DMARC Lookup
Fetch and parse the DMARC policy for a domain. Explains each tag and flags common weaknesses like monitor-only mode, missing reports, or sub-100 pct.
Look up and parse DMARC
Queries _dmarc. for a TXT record and explains each tag.
About DMARC
DMARC (Domain-based Message Authentication, Reporting and Conformance) sits on top of SPF and DKIM. It tells receiving mail servers:
- How to handle mail that fails authentication (
p=none,quarantine, orreject). - Where to send daily aggregate XML reports (
rua). - How strict to be about alignment between the visible
From:domain and the authenticated domain (adkim,aspf).
A typical production DMARC record looks like:
v=DMARC1; p=reject; rua=mailto:[email protected]; adkim=s; aspf=s
Tags explained
| Tag | Meaning |
|---|---|
v | Protocol version. Always DMARC1. |
p | Policy for the organizational domain: none (monitor), quarantine, or reject. |
sp | Policy for subdomains. Falls back to p if omitted. |
pct | Percentage of failing mail the policy applies to. Default 100. |
rua | Aggregate report destinations (mailto: URIs). |
ruf | Forensic (per-message) report destinations. Rarely supported. |
adkim | DKIM alignment: relaxed or strict. Default r. |
aspf | SPF alignment: relaxed or strict. Default r. |
fo | Failure reporting options. |
Things to flag
p=none. No enforcement. Spoofed mail is still delivered; you only get reports. A common stepping stone, not an end state.- No
rua. You’ll never see the reports. Enforcement without monitoring is risky. pct<100. Policy applies to only a percentage of failing mail — useful for ramp-up, but not a steady state.- Multiple DMARC records. Illegal per RFC; validation fails until duplicates are removed.