Free DMARC checker

Is your email protected from spoofing?

DMARC tells inboxes what to do with email that pretends to be you. Check any domain and see, in plain English, whether it's actually turned on.

What this check actually looks at

This tool looks up the TXT record at _dmarc.yourdomain.com — the standard location every mailbox provider checks before deciding what to do with mail claiming to be from your domain. If nothing is published there, your domain has no spoofing policy at all, which is the single most common finding on domains that have never been checked.

When a record exists, we read the p= tag (the policy), whether a report address is set, and whether subdomains are covered separately. Each of those maps to a real, practical answer: are you protected, are you watching, and is anything about to catch you off guard.

DMARC doesn't work alone — it enforces alignment with SPF and DKIM. A domain can have a perfect DMARC record and still be exposed if SPF or DKIM underneath it is broken, so it's worth running our SPF checker and DKIM checker on the same domain.

Common questions

What is DMARC?+

DMARC (Domain-based Message Authentication, Reporting and Conformance) is a DNS record that tells email providers what to do with messages that fail to prove they really came from your domain — block them, send them to spam, or let them through and just report on it.

Why does my domain need a DMARC record?+

Without one, anyone can send email that appears to come from your domain — a classic move in phishing and invoice-fraud scams. A DMARC record with a strong policy stops that mail from reaching inboxes, and protects your brand and your customers.

What's the difference between none, quarantine, and reject?+

"none" only monitors and reports — it changes nothing. "quarantine" sends failing mail to spam. "reject" blocks it outright. Most domains should work toward reject, but a sudden jump can break legitimate mail that isn't authenticated yet, so a gradual move (none → quarantine → reject) is safer.

I have a DMARC record but no rua= address. Is that a problem?+

Yes — without an aggregate report address, you have no visibility into who is sending email as your domain, including services you may have forgotten about (old marketing tools, ex-employee accounts, or actual attackers). Adding a rua= address costs nothing and gives you that visibility.

Does DMARC alone stop spoofing?+

DMARC relies on SPF and/or DKIM passing and being aligned with your domain. If neither is set up correctly, DMARC has nothing to enforce. Check your SPF and DKIM records too — this tool only checks the DMARC layer.