DMARC Checker

Learn how DMARC protects your domain from spoofing and what our checker validates.

What is DMARC?

Domain-based Message Authentication, Reporting, and Conformance (DMARC) is an email authentication protocol that builds on SPF and DKIM to give domain owners control over how receivers handle unauthenticated email. It closes a critical gap in email security: even with SPF and DKIM in place, receivers had no way to know what action to take when authentication failed.

DMARC tells receiving servers exactly what to do with emails that fail authentication checks, and provides a feedback mechanism so domain owners can monitor who is sending email on their behalf.

How DMARC Works

DMARC ties together SPF and DKIM with a concept called alignment:

  1. Domain alignment check – DMARC verifies that the domain in the visible "From" header aligns with either the SPF-authenticated domain (Return-Path) or the DKIM-signed domain.

  2. Policy lookup – The receiving server fetches the DMARC record from DNS at _dmarc.yourdomain.com to learn how you want failed messages handled.

  3. Authentication evaluation – If the email passes SPF or DKIM and the domain that passed aligns with the "From" domain, the message passes DMARC. Otherwise, it fails.

  4. Policy enforcement – The receiver applies your specified policy to messages that fail authentication.

Policy Options

DMARC offers three policy levels, allowing you to gradually increase protection:

  • none – Monitor mode. Failed emails are delivered normally, but you receive reports. Use this when starting out to understand your email traffic.

  • quarantine – Suspicious treatment. Failed emails are typically sent to spam or held for review. This signals to receivers that you're confident in your authentication setup.

  • reject – Maximum protection. Failed emails are blocked entirely. Only use this once you're certain all legitimate email sources are properly authenticated.

You can also set a percentage (pct) to apply the policy to only a portion of failing emails, enabling gradual rollout.

Understanding Alignment

Alignment is what makes DMARC effective. It ensures the domain visible to users matches the domain that passed authentication:

  • Relaxed alignment (default) – Organizational domains must match. For example, mail.example.com aligns with example.com.

  • Strict alignment – Exact domain match required. mail.example.com would not align with example.com.

Relaxed alignment works for most organizations, while strict alignment provides tighter control when you need to prevent subdomain spoofing.
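
The evaluation steps and alignment modes described above, as an added Python example (not MailHealth's code and not part of the original page). It assumes SPF and DKIM results come from earlier checks, approximates the organizational domain as the last two labels instead of consulting the Public Suffix List, and does not model pct; the record strings, domains and function names are constructed for illustration.

```python
def parse_dmarc(txt):
    """Split a DMARC TXT record into tags; reject records a receiver would ignore."""
    tags = {}
    for part in filter(str.strip, txt.split(";")):
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part.strip()!r}")
        tags[name.strip().lower()] = value.strip()
    if next(iter(tags), None) != "v" or tags["v"] != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    tags["p"] = tags.get("p", "").lower()
    if tags["p"] not in ("none", "quarantine", "reject"):
        raise ValueError("p must be none, quarantine or reject")
    return tags

def org_domain(domain):
    # ASSUMPTION: organizational domain = last two labels. Real receivers
    # consult the Public Suffix List (this is wrong for e.g. example.co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """mode 's' = strict (exact match); anything else = relaxed (same org domain)."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def evaluate(record, from_domain, spf, dkim):
    """spf and dkim are (passed, authenticated_domain) pairs from earlier checks.
    Returns 'pass', or the policy the domain owner requested for failures."""
    tags = parse_dmarc(record)
    spf_ok = spf[0] and aligned(from_domain, spf[1], tags.get("aspf", "r"))
    dkim_ok = dkim[0] and aligned(from_domain, dkim[1], tags.get("adkim", "r"))
    return "pass" if spf_ok or dkim_ok else tags["p"]

# Constructed sample: one message sent through a third-party mailer,
# evaluated against a relaxed record and a strict record.
RELAXED = "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com"
STRICT = "v=DMARC1; p=reject; adkim=s; aspf=s"
MSG = dict(from_domain="example.com",
           spf=(True, "bounces.mailer.test"),  # Return-Path domain, SPF passed
           dkim=(True, "mail.example.com"))    # DKIM d= domain, signature valid

if __name__ == "__main__":
    print("relaxed:", evaluate(RELAXED, **MSG))  # DKIM subdomain aligns
    print("strict: ", evaluate(STRICT, **MSG))   # neither identifier matches exactly
```

The same message passes under relaxed alignment through its DKIM signature and fails under strict alignment, even though SPF and DKIM both passed on their own.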

DMARC Reports

One of DMARC's most valuable features is reporting. Domain owners receive two types of reports:

  • Aggregate reports (RUA) – Daily XML summaries showing authentication results, sending sources, and policy actions. These help you identify legitimate senders that need authentication and detect unauthorized use of your domain.

  • Forensic reports (RUF) – Detailed reports on individual failures containing message headers. Not all receivers send these due to privacy concerns.

Configure report recipients in your DMARC record using the rua and ruf tags.

What MailHealth Checks

Our DMARC checker analyzes your configuration for:

  • Record existence – Confirms a DMARC record exists at the correct DNS location
  • Policy strength – Evaluates your policy level and recommends appropriate protection
  • Alignment settings – Reviews your SPF and DKIM alignment mode configuration
  • Reporting setup – Verifies report addresses are configured correctly
  • Record syntax – Ensures all tags are valid and properly formatted
  • Best practices – Identifies opportunities to strengthen your DMARC posture

A properly configured DMARC record is the final piece of email authentication. Combined with SPF and DKIM, it provides comprehensive protection against email spoofing and phishing attacks while giving you visibility into your domain's email traffic.
