Validate and analyse the DMARC policy of any domain. Check enforcement level, reporting addresses, alignment modes and more.
DMARC (Domain-based Message Authentication, Reporting & Conformance) is an email authentication protocol that builds on SPF and DKIM to tell receiving mail servers what to do when an email fails authentication, and to send reports back to the domain owner about who is sending mail on their behalf.
Sender Policy Framework: a TXT record listing which IP addresses are authorised to send email for your domain. Receiving servers reject or flag mail from unlisted IPs.
DomainKeys Identified Mail: adds a cryptographic signature to outgoing emails. Receiving servers verify the signature against a public key in DNS.
DMARC policy can be none (monitor), quarantine (send to spam), or reject (block). Start with none and tighten once you have clean reports.
DMARC generates aggregate (rua) and forensic (ruf) reports showing every server that sent email claiming to be your domain, and whether it passed or failed.
Without DMARC, anyone can forge your domain in the From: header of an email, a technique used in phishing and business email compromise (BEC) attacks. A p=reject policy blocks unauthenticated emails from being delivered, protecting your brand and your recipients.
Yes. Since 2024 both Google and Yahoo require a DMARC record for bulk senders. Microsoft 365 routing benefits significantly from authenticated outbound mail.
The pct tag applies the policy to only that percentage of failing messages. Start at pct=5 when moving from quarantine to reject to catch problems gradually.
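As an added example (not code from this page or from the checker itself), the following parses a DMARC TXT value and reports the enforcement level, pct, reporting addresses and alignment modes described above. The sample records and example.com addresses are constructed, and the defaults used (pct=100, relaxed alignment) are those of RFC 7489.

```python
# Added example: parse a DMARC TXT value and flag weak settings.
POLICIES = {"none", "quarantine", "reject"}
ALIGNMENT = {"r": "relaxed", "s": "strict"}

def parse_dmarc(txt):
    """Split a DMARC TXT value into an ordered tag dict; ValueError if invalid."""
    tags = {}
    for part in filter(None, (p.strip() for p in txt.split(";"))):
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        tags[key.strip().lower()] = value.strip()
    # The version tag must come first, otherwise receivers ignore the record.
    if next(iter(tags), None) != "v" or tags["v"] != "DMARC1":
        raise ValueError("record must begin with v=DMARC1")
    if tags.get("p", "").lower() not in POLICIES:
        raise ValueError("missing or invalid p= tag")
    return tags

def uris(tags, name):
    """rua and ruf hold a comma-separated list of report URIs."""
    return [u.strip() for u in tags.get(name, "").split(",") if u.strip()]

def analyse(txt):
    tags = parse_dmarc(txt)
    policy = tags["p"].lower()
    pct = int(tags.get("pct", "100"))  # absent pct means 100
    if not 0 <= pct <= 100:
        raise ValueError("pct must be between 0 and 100")
    findings = []
    if policy == "none":
        findings.append("p=none: monitoring only, failing mail is still delivered")
    elif pct < 100:
        findings.append(f"pct={pct}: {policy} applies to only {pct}% of failing mail")
    if not uris(tags, "rua"):
        findings.append("no rua: no aggregate reports will be sent to you")
    return {"policy": policy, "pct": pct,
            "rua": uris(tags, "rua"), "ruf": uris(tags, "ruf"),
            "adkim": ALIGNMENT.get(tags.get("adkim", "r").lower(), "invalid"),
            "aspf": ALIGNMENT.get(tags.get("aspf", "r").lower(), "invalid"),
            "findings": findings}

# Constructed sample records (example.com is a placeholder domain).
MONITOR = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
ROLLOUT = "v=DMARC1; p=reject; pct=5; rua=mailto:dmarc@example.com; adkim=s"

if __name__ == "__main__":
    for record in (MONITOR, ROLLOUT):
        print(record, "->", analyse(record))
```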