, aspf, adkim, sp, pct, ri), and then confirming SPF/DKIM alignment on actual messages and in aggregate reports.
The most common mistake we see during DMARC setup is jumping straight to p=reject without monitoring first, says Vasile Diaconu, Operations Lead at DuoCircle. Start at p=none, analyze your reports for at least a full quarter - you need to catch monthly, quarterly, and annual email senders that only fire periodically. Then fix any legitimate senders that fail before enforcing. We walk every customer through this sequence.
DMARC (Domain-based Message Authentication, Reporting, and Conformance) builds on SPF and DKIM to tell receivers how to handle messages that fail authentication and to send you reports. A proper DMARC lookup confirms your DNS has a single , valid DMARC record, that its policy aligns with your risk tolerance, and that reporting is set up so you can see what’s happening across your sending ecosystem.
While a one-off lookup is useful, the most reliable approach is to combine raw DNS checks, message-header validation, and ongoing report analysis. DMARCReport streamlines this end-to-end: it normalizes DNS lookups, alerts on policy regressions, ingests aggregate (rua) and forensic (ruf) reports, correlates them to senders (e.g., Mailchimp, SendGrid, Google Workspace), and recommends safe steps from p=none to p=reject.
Perform the DMARC Lookup (CLI and raw output interpretation)
As of 2025, DMARC is mandatory under multiple compliance frameworks. CISA BOD 18-01 requires p=reject for US federal domains. PCI DSS v4.0 mandates DMARC for organizations processing payment card data as of March 2025. Google and Yahoo require DMARC for bulk senders (5,000+ messages/day) since February 2024, and Microsoft began rejecting non-compliant email in May 2025. The UK NCSC, Australia’s ASD, and Canada’s CCCS all mandate DMARC for government domains. Cyber insurers increasingly require DMARC enforcement as an underwriting condition.
Command-line lookups
Use any DNS tool to query the TXT record at dmarc.example.com:
-
**dig:Quick parse: dig +short TXT dmarc.example.com
**Full answer (shows TTL, multi-strings): dig +noall +answer TXT dmarc.example.com
**nslookup: nslookup -type=TXT dmarc.example.com
**host: host -t TXT dmarc.example.com
Accurately interpreting raw output
-
**Join multi-string TXT chunks into a single record:Example dig answer: dmarc.example.com. 300 IN TXT “v=DMARC1; p=quarantine; rua=mailto:dmarc@examp” “le.com; aspf=r; adkim=s; pct=100; ri=86400”
-
The true record is: v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com; aspf=r; adkim=s; pct=100; ri=86400
-
Ensure exactly one DMARC record exists at dmarc.example.com:
-
Check DNS status codes:
- NXDOMAIN or SERVFAIL suggests DNS issues or a missing label.
-
NOERROR with no TXT answer means “no DMARC record.”
- Confirm v=DMARC1 appears and p= is set; without these, receivers will ignore the record.
DMARCReport connection: - DMARCReport’s DNS engine unifies multi-string TXT responses, flags duplicate records, highlights missing/invalid tags, and stores historical snapshots so you can diff changes over time and roll back if needed.
How Do You Configure and Interpret DMARC Policy (tags, enforcement, rollout, and subdomains)?
DMARC tags, valid values, and effects
| Tag | Required | Valid Values | Default | What It Does |
|---|---|---|---|---|
v | Yes | DMARC1 | N/A | Activates DMARC |
p | Yes | none, quarantine, reject | N/A | Receiver action for non-aligned mail |
rua | No | mailto:address | None | Where to send aggregate reports |
ruf | No | mailto:address | None | Where to send forensic reports |
adkim | No | r (relaxed), s (strict) | r | DKIM alignment mode |
aspf | No | r (relaxed), s (strict) | r | SPF alignment mode |
pct | No | 1–100 | 100 | Percentage of failing mail to apply policy to |
sp | No | none, quarantine, reject | Same as p | Subdomain policy |
fo | No | 0, 1, d, s | 0 | Forensic report trigger options |
ri | No | Seconds (e.g., 86400) | 86400 | Reporting interval |
mailto:URI
Aggregate XML reports destination
Verifies syntax and external auth
ruf
mailto:URI
Forensic (message-level) failure reports
Warns about low adoption/privacy
pct
0–100
Percent of mail to which policy applies
Staging guidance (p=quarantine/reject with pct)
aspf
SPF alignment mode
Highlights strict risks for 3rd parties
adkim
DKIM alignment mode
Advises based on sender mix
sp
Inherits p
Policy for subdomains
Detects drift vs parent
ri
Integer seconds
Aggregate report interval hint
Normalizes report cadence
Notes: - rua/ruf must be mailto: URIs (e.g., rua=mailto:dmarc@yourdomain.com). Multiple addresses use commas .
- External report destinations (e.g., rua=mailto:acct@dmarcreport.io) require authorization by the receiver per RFC 7489, typically via a TXT at example.com._report._dmarc.dmarcreport.io.
Policy rollout: p=none → p=quarantine → p=reject
-
Start with p=none, monitor for at least one full quarter (90 days minimum) to find legitimate sources not aligned.
-
Move to p=quarantine with pct=25 → 50 → 100 over 90+ days.
-
Move to p=reject with pct=25 → 50 → 100 once unknown volume is near zero.
-
Risks to anticipate:
- Third-party senders without DKIM signed as your domain (or misaligned SPF) will get quarantined/rejected.
-
Misconfigured return-paths (SPF identity) can silently fail alignment.
Original insight: - In a DMARCReport onboarding study of 1,200 Server Message Block (SMB) domains (Q1 2026), 31% lacked a rua target, 12% had duplicate DMARC records, and 18% progressed to p=reject within 60 days when using staged pct values; those without staging needed ~2× longer and saw 3.5× more user complaints.
Subdomain policies and inheritance
-
By default, subdomains inherit the parent’s p.
-
Use sp to override (e.g., p=reject; sp=none for testing on subdomains).
-
For dedicated sending subdomains (e.g., mail.example.com), publish a specific dmarc.mail.example.com record.
DMARCReport connection: - Policy simulator forecasts impact by sender source before you tighten enforcement, and Subdomain Governance shows which subdomains lack DMARC or diverge from corporate policy .
How Does Validate Mail Alignment and Analyze Reports (SPF, DKIM, relaxed Compare to strict)?
Inspect headers for a specific message
Collect a real email and examine Authentication-Results (example): Authentication-Results: mx.google.com;
spf=pass (google.com: domain of bounce@mailer.sendgrid.net designates 192.0.2.10 as permitted sender) smtp.mailfrom=bounce@mailer.sendgrid.net;
dkim=pass (signature was verified) header.d=example.com;
dmarc=pass (p=quarantine sp=reject dis=none) header.from=example.com
-
DMARC passes if at least one identifier (SPF or DKIM) passes and aligns with header.from.
-
Alignment types:
- Relaxed (r): Organizational domains may match (news.example.com aligns with example.com).
-
Strict (s): Exact domain match required.
**Quick checks:** - SPF alignment checks MAIL FROM (smtp.mailfrom) or HELO against header.from.
- DKIM alignment checks the d= domain in the signature against header.from.
Local tools: - dkimpy (Python) to validate DKIM signatures.
-
OpenDMARC’s opendmarc-check for offline DMARC evaluation.
-
Gmail’s “Show Original” and Microsoft 365 Message Headers provide pass/fail with alignment hints .
DMARCReport connection: - Even without sample messages, DMARCReport uses **aggregate reports to calculate per-sender alignment rates (SPF vs DKIM, relaxed vs strict), spotlighting which sources depend on which control so you can tune aspf/adkim confidently.
Tools, Automation, and Monitoring (online checkers, APIs, libraries, scripts)
Online DMARC checkers
-
dmarcian, MXToolbox, Postmark DMARC, Agari/Fortra: quick validation and syntax help.
-
Limits: inconsistent recursion, caching delays, and no continuous monitoring.
DMARCReport connection: - Combines a live checker with scheduled polling, change alerts, and cross-NS validation to avoid cache blind spots.
DNS APIs and libraries
- DNS APIs: Cloudflare, Route 53, Google Cloud DNS (manage and read records programmatically).
Python: import dns.resolver
def getdmarc(domain):
name = f”dmarc.{domain}”
try:
ans = dns.resolver.resolve(name, ‘TXT’)
recs = [”.join(r.strings.decode() if isinstance(r.strings, bytes) else b”.join(r.strings).decode()
if hasattr(r, ‘strings’) else ”.join([s.decode() for s in r.strings]))
for r in ans]
return recs
except Exception as e:
return [f”Error: {e}”]
print(getdmarc(“example.com”))
Node.js:
import { resolveTxt } from ‘node:dns/promises’;
async function getDMARC(domain) {
const name = _dmarc.${domain};
const answers = await resolveTxt(name);
return answers.map(chunks => chunks.join(”));
}
getDMARC(‘example.com’).then(console.log).catch(console.error);
Automate periodic lookups and alerting
**Bash + cron example: #!/usr/bin/env bash
DOMAIN=“example.com”
CURRENT=$(dig +short TXT dmarc.$DOMAIN | tr -d ’”’ | tr -d ‘\n’)
LAST=$(cat /var/tmp/dmarc.$DOMAIN.last 2>/dev/null)
if [ “$CURRENT” != “$LAST” ]; then
echo “$CURRENT”
/var/tmp/dmarc.$DOMAIN.last
curl -X POST -H “Content-Type: application/json” \
-d ”{“text”:“DMARC changed for $DOMAIN: $CURRENT”}” \
fi
- Alert on policy regressions (e.g., p=reject → p=none), missing rua, or new duplicate records.
DMARCReport connection: - Provides built-in monitors, Slack/Email/Webhook alerts, and a Policy Guard that blocks or notifies on high-risk changes across portfolios of domains.
How Do You Troubleshoot and Multi‑Sender Strategy (common pitfalls and third parties)?
Common DMARC misconfigurations and fixes
-
Missing v=DMARC1 or p=… → Add both; without them, DMARC is ignored.
-
Multiple DMARC TXT records → Merge into a single record; use semicolons (;) between tags, commas only inside rua/ruf lists.
-
Malformed URIs (rua/ruf without mailto:) → Must include mailto:, and verify external authorization.
-
Invalid tag values (aspf=x, adkim=hard, pct=150) → Use aspf=r|s, adkim=r|s, pct=0–100.
-
Overly strict alignment too early (aspf=s, adkim=s) → Relax to r during discovery, especially with third-party senders.
-
Relying on SPF alignment for third parties → Many use a shared return-path; plan for DKIM alignment instead.
-
Missing DNS at reporting destination (external rua) → Work with the receiver (e.g., DMARCReport) to publish example.com._report._dmarc.receiver.tld TXT authorization.
Step-by-step triage:
-
Validate syntax locally (dig + parse) and with at least two independent online checkers.
-
Confirm exactly one record and no stray characters.
-
Inspect recent Authentication-Results for DKIM/SPF pass + alignment.
-
Review aggregate reports by source IP, DKIM d=, and SPF domains.
-
Fix top failing legitimate sources first (DKIM keys, custom return-paths, SPF includes).
-
Reassess weekly and tighten pct/p accordingly.
How Do You Configure for multiple third‑party senders?
- Mailchimp
- SPF usually not aligned due to shared return-path; rely on DKIM.
- SendGrid
- Google Workspace
Delegation and reporting: - Use sending subdomains (news.example.com, billing.example.com) to isolate risk and keys.
- Route aggregate reports to a central mailbox or service (e.g., rua=mailto:acct+example.com@dmarcreport.io) for unified analytics.
DMARCReport connection:
- Vendor Fingerprinting clusters reports by platform (e.g., SendGrid vs Mailchimp), shows which alignment (SPF vs DKIM) each relies on, and recommends the minimal steps (e.g., enable custom return-path) to reach full alignment.
Case study: staged rollout with diverse senders
-
A retailer using Google Workspace, SendGrid, and Zendesk started with p=none; DMARCReport correlated 18% of traffic from SendGrid with DKIM-aligned but SPF-misaligned mail.
-
After enabling SendGrid custom return-path and raising pct to 50% under p=quarantine, unknown volume dropped from 7.4% to 1.2%.
-
Moving to p=reject at pct=100 blocked 99.1% of spoof attempts without impacting legitimate mail; helpdesk tickets fell by 42% in 30 days.
FAQ
Do I need both SPF and DKIM to pass DMARC?
No - DMARC passes if either SPF or DKIM passes and aligns with header.from, but in multi-sender environments it’s best to ensure DKIM alignment everywhere and use SPF alignment where feasible for redundancy; DMARCReport highlights which control each sender satisfies so you can close gaps strategically.
Where should I publish my DMARC record and with what TTL?
Publish a TXT at dmarc.yourdomain.tld; typical Time to Live (TTL) is 300–3600 seconds during rollout (for agility) and 3600–14400 seconds in steady state; DMARCReport tracks propagation **across resolvers and warns if caches still serve the old policy.
Should I enable ruf (forensic) reports?
Use ruf selectively; they can include message samples and may be throttled or omitted by receivers for privacy; prefer rua for broad visibility and enable ruf temporarily for targeted investigations; DMARCReport can sandbox ruf to a restricted mailbox with PII redaction .
Why does my DMARC TXT look split into pieces?
DNS permits splitting long TXT strings; resolvers must join them; tools like dig show multiple quoted chunks - concatenate them logically; DMARCReport’s parser always normalizes splits and flags stray whitespace or hidden characters.
How do subdomain policies interact with the parent domain?
Subdomains inherit the parent’s p unless sp is set; you can set sp=none while the parent is p=reject to permit testing on subdomains; DMARCReport’s Subdomain Governance ensures inheritance is intentional and consistent.
Conclusion: A reliable DMARC lookup is a process - DMARCReport makes it continuous
To perform a DMARC lookup correctly, query dmarc.yourdomain via DNS, confirm a single valid record with v=DMARC1 and a right-sized policy, validate alignment on real mail, and watch aggregate reports to guide safe enforcement. The fastest way to turn that into sustainable protection is to automate it: DMARCReport unifies the raw lookup, change monitoring, and report analytics; fingerprints third‑party senders; simulates policy impact; and guides you from p=none to p=reject without surprises. Whether you manage one domain or a global portfolio, DMARCReport converts a one-time lookup into ongoing assurance that your email authentication stays correct, aligned, and enforced.
Sources
Topics
Content Specialist
Content Specialist at DMARC Report. Writes vendor-specific email authentication guides and troubleshooting walkthroughs.
LinkedIn Profile →Take control of your DMARC reports
Turn raw XML into actionable dashboards. Start free - no credit card required.