Skip to content
Quasar Tools Logo

Best DMARC Record Validation Tools

The best DMARC record validation tools compared: how to validate your DMARC record, fix common errors, and move from monitoring to enforcement safely.

DH
Tutorials & How-Tos12 min read2,700 words

A missing or misconfigured DMARC record leaves your domain open to email spoofing — attackers can send phishing emails that appear to come from your address with nothing blocking them. Yet publishing a p=reject policy without validating your SPF and DKIM setup first can block your own legitimate email. This guide covers how to validate your DMARC record correctly, what every tag means, the tools that catch errors before they cause problems, and how to safely progress from monitoring to full enforcement.

3Policy levelsnone, quarantine, reject
1Required tagv=DMARC1 must come first
24–48hDNS propagation timeafter publishing or changing

What is a DMARC record?

DMARC stands for Domain-based Message Authentication, Reporting, and Conformance. It is a DNS TXT record published at `_dmarc.yourdomain.com` that tells receiving mail servers what to do when an email claiming to be from your domain fails authentication checks. Without DMARC, anyone can send email that appears to come from your domain — a technique called domain spoofing that is used in phishing and business email compromise attacks.

A DMARC record does two things: it sets a policy (what action to take on failing messages) and it configures reporting (where to send summaries of authentication results). The policy can be `none` (monitor but take no action), `quarantine` (deliver to spam), or `reject` (block the message entirely). The reporting tags specify email addresses that receive daily XML aggregate reports from major mail providers.

The DMARC record structure

DNS TXT record at _dmarc.yourdomain.com
text
# Monitoring-only record (safe starting point)
v=DMARC1; p=none; rua=mailto:[email protected]

# Quarantine with partial enforcement and forensic reports
v=DMARC1; p=quarantine; pct=25; rua=mailto:[email protected]; ruf=mailto:[email protected]; adkim=r; aspf=r

# Full rejection — use only after confirming all senders pass
v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:[email protected]; adkim=s; aspf=s
  • v=DMARC1: Version tag — mandatory, must be first, exactly as written.
  • p=: Policy applied to the domain — `none`, `quarantine`, or `reject`.
  • sp=: Subdomain policy — overrides p= for subdomains if set.
  • rua=: Aggregate report destination — a mailto: URI (or reporting service URI).
  • ruf=: Forensic report destination — individual failure reports (less common, privacy implications).
  • pct=: Percentage of messages to apply the policy to — useful for gradual rollout (1–100).
  • adkim=: DKIM alignment mode — `r` (relaxed) or `s` (strict).
  • aspf=: SPF alignment mode — `r` (relaxed) or `s` (strict).

Note

DMARC records are always published as TXT records at the exact subdomain `_dmarc.yourdomain.com` — note the leading underscore. Publishing at the wrong location (e.g. `dmarc.yourdomain.com` without the underscore) means receiving mail servers will not find it and will treat your domain as having no DMARC policy.

How DMARC works with SPF and DKIM

DMARC does not authenticate email on its own — it is an orchestration layer that sits on top of SPF and DKIM. When a receiving mail server gets an email claiming to be from your domain, it checks two things: did the message pass SPF or DKIM, and does the authenticated domain align with the From header domain? If at least one of the two passes and aligns, DMARC passes. If neither passes with alignment, the receiving server applies the policy in your DMARC record.

SPF authentication and alignment

SPF (Sender Policy Framework) authorises which mail servers are allowed to send email on behalf of your domain. The check happens against the SMTP envelope sender (the `MAIL FROM` address), not the visible From header. For DMARC alignment, the domain in the `MAIL FROM` must match (or be a subdomain of, in relaxed mode) the From header domain. When you send through a third-party service like Mailchimp or SendGrid, their return-path domain is often `mailchimp.com` — this breaks SPF alignment unless you configure a custom return-path subdomain. Use the SPF Record Validator to check your SPF record for syntax errors and lookup limit violations before relying on it for DMARC alignment.

DKIM authentication and alignment

DKIM (DomainKeys Identified Mail) adds a cryptographic signature to outgoing emails. The signature includes a `d=` tag specifying the signing domain. For DMARC alignment, the `d=` domain must match (or be a subdomain of, in relaxed mode) the From header domain. DKIM alignment is more robust for third-party senders because you can configure them to sign with your own domain rather than theirs. The DKIM Record Validator checks that the public key DNS record for a given selector is correctly formatted and accessible.

AuthenticationWhat it checksAlignment targetQuasar Tools checker
SPFWhich servers can send for domainMAIL FROM domain vs From headerSPF Record Validator
DKIMCryptographic message signatured= tag domain vs From headerDKIM Record Validator
DMARCPolicy + alignment orchestrationRequires SPF or DKIM to alignDMARC Record Validator

To pass DMARC authentication, messages must be authenticated by SPF or DKIM, and the authenticating domain must align with the domain in the From header.

Google Email Sender Guidelines 2024

Warning

DMARC requires alignment, not just SPF and DKIM passing. A message can pass SPF and DKIM independently but still fail DMARC if the authenticated domains do not match the From header. This is the most common reason a DMARC record shows as "configured" but enforcement is not working as expected.

How to validate your DMARC record

Validating a DMARC record requires checking three things: that the DNS record exists and is accessible, that the syntax is correct, and that SPF and DKIM are configured to support the alignment DMARC depends on. Each step can be done quickly with the right tools.

1

Look up your current DMARC record

In a terminal, run `dig TXT _dmarc.yourdomain.com` (Linux/macOS) or `nslookup -type=TXT _dmarc.yourdomain.com` (Windows). The output should include a TXT record starting with `v=DMARC1`. If there is no result, no DMARC record has been published. If you see a redirect or an error, check that you queried `_dmarc.yourdomain.com` with the underscore prefix.

2

Validate syntax with the DMARC Record Validator

Copy the raw DMARC record value (everything after the TXT record type in the DNS response) and paste it into the DMARC Record Validator. The tool checks that `v=DMARC1` comes first, that `p=` is present with a valid value, that any `rua=` or `ruf=` URIs are correctly formatted, and that percentage and alignment values are within allowed ranges. Errors are reported with the specific tag that failed.

3

Validate SPF and DKIM independently

Use the SPF Record Validator to check your SPF record for the lookup limit (maximum 10 DNS lookups — exceeding it causes SPF permerror), syntax errors, and missing mechanisms. Use the DKIM Record Validator with your selector and domain to confirm the public key record is correctly published. DMARC is only as strong as the SPF and DKIM records supporting it.

4

Plan your enforcement progression

Use the DMARC Policy Rollout Planner to map out a safe timeline for moving from `p=none` to `p=quarantine` to `p=reject`. The planner accounts for your current authentication pass rates and suggests a pct= percentage progression that minimises the risk of blocking legitimate mail during the transition.

DMARC Record Validator

Validate DMARC DNS records for syntax errors, invalid policy values, and missing required tags — browser-local with tag-level diagnostics.

Open tool

Common DMARC errors and fixes

Most DMARC validation problems fall into predictable categories. Many are simple syntax issues that a validator catches immediately; others are more subtle configuration problems that require understanding alignment to diagnose correctly.

Syntax and tag errors

  • Missing v=DMARC1 as first tag: The version tag must be the first field. If any other tag precedes it, the record is invalid.
  • Missing p= tag: The policy tag is required. A record without p= is malformed and ignored by most mail servers.
  • Invalid p= value: Only `none`, `quarantine`, and `reject` are valid. Any other value (e.g. `monitor`) causes the record to be rejected.
  • Missing semicolons between tags: Tags must be separated by semicolons. A missing separator causes the parser to merge two tags into one invalid tag.
  • Spaces around = signs: `p = none` (with spaces) is invalid in some parsers. Use `p=none` with no spaces.
  • Invalid rua= URI format: The rua= value must be a valid `mailto:` URI. A plain email address without `mailto:` is a syntax error.

Alignment and authentication errors

Alignment errors are harder to diagnose than syntax errors because they require understanding the email headers. The most common scenario: you configured SPF correctly for direct sends from your own mail server, but when email is sent via a third-party marketing platform, the `MAIL FROM` uses the platform's domain — breaking SPF alignment. The fix is either to configure DKIM signing with your own domain on the third-party platform, or to set up a custom return-path subdomain that maps to your domain.

ErrorSymptomCauseFix
No DMARC recorddig returns no TXT recordRecord not publishedCreate TXT at _dmarc.yourdomain.com
Wrong DNS locationRecord ignored by mail servers_dmarc. prefix missingPublish at _dmarc.yourdomain.com
Missing p= tagRecord treated as invalidRequired tag omittedAdd p=none, p=quarantine, or p=reject
SPF alignment failureDMARC fails for 3rd-party sendersMAIL FROM domain mismatchConfigure custom return-path subdomain
DKIM alignment failureDMARC fails despite valid DKIMd= domain mismatchConfigure DKIM signing with your domain
SPF lookup limit exceededSPF permerror, DMARC failsMore than 10 DNS lookupsUse SPF Flatten Checker to consolidate
pct= out of rangeValidator reports errorValue not between 1 and 100Set pct= to a valid integer 1–100

Tip

If your SPF record is approaching the 10 DNS lookup limit — common for organisations using multiple email services — use the [SPF Flatten Checker](/tools/data/validators/spf-flatten-checker) to identify which mechanisms are contributing the most lookups and which can be consolidated or replaced with direct IP ranges.

Moving from none to enforcement

The most common mistake in DMARC deployment is setting `p=reject` before confirming that all legitimate email streams are correctly authenticating. Emails from forgotten sending services — transactional email platforms, CRM tools, ticketing systems, partner integrations — will be silently blocked, and the sender may not notice until they receive complaint reports or users report missing emails.

The three-phase rollout

A safe DMARC rollout follows three phases. In Phase 1 (weeks 1–4), publish `p=none` with a `rua=` reporting address and review aggregate reports to identify all sending sources and their pass rates. In Phase 2 (weeks 5–10), move to `p=quarantine; pct=10` and gradually increase `pct=` as reports confirm pass rates improve — starting with 10% means only 10% of failing messages are quarantined, limiting blast radius. In Phase 3 (week 11+), move to `p=reject` once all legitimate senders consistently pass and your aggregate reports show minimal or no authentication failures from legitimate sources.

What to look for in aggregate reports

Aggregate reports show every source that sent email claiming to be from your domain. Look for your own mail servers, your email service providers, and any authorised third-party senders — all should show high pass rates for both SPF and DKIM. Any source with significant volume and low pass rates needs investigation: either it is a legitimate sender that needs its authentication fixed, or it is an unauthorised sender that enforcement should block. The DMARC Policy Rollout Planner guides you through interpreting these signals and choosing appropriate timing for each phase transition.


Warning

Google and Yahoo implemented bulk sender requirements in 2024 requiring domains sending more than 5,000 messages per day to Gmail and Yahoo Mail to have DMARC at `p=none` or above, with SPF and DKIM both configured. While `p=none` satisfies the requirement, reaching `p=reject` provides actual protection — enforcement at `none` does not block spoofed messages, only monitors them.

DMARC reporting and monitoring

DMARC reporting is the feedback loop that makes enforcement safe. Without aggregate reports, you are flying blind — you cannot know which sources are passing or failing authentication, or whether a recent sending infrastructure change broke something. Setting up reporting correctly is as important as setting up the policy itself.

Aggregate reports (rua=)

The `rua=` tag specifies a `mailto:` URI that receives daily XML aggregate reports from every major mail provider (Google, Microsoft, Yahoo, etc.) that handles email from your domain. Each report is a compressed XML file showing message counts, source IPs, SPF/DKIM/DMARC results, and policy disposition. The receiving address must be on the same domain as the DMARC record, or a cross-domain URI with a permission record published at the third-party domain. Most organisations use a dedicated DMARC reporting service rather than a direct inbox because raw XML reports require parsing tools to be useful.

Forensic reports (ruf=)

The `ruf=` tag configures forensic (failure) reports — individual copies of messages that fail DMARC. These contain more detail than aggregate reports but have privacy implications: they may include email headers, and some providers have stopped sending them due to GDPR considerations. Most DMARC practitioners use only `rua=` for aggregate data and omit `ruf=` unless forensic analysis of specific failure cases is needed.

Third-party DMARC reporting services

  • Google Postmaster Tools: Free dashboard showing your domain's reputation and email authentication pass rates from Gmail's perspective.
  • Postmark DMARC: Free aggregate report parser with a visual dashboard — good for getting started without a paid service.
  • Dmarcian: Comprehensive paid platform with per-source analysis, authentication issue alerts, and rollout guidance.
  • Valimail: Enterprise-grade DMARC platform with automated enforcement recommendations based on report analysis.
  • EasyDMARC: Mid-market DMARC monitoring and management platform with actionable insights per sending source.

DMARC best practices

Following these practices ensures your DMARC deployment provides real protection without disrupting legitimate email, and that your configuration stays correct as your sending infrastructure evolves.

Always validate the full email authentication stack

A DMARC record is only as effective as the SPF and DKIM records supporting it. Validate all three together: use the DMARC Record Validator for the policy record, the SPF Record Validator to check mechanism syntax and the 10-lookup limit, and the DKIM Record Validator to confirm your public key is correctly published for each selector in use. Re-validate all three after any email infrastructure change — new sending service, domain migration, or SSL certificate renewal can all affect DKIM key publication.

Use relaxed alignment during transition

The default alignment mode for both SPF and DKIM is relaxed (`adkim=r; aspf=r`), which allows subdomains to satisfy alignment for the parent domain. This is the right setting during a rollout because many legitimate senders use subdomains of your domain for authentication. Only switch to strict alignment (`adkim=s; aspf=s`) if you have a specific security requirement and have confirmed all senders use exact domain matching — strict alignment with a single misconfigured sender breaks DMARC for every message that sender transmits.

  • Start with p=none, never p=reject: Build confidence in your authentication pass rates before applying enforcement.
  • Set up rua= before anything else: You cannot make informed policy decisions without aggregate report data.
  • Check the DKIM selector-planning helper: Use the DKIM Selector Planning Helper when rotating DKIM keys to avoid overlap errors.
  • Use pct= for gradual enforcement: Start at pct=10 when moving to quarantine or reject — this limits impact if something is misconfigured.
  • Re-validate after every email platform change: Adding a new marketing tool, CRM, or ticketing system typically requires updating SPF and configuring DKIM.
  • Monitor DNS propagation: After publishing or changing a DMARC record, use the DNS Propagation ETA Estimator to know when the change will be visible globally.

DMARC Policy Rollout Planner

Plan your DMARC enforcement progression from none to quarantine to reject with a step-by-step timeline based on your authentication data.

Open tool

Key takeaways

  • DMARC sits on top of SPF and DKIM — it sets the policy for failing messages and requires at least one of SPF or DKIM to align with the From header domain.
  • Validate the full stack: use the DMARC Record Validator, SPF Record Validator, and DKIM Record Validator together.
  • The most common errors are missing `p=` tag, invalid policy values, wrong DNS location (missing `_dmarc.` prefix), and SPF/DKIM alignment failures for third-party senders.
  • Never jump straight to `p=reject` — start with `p=none`, analyse aggregate reports for 2–4 weeks, then progress to quarantine and reject gradually using `pct=`.
  • Google and Yahoo 2024 bulk sender requirements mandate DMARC at `p=none` or above for senders exceeding 5,000 daily messages — but only `p=reject` actually blocks spoofed email.
  • Set up `rua=` aggregate reporting from day one — you cannot make safe enforcement decisions without data on which sources are passing and failing authentication.
  • Use the DMARC Policy Rollout Planner to map a safe, step-by-step path from monitoring to full enforcement.

Frequently Asked Questions

The Quasar Tools DMARC Record Validator checks your DMARC DNS record for syntax errors, invalid policy values, and missing required tags entirely in your browser. For a comprehensive check, pair it with the SPF Record Validator and DKIM Record Validator — DMARC only provides protection when at least one of SPF or DKIM is correctly configured and aligned with your From domain. For ongoing monitoring, use a DMARC reporting service like Postmark, Dmarcian, or Google Postmaster Tools to receive and parse aggregate reports.

A minimal valid DMARC record looks like: `v=DMARC1; p=none; rua=mailto:[email protected]`. The v=DMARC1 tag is mandatory and must come first. The p= tag sets the policy: none (monitor only), quarantine (send to spam), or reject (block). The rua= tag specifies where aggregate reports are sent. A production-ready record typically also includes sp= (subdomain policy), pct= (percentage of messages to apply policy to), and adkim=/aspf= alignment mode tags.

These are the three DMARC enforcement levels. p=none takes no action on failing messages — you receive reports but email delivery is unaffected, making it ideal for initial monitoring. p=quarantine instructs receiving mail servers to treat failing messages with suspicion — typically delivered to the spam folder. p=reject instructs receiving mail servers to outright block messages that fail DMARC checks, which is the strongest protection against email spoofing and phishing from your domain.

Alignment means the domain in the From header matches the domain authenticated by SPF or DKIM. For SPF alignment, the SMTP envelope MAIL FROM domain must match the From header domain. For DKIM alignment, the d= tag in the DKIM signature must match the From header domain. DMARC requires at least one alignment check to pass — if neither SPF nor DKIM aligns with the From domain, the message fails DMARC regardless of whether SPF and DKIM themselves pass at their own level.

A missing DMARC record means you have not published one yet. Create a TXT record in your DNS at the subdomain _dmarc.yourdomain.com. Start with a monitoring policy: `v=DMARC1; p=none; rua=mailto:[email protected]`. Once you have confirmed legitimate mail is passing authentication through aggregate reports, progress to quarantine then reject. Validate the new record with the DMARC Record Validator after DNS propagation (typically 15–60 minutes).

Aggregate reports (rua=) are XML files sent daily by receiving mail servers showing how many messages claimed to be from your domain, which IPs sent them, and whether they passed SPF/DKIM/DMARC. Raw XML is difficult to read — use a DMARC reporting service to parse and visualise the data. Review reports weekly during initial deployment to identify legitimate mail streams failing authentication before you enforce a stricter policy that would block them.

No. Jumping straight to p=reject without monitoring first is risky. If any legitimate mail stream is not correctly authenticating — a third-party sender, a marketing platform, or a forwarding service — p=reject will silently block those messages. The safe approach: start with p=none for 2–4 weeks while analysing aggregate reports, then move to p=quarantine at pct=10 and gradually increase the percentage, then finally move to p=reject once all legitimate sending sources are confirmed passing authentication.

DMARC with p=reject stops exact-domain spoofing — emails that forge the From address as @yourdomain.com. It does not stop lookalike domain attacks where attackers register similar-looking domains, or display-name spoofing where the sender name appears legitimate but the actual email address is different. DMARC is a foundational control, not a complete anti-phishing solution. Pair it with SPF, DKIM, BIMI brand indicators, and user security training for broader protection.

ShareXLinkedIn

Related articles