DMARC Record Checker — _dmarc Policy Validation

DMARC records publish as TXT on _dmarc.example.com, not the apex. A common first mistake is pasting DMARC TXT at example.com. Our checker queries _dmarc.host automatically via checkEmailDns.

found true with valid true means v=DMARC1 syntax parsed. found false means receivers lack domain-level policy — spoofing enforcement defaults vary.

p=none monitors without enforcement. p=quarantine asks spam-folder treatment for failures. p=reject requests rejection — strongest when SPF and DKIM are reliable.

details exposes parsed p=, optional sp= for subdomains, pct sampling, and alignment adkim/aspf. valid true with p=none is syntactically fine but security-soft.

rua=mailto: addresses receive aggregate XML reports. Our parser surfaces them in details when present. This checker does not confirm mailboxes accept reports.

ruf forensic reports are increasingly rare. Including ruf in DNS does not harm policy but may yield no traffic.

email-deliverability awards up to 25 points for DMARC — full when found and valid, partial when found but invalid, zero when missing. Combine with SPF record checker and DKIM record checker rows in the same JSON.

good overall rating typically needs strong scores across SPF, DKIM, DMARC, and MX.

Start p=none with rua to observe legitimate sources. Move to p=quarantine when reports show alignment. Escalate to p=reject after confidence. Document each phase in change tickets.

Sudden jumps to reject without working DKIM cause false positives — legitimate mail quarantined while spoofing continues on lookalike domains.

adkim=s and aspf=s demand strict domain alignment. Relaxed defaults allow organizational domain match across subdomains. Strict tags harden policy but break mail when vendors sign with their own domains.

Review rua reports before enabling strict alignment.

Draft policy client-side with DMARC record generator, publish on _dmarc, verify here. Pair with email spoofing test before p=reject to surface permissive SPF gaps.

email-dns-health-check scores all authentication pillars when you need holistic view.

DMARC at _dmarc.apex does not automatically protect all subdomains unless sp= or explicit subdomain policies exist. Marketing on mail.example.com may need its own authentication and possibly _dmarc.mail if used as organizational domain.

Enter the organizational domain from rua reporting context — usually the apex brand domain.

GET /ip-tools/api/extended?action=email-deliverability&domain=example.com returns emailDns.records DMARC row. Automate verification after _dmarc TXT edits in CI.

Export p= and queriedAt for compliance questionnaires.

Published DMARC is public DNS. Query domains you own or administer.

rua addresses in records reveal security contacts — expected for public policy.