What tools check DMARC records?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
You've set up a DMARC record and now you want to know if it's actually doing what you think it's doing. Good instinct. A misconfigured DMARC policy can affect every email your domain sends, so it's worth double-checking before you tighten your policy from p=none to p=reject.
Here are the tools worth knowing.
Web-based tools (easiest starting point)
- dmarcian DMARC Inspector gives you a clear breakdown of your policy, alignment settings, and report addresses. It also flags common mistakes in plain language, which makes it easier to act on what you find.
- MXToolbox DMARC Lookup checks your syntax and policy quickly. It's a solid first stop if you just want a pass/fail read.
- RME's free DMARC Parser parses your DMARC record and shows exactly what each tag means in human terms. Great if you're reading a record for the first time and want to understand it, not just validate it.
Command line (for those who prefer it)
If you'd rather stay in the terminal, a quick dig query does the job.
dig TXT _dmarc.yourdomain.com
Replace yourdomain.com with your actual domain. You should see a TXT record starting with v=DMARC1. If nothing comes back, your record either doesn't exist or it's published in the wrong place.
What to actually look at
Tools are only as useful as what you know to check. When you run your lookup, keep an eye on these things.
- The record lives at _dmarc.yourdomain.com, not at the root domain
- The syntax is correct (every tag has a valid value, no typos)
- Your policy (p=) is intentional. p=none means monitor only. p=quarantine or p=reject means action is being taken on failures
- Your report addresses (rua= and ruf=) are valid and actually set up to receive reports
- Your alignment settings match how your domain actually sends mail
So one thing worth knowing: checking that a record exists is step one, not the finish line. If you're preparing to move to enforcement, it's worth reviewing your DMARC aggregate reports too, so you know which sources are passing and which aren't before you flip the policy. Running p=reject without that context can block legitimate mail.
If something looks off and you're not sure what to do next, our SOS hotline is free. No pitch, just help.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.