Email authentication
DMARC Analyzer
Inspect a domain DMARC record, policy, alignment, reports and common configuration warnings.
How to use this tool
- Enter the apex sending domain you want to audit, such as example.com, without a protocol, path, or mailbox prefix. DN01 normalizes the name, rejects restricted or malformed hostnames, and uses the registrable domain as the lookup target. If you manage mail for a subdomain that sends independently, run a separate check on that subdomain because DMARC policy is published on the organizational domain that appears in the visible From header.
- DN01 performs a live DNS TXT lookup at `_dmarc.<domain>` with a five-second resolver timeout and records how long the query took. The backend selects the first TXT string that starts with `v=DMARC1`, splits semicolon-separated tags, and maps `p`, `sp`, `pct`, `rua`, `ruf`, `adkim`, and `aspf` into structured fields. A missing record or resolver failure is returned as a diagnostic result, not as an HTTP error, so you always get a readable report card.
- Review the parsed policy (`none`, `quarantine`, or `reject`), subdomain policy, percentage (`pct`), aggregate report URI (`rua`), forensic report URI (`ruf`), DKIM and SPF alignment modes, the tag list, and the raw TXT string exactly as resolvers see it. Pay attention to the `found` and `valid` flags: a record can be present but invalid when required tags are missing, policies are unknown, `pct` is out of range, or duplicate tag names appear.
- Use the errors, warnings, and recommendations panel to decide your next DNS change. DN01 warns on monitoring-only `p=none`, partial enforcement when `pct` is below 100, missing `rua`, and relaxed alignment defaults. When the report looks incomplete, open DKIM Validator and DNS Checker on the same domain to confirm whether SPF and DKIM can actually align with the From domain before you move to `quarantine` or `reject`.
What the result shows
The result is split into the signals that matter for this specific check.
| Field | Purpose | Example |
|---|---|---|
| Domain | Normalized registrable domain submitted to the analyzer. | example.com |
| Query name | Exact TXT owner name queried by the resolver. | _dmarc.example.com |
| Found | Whether a TXT value starting with v=DMARC1 was returned. | true |
| Valid | Whether the record parsed without blocking syntax or policy errors. | false |
| p= | Organizational policy applied to mail that fails DMARC. | quarantine |
| sp= | Policy for subdomains when different from p=. | reject |
| pct= | Percentage of failing messages the policy applies to. | 100 |
| rua= | Comma-separated aggregate report destinations. | mailto:[email protected] |
| ruf= | Comma-separated forensic report destinations when published. | mailto:[email protected] |
| adkim= / aspf= | Strict (s) or relaxed (r) alignment for DKIM and SPF. | adkim=r; aspf=s |
| Raw record | Unmodified TXT string returned from DNS. | v=DMARC1; p=none; rua=mailto:[email protected] |
| Errors / Warnings / Recommendations | Actionable diagnostics generated from tag values. | missing rua; move toward quarantine after reviewing reports |
When this check helps
You are preparing a production cutover from monitoring to enforcement and need to know whether the published record can survive receiver scrutiny. Marketing still sends through a CRM, product mail uses a transactional provider, and finance runs an on-prem relay. Before you raise `p` from `none` to `quarantine`, DN01 shows whether the TXT at `_dmarc.example.com` is syntactically valid, whether duplicate tags would invalidate the record, and whether `pct` already limits enforcement. That single DNS publication is what billions of inboxes evaluate; a typo in `p=` or a second stray DMARC TXT can silently weaken protection across every channel.
Deliverability tickets often blame DMARC even when SPF passes in isolation. A message can publish a valid SPF record and still fail DMARC when the envelope From, header From, and DKIM signing domain do not align under the published `aspf` and `adkim` modes. DN01 surfaces alignment defaults: when tags are omitted, the analyzer assumes relaxed alignment (`r`) and warns you that receivers may accept broader domain matches than you expect. Pair the DMARC result with DKIM Validator to see whether selectors sign the organizational domain and with DNS Checker to confirm SPF includes are not over-broad.
Security and fraud teams use DMARC as an anti-spoofing control for executive domains, partner portals, and look-alike brands. If `_dmarc` is missing entirely, DN01 returns a clear diagnostic—`no DMARC record found at _dmarc.<domain>`—and recommends publishing `v=DMARC1` with a starting policy. That missing state is not treated as a tool failure; it is the exact condition receivers see when phishing can reuse your domain without a published rejection policy. Document the finding, publish monitoring with `rua`, then schedule enforcement after aggregate reports prove legitimate sources pass.
Managed service providers run DMARC reviews across dozens of customer zones during onboarding or renewal. Manual `dig` lookups do not scale when you must compare `sp` against `p`, verify report mailboxes, and spot invalid `pct` strings across a portfolio. DN01 returns a consistent JSON-shaped report with duration, tag inventory, and human recommendations so operators can paste results into change tickets. The SEO result page for a domain also gives stakeholders a stable link that describes current publication without exposing internal DNS tooling.
Subdomain-heavy architectures—`news.example.com`, `billing.example.com`, `eu.example.com`—depend on `sp=` when child zones send mail with their own SPF and DKIM setup. If `sp` is absent, receivers fall back to `p` for subdomains, which surprises teams that thought a child zone was isolated. DN01 shows both values side by side and flags invalid subdomain policies the same way it flags bad organizational policies. When `sp=reject` is stricter than `p=quarantine`, you can see that asymmetry immediately instead of discovering it from bounced campaigns.
Compliance and vendor questionnaires increasingly ask for evidence of email authentication maturity, not just checkbox answers. Auditors want to know whether aggregate reporting is configured (`rua`), whether enforcement is partial (`pct` less than 100), and whether the record is valid today—not last quarter. DN01 answers those questions from live DNS, stores the raw TXT for screenshot evidence, and separates hard errors (duplicate tags, invalid policy names) from warnings (monitoring mode, relaxed alignment). That distinction helps you explain what must be fixed before enforcement versus what is a deliberate staging posture.
Incident response after a spoofing wave often starts with “is our DMARC wrong or missing?” rather than with mailbox samples. When multiple TXT strings at `_dmarc` include more than one `v=DMARC1` fragment, receivers may treat the configuration as invalid and ignore enforcement. DN01 selects the first matching record for parsing but still reports duplicate tag errors inside a single string, helping you distinguish split-brain DNS from harmless historical TXT. Re-check after TTL once authoritative nameservers agree, then validate signing paths with DKIM Validator before returning to `reject`.
What to review when results look wrong
If DN01 reports no DMARC record, query `_dmarc.yourdomain.tld` specifically—not the apex TXT used for SPF. Many teams accidentally publish SPF at the root and assume DMARC inherits it. Confirm the record at every authoritative nameserver if you recently migrated DNS providers; stale NS delegations are a common reason one resolver sees `v=DMARC1` while another returns NXDOMAIN. DN01’s missing-record response is intentional diagnostics, not a failed API call, so treat it as a publication task.
When `valid` is false despite `found` true, read the errors array before changing policy. Duplicate `p=` tags, unknown policy tokens, non-integer `pct`, or `pct` outside 0–100 all invalidate the record for strict parsers. Remove duplicate tags in the DNS panel, keep a single semicolon-separated TXT, and avoid splitting DMARC across multiple TXT strings unless your provider concatenates them correctly. After edits, wait for TTL and rerun the analyzer to confirm `valid` flipped to true.
Warnings about `p=none`, missing `rua`, or relaxed alignment do not always mean mail is failing today—they describe exposure. `p=none` monitors authentication outcomes without telling receivers to quarantine or reject failures. Missing `rua` means you will not receive aggregate XML reports that show which sources pass or fail DMARC. If warnings mention relaxed alignment, decide whether you need `adkim=s` or `aspf=s` for stricter domain matching before moving to `reject`.
If live DNS disagrees with what your DNS vendor dashboard shows, compare the raw record field against `dig +short TXT _dmarc.domain`. Caching resolvers, regional anycast differences, and partial zone imports can make dashboards lie. DN01 queries through the platform resolver at request time; paste the raw TXT into change control if you need proof of the externally visible value.
When legitimate mail fails after tightening policy, DMARC may be correct while SPF or DKIM paths are not. Use DNS Checker to review SPF includes and flattening limits, then DKIM Validator to confirm active selectors sign the From domain with keys that are not expired. Partial enforcement via `pct=50` can also make failures look random; DN01 warns when pct is below 100 so you can correlate with sample message headers.
How to interpret the result
DMARC sits on top of SPF and DKIM. SPF validates the envelope path; DKIM validates a cryptographic signature; DMARC asks whether either result aligns with the domain visible in the From header and what to do if both fail. DN01 does not send mail or evaluate individual messages—it inspects only the DNS policy that tells receivers how to treat misaligned traffic. That is why pairing this tool with DKIM Validator and DNS Checker completes the story: publication, signing, and alignment are three separate checks.
The `p=` tag is mandatory. Policies must be `none`, `quarantine`, or `reject`; any other value is flagged as invalid. `none` is appropriate for initial monitoring but DN01 warns that it does not instruct receivers to block failing mail. `quarantine` typically sends failures to spam folders, while `reject` asks receivers to drop messages outright. Your escalation path should follow evidence from `rua` reports, not calendar deadlines alone.
The `pct` tag limits what fraction of failing messages the policy applies to. Values below 100 mean enforcement is deliberately partial—useful for staged rollouts but confusing during troubleshooting because some failures still deliver. DN01 parses `pct` as an integer and errors when the value is not numeric or exceeds the 0–100 range. Full enforcement for production brands usually ends at `pct=100` once reports are clean.
Aggregate reports go to `rua` URIs, usually `mailto:` addresses that must be registered with your report processor. DN01 lists every comma-separated destination and warns when `rua` is absent, because without reports you are enforcing blind. Forensic `ruf` reports are optional and privacy-sensitive; many organizations omit `ruf` even when `rua` is present. The analyzer surfaces both when published.
Alignment tags `adkim` and `aspf` control whether strict (`s`) or relaxed (`r`) domain matching is required. When omitted, DN01 defaults both to relaxed and warns that receivers may accept organizational domain and subdomain combinations you did not intend. Strict modes are common before `reject` because they reduce the chance that a look-alike subdomain passes while the header From shows the apex brand.
Validity in DN01 means the record is free of blocking parse errors at inspection time. A monitoring record with `p=none` and missing `rua` can still be marked found with warnings—useful signal for risk reviews. Treat `valid=false` as a stop-ship DNS defect until fixed, because some receivers ignore malformed policies entirely.
Recommended workflow
- Run DMARC Analyzer on the apex domain that appears in customer-facing From addresses.
- If errors appear, fix TXT syntax, remove duplicate tags, and ensure only one DMARC publication exists at `_dmarc`.
- Open DKIM Validator for active selectors and DNS Checker for SPF includes that must align with the From domain.
- Publish or update `rua`, collect aggregate reports, then raise policy from `none` toward `quarantine` and `reject` with `pct=100`.
- Re-run DN01 after DNS TTL expires and attach the result page to change tickets or compliance evidence.
Tool vs manual checks
Command-line `dig TXT _dmarc.example.com` shows raw strings quickly but leaves policy interpretation to the operator. You must manually remember that duplicate `p=` tags invalidate the record, that `sp` overrides subdomain behavior, and that missing `rua` blocks reporting. DN01 encodes those rules and returns recommendations in the same pass, which is faster for handoffs between DNS and mail teams.
DNS Checker on DN01 displays all TXT records for a zone, which helps when SPF, DKIM, and verification tokens live alongside DMARC. It does not score DMARC policy risk or highlight partial `pct` enforcement. Use DNS Checker when you need full zone context; use DMARC Analyzer when the question is specifically authentication policy at `_dmarc`.
Mailbox aggregate XML reports show historical sending sources and failure rates, but they arrive daily or weekly and reflect past traffic. They do not prove what DNS publishes right now after an emergency change. DN01 answers the live publication question in seconds, while reports remain essential for deciding whether to tighten `p`.
Vendor-hosted DMARC consoles provide dashboards and report parsing, yet external auditors and DNS operators still need a neutral lookup of the TXT consumers see on the open internet. DN01 is independent of any report mailbox and works even when `rua` is missing—exactly the scenario where you need confirmation that monitoring was never configured.
Online TXT validators sometimes check generic SPF syntax but not DMARC-specific tag rules. DN01 is built around the Go parser used by the production API, so the SEO page and API share the same validation logic for `p`, `sp`, `pct`, duplicates, and alignment defaults.
Spreadsheet inventories of customer DMARC posture go stale the moment a registrar update or CDN DNS edit lands. A shareable DN01 result URL gives support and delivery teams a current snapshot with query name, raw record, and timing metadata without shell access.
Why use DN01
- Live `_dmarc.<domain>` TXT lookup with normalized domain input and resolver timing.
- Parses p, sp, pct, rua, ruf, adkim, and aspf with duplicate-tag and policy validation.
- Surfaces errors, warnings, and recommendations; missing records return diagnostics, not HTTP failures.
- Designed to pair with DKIM Validator and DNS Checker for full SPF/DKIM/DMARC alignment reviews.
FAQ
DMARC analyzer FAQ
TXT records at _dmarc, policies, alignment tags, aggregate reporting addresses, and rollout guidance.
What is a DMARC DNS record?
DMARC is published as a TXT record at _dmarc.example.com. It tells receivers how to handle mail that fails SPF or DKIM alignment and where to send aggregate (rua) or forensic (ruf) reports.
What do p=none, quarantine, and reject mean?
p=none monitors only — failures are reported but not blocked. quarantine sends failing mail to spam. reject tells receivers to drop unauthenticated messages. Most domains start at none, review rua reports, then tighten policy.
How does DN01 find and validate my DMARC record?
It queries _dmarc.yourdomain.com via live DNS, parses v=DMARC1 tags, validates syntax, and flags common mistakes such as invalid pct values or malformed rua addresses.
How does DMARC relate to SPF and DKIM?
SPF and DKIM prove individual authentication mechanisms. DMARC defines whether those results align with the From domain and what to do when they do not. Confirm SPF and DKIM TXT records in the DNS Checker and validate selectors with the DKIM validator.
What are rua and ruf tags?
rua lists addresses for daily aggregate XML reports summarizing pass/fail volumes. ruf requests forensic samples of individual failures. Use a dedicated mailbox or report parser — rua is essential for safe policy tightening.
Is DMARC enough to stop spoofing?
DMARC at p=reject with aligned SPF and DKIM blocks most direct domain spoofing, but lookalike domains and compromised accounts still need monitoring. Treat this analyzer as DNS configuration validation, not inbox security alone.
Tool switcher
Continue with another check
Pick the next step in your domain or security workflow.
- DKIM ValidatorDKIM selector lookup and record validationOpen
- DNS CheckerAll major record types in one passOpen
- DIGOne record type, resolver-style answerOpen
- Domain IP LookupA and AAAA IP addresses for a domainOpen
- Domain Age CheckerCreation date, age, registrar and expiryOpen
- WHOISRegistrar, expiry and domain statusOpen
- HTTP Header CheckerResponse headers, redirects and cachingOpen
- HTTP/2 TesterHTTP/2 support, ALPN and TLS negotiationOpen
- SSL Certificate CheckerCertificate chain, SAN and TLS versionOpen
- Blacklist CheckerDNSBL reputation for IP and domainOpen
- Punycode ConverterUnicode ↔ Punycode for IDN domainsOpen
- URL SplitterBreak a URL into parts and query paramsOpen
- Base64 CodecEncode and decode Base64 textOpen
- Password GeneratorStrong random passwords for ops workOpen
- Password Strength CheckerEntropy, crack time and password suggestionsOpen
- Passphrase GeneratorMemorable random word phrases for safer sharing testsOpen
- BIN CheckerCard brand, bank and country from BIN/IINOpen
- IP CalculatorSubnet math for IPv4 and IPv6 CIDROpen
- Browser Update CheckerBrowser version, update status and Client HintsOpen
Related articles
Practical guides for common DMARC Analyzer tasks — DNS records, troubleshooting steps, and links to our free tools.
dmarc policy, p=reject, email authentication
DMARC Policy Explained: none, quarantine, reject
Understand p=, sp=, pct=, and how policy changes affect spoofed mail before you move from monitoring to enforcement.
Read article →dmarc alignment, spf dkim dmarc, email deliverability
DMARC Alignment with SPF and DKIM
Why valid SPF or DKIM can still fail DMARC when envelope, header From, and signing domains do not align.
Read article →dmarc record tags, dmarc syntax, v=DMARC1
DMARC Record Tags and Syntax Operators Should Know
Decode v=DMARC1, p=, sp=, pct=, rua, ruf, fo, aspf, adkim, and common formatting mistakes in TXT records.
Read article →dmarc rua, dmarc ruf, aggregate reports
DMARC Aggregate and Forensic Reports: rua and ruf
How to publish rua and ruf mailto targets, what reports contain, and why forensic reports are often disabled.
Read article →dmarc sp tag, subdomain dmarc policy, sp=reject
DMARC Subdomain Policy sp= for Marketing and Product Hosts
When sp= matters for mail.example.com, how it inherits from p=, and why separate subdomain senders need explicit alignment.
Read article →dmarc reject migration, dmarc enforcement, dmarc rollout
Moving DMARC from p=none to quarantine or reject Safely
A staged rollout using reports, pct= sampling, and alignment fixes before full spoofing protection.
Read article →