How to Check a DMARC Record (and What the Policy Means)

DMARC tells receivers what to do when SPF and DKIM fail. Here is how to read your DMARC policy, the difference between none, quarantine, and reject, and how to check it.

DMARC is the record that ties SPF and DKIM together and tells receiving servers what to do when they fail. As of 2024, Google and Yahoo require it for bulk senders, so a missing or misconfigured DMARC record is no longer a minor issue.

What DMARC does

DMARC (Domain-based Message Authentication, Reporting and Conformance) sits at a fixed DNS location:

_dmarc.acme.com

It does two things. First, it sets a policy: if a message claiming to be from your domain fails both SPF and DKIM alignment, what should the receiver do? Second, it asks receivers to send you reports about who is sending mail as your domain, which is how you catch spoofing.

A record looks like this:

v=DMARC1; p=quarantine; rua=mailto:[email protected]; pct=100
  • p= is the policy. This is the part that matters most.
  • rua= is where aggregate reports are sent.
  • pct= is the percentage of failing mail the policy applies to.

What the policy means

  • p=none is monitor only. Failing mail is still delivered, but you get reports. This is the right place to start, and the wrong place to stay. Many domains publish none and forget, which gives spoofers a free pass.
  • p=quarantine sends failing mail to spam. A reasonable enforcement step once your legitimate senders are passing.
  • p=reject tells receivers to drop failing mail outright. This is full protection, and the goal, but only after you have confirmed every legitimate sending source is authenticated.

Moving straight to p=reject before SPF and DKIM are solid will block your own newsletters and transactional mail. Start at none, read the reports, fix the gaps, then tighten.

How to check it

You can run dig _dmarc.acme.com TXT +short and parse the tags yourself, but it is easy to overlook a missing rua or a policy still stuck on none.

The free DMARC checker fetches the record, tells you the policy in plain English, and flags the common gaps (no record, policy at none, missing reporting address). It shows you the raw record so you can confirm what receivers see, and it does not save the domain you check.
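The same checks applied to the text that dig returns, as an added example (not the checker's own code). The sample records and example.com addresses are constructed, and the function names are illustrative.

```python
# Added example: audit the text returned by `dig _dmarc.<domain> TXT +short`.
# Sample records are constructed; example.com addresses are placeholders.
VALID_POLICIES = ("none", "quarantine", "reject")

def parse_dmarc(txt):
    """Return the record's tags as a dict, or None if it is not a DMARC record."""
    # dig quotes TXT data and splits long records into several quoted chunks.
    parts = txt.split('"')
    raw = "".join(parts[1::2]) if len(parts) > 1 else txt
    tags = {}
    for field in raw.split(";"):
        name, sep, value = field.partition("=")
        if sep:
            tags.setdefault(name.strip().lower(), value.strip())
    # The version tag must come first and read exactly DMARC1.
    if next(iter(tags), None) != "v" or tags["v"] != "DMARC1":
        return None
    return tags

def audit_dmarc(txt):
    """Return (policy, findings) for one TXT answer; empty input means no record."""
    tags = parse_dmarc(txt) if txt and txt.strip() else None
    if tags is None:
        return None, ["no DMARC record published"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        findings.append("missing or invalid p= tag")
    elif policy == "none":
        findings.append("p=none: monitor only, failing mail is still delivered")
    if not tags.get("rua"):
        findings.append("no rua= address: aggregate reports go nowhere")
    pct = tags.get("pct", "100")  # pct defaults to 100 when absent
    if policy in ("quarantine", "reject") and pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: policy covers only part of failing mail")
    return policy or None, findings

SAMPLES = {  # constructed dig outputs
    "enforced": '"v=DMARC1; p=reject; rua=mailto:reports@example.com; pct=100"',
    "forgotten": '"v=DMARC1; p=none"',
    "partial": '"v=DMARC1; p=quarantine; " "rua=mailto:reports@example.com; pct=25"',
    "not_dmarc": '"v=spf1 -all"',
    "absent": "",
}

if __name__ == "__main__":
    for name, record in SAMPLES.items():
        print(name, audit_dmarc(record))
```

An empty findings list means the record is enforced at 100% and has a reporting address; it says nothing about whether SPF and DKIM pass underneath it.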

DMARC only works if SPF and DKIM are healthy underneath it. Check those with the SPF checker and the DKIM checker, or read the full SPF, DKIM, and DMARC setup guide.
