DMARC
DMARC Record Checker
Use this tool to check, lookup, and validate your DMARC record.
The tags and their definitions
| TAG | TAG DESCRIPTION |
|---|---|
| v | The version tag. The only allowed value is "DMARC1". If it's incorrect or the tag is missing, the DMARC record will be ignored. |
| p | The DMARC policy. Allowed values are “none”, “quarantine”, or “reject”. The default is “none,” which takes no action against non-authenticated emails. It only helps collect DMARC reports and gain insight into your current email flows and their authentication status. "Quarantine" marks the failed emails as suspicious, while "reject" blocks them. |
| sp | The subdomain policy. The subdomain inherits the domain policy tag explained above, unless specifically defined here. Like the domain policy, the allowed values are "none," "quarantine," or "reject." This option isn't widely used nowadays. |
| pct | The percentage tag. This tag works on domains with "quarantine" or "reject" policy only. It marks the percentage of failed emails a given policy should be applied to. The rest falls under a lower policy. For example, if "pct=70," on a domain with "quarantine" policy, it applies only 70% of the time. The remaining 30% goes under "p=none". Similarly, if "p=reject" and "pct=70," "reject" applies to the 70% of failed emails, and the 30% go into "quarantine." |
| rua | Aggregate report sending destination.It's the "mailto:" URI that ISPs use to send failure reports.The tag is optional. But you need to use it if you wish to receive the reports. |
| ruf | Forensic (Failure) report sending destination. It's the "mailto:" URI that ISPs use to send failure reports.The tag is optional. But you need to use it if you wish to receive the reports. |
| ri | Reporting interval. Marks the frequency of receivied XML reports in seconds. The default is 86400 (once a day). Change the default if you want to adjust the reporting frequency. Regardless of set interval in most cases ISPs may send the reports at different intervals (usually once a day). |
| aspf | The SPF alignment. This tag follows the alignment between the SPF domain (the sender) and the Header From domain. Allowed values are “r” (relaxed) or “s” (strict). “r” is the default, and allows a partial match, while the "s" tag requires the domains to be exactly the same. |
| adkim | The DKIM signature alignment. This tag follows the alignment between the DKIM domain and the parent Header From domain. Allowed values are “r” (relaxed) or “s” (strict). “r” is the default, and allows a partial match, while the "s" tag requires the domains to be the exact same. |
| fo | Forensic reporting options. Allowed values are "0," "1," "d," and "s." "0" is the default value, which generates a forensic report when both SPF and DKIM fail to produce an aligned pass. If either of the protocol outcome is something other than pass, use "1." "d" generates a report when DKIM is invalid, while "s" does the same for SPF. Define the ruf tag to receive forensic reports. |
What is the DMARC record?
DMARC, which stands for “Domain-based Message Authentication, Reporting & Conformance”, is an email authentication, policy, and reporting protocol. It is implemented as a DNS TXT Record and lets admins receive reports on their outgoing email infrastructure and set policies (p=none, p=quarantine, or p=reject) to tell receiving servers how to handle unauthorized email usage on their domain’s behalf.
Why test your DMARC record?
By performing DMARC Lookup, admins can make sure that their record is published and deployed correctly on their domain. Additionally, admins can verify that there are no underlying errors with the Record syntax, validation, and other key issues.
Why are DMARC reports important?
DMARC Aggregate Reports are one of the key factors to have a successful DMARC enforcement (reaching to p=reject) journey. With them, you will be able to analyze your outgoing email ecosystem, authenticate your legitimate email sources, and proceed with enforcement to let the ISPs (such as Google, Comcast, and Yahoo) block the fraudulent and unauthorized email usage on your domain’s behalf.
What does DMARC compliant mean?
As DMARC is an additional security layer that works upon SPF & DKIM, DMARC Compliance means that your outgoing email server is authenticated and aligned with either SPF or DKIM authentication protocols.
How does DMARC work?
To put it simply, here’s how it works:
- First, admin implements DMARC TXT Record in their DNS provider
- After that, for every email sent from the domain, receiving servers will start to check the domain’s DMARC Record
- Receiving servers will check SPF and DKIM authentication and alignment checks to verify the sender of the domain (if it is actually coming from a legitimate source)
- With both SPF and DKIM results, the receiving server will apply rules based on the admin's stated policy (p= tag). For example, if the domain’s policy is set to Reject (p=reject) and the emails didn’t pass SPF and DKIM results, the receiving server will Reject the message completely.
- Lastly, the receiving server will send DMARC reports to the admin (to an email address(es) specified in DMARC TXT Record’s RUA and RUF addresses). These reports contain all the necessary information that you can read more here.
What does DMARC domain alignment mean?
Domain Alignment is the core concept of DMARC. That is, verifying that the email address in the From header is the actual sender of the message. Practically, this means that the domain SPF check (which is based on Envelope From: or Return-Path address) and the DKIM signing domain (d=example.net) are in alignment with the message From: address. You can read more about DMARC domain alignment here.
How does a DMARC work with subdomains?
By default, DMARC Record or policy implemented on the root domain level will automatically apply on all subdomain(s) levels, unless admins implement explicit DMARC Record on the subdomain(s) level.
Can I Add a DMARC Record Without DKIM?
Technically, you can. But, for DMARC to pass, you need to have either SPF or DKIM authentication & alignment in place.
At EasyDMARC, we always advise our customers to start their DMARC journey with Monitoring mode (p=none). That way, receiving servers will not apply any rules on the unauthenticated email flow on the domain’s behalf. But, it is important that every email source is properly configured and authenticated with SPF and DKIM during the Monitoring stage so that the admins start with their DMARC enforcement journey (heading to p=quarantine or p=reject). This will help them avoid false-positive cases and make sure that they don’t lose or block any legitimate mail flow due to DMARC reject policy.
Want to simplify the implementation and monitoring?
Start Free Trial