Free tool
DMARC Checker.
Check your domain's DMARC record and policy in seconds. See whether you are on p=none, quarantine or reject, along with SPF and DKIM, and get plain-English findings you can act on.
Instant results
No waiting, no signup
Policy explained
none, quarantine or reject
SPF and DKIM too
DMARC needs both to work
Microsoft 365 aware
Checks M365 DKIM selectors
What it does
What a DMARC record actually does.
DMARC (Domain-based Message Authentication, Reporting and Conformance) sits on top of SPF and DKIM. When a mail server receives an email claiming to be from your domain, it checks SPF and DKIM, then reads your DMARC record to decide what to do if those checks fail. Without a DMARC record, there is no instruction, so a forged email from your domain lands in the inbox with nothing to stop it.
It does two jobs. The policy tells receiving servers to monitor, quarantine or reject email that fails, which is what stops your domain being used to impersonate you. The reporting tells those servers to send you a daily summary of every source sending as your domain, which is how you find spoofing and misconfigured systems. For a business, the reporting alone is often worth turning DMARC on for.
The policies
none, quarantine, reject.
Your DMARC record carries one of three policies. The checker above shows which one your domain is on. The goal for any domain that sends email is p=reject, reached carefully so no legitimate email is lost on the way.
Monitor only
Takes no action on failing email, so spoofed messages still arrive. Its value is the reporting: it shows you every source sending as your domain so you can confirm your legitimate email before enforcing. A sensible starting point, but not a place to stay.
Send to spam
Delivers failing email to the recipient's spam or junk folder rather than the inbox. A reasonable middle step once your reports confirm that all legitimate email passes, on the way to full enforcement.
Block outright
Rejects failing email before it is delivered. This is the strongest setting and the one that actually stops your domain being used in phishing and invoice fraud. It is the goal for any domain that sends email.
Why it matters
Domain spoofing and invoice fraud
Most business email fraud starts with a message that looks like it came from a trusted domain: yours, a supplier's or a client's. Without DMARC at enforcement, those messages reach inboxes with no warning, which is what makes business email compromise and invoice redirection so effective.
A DMARC record at p=reject means an attacker can no longer send email as your domain and have it delivered. It does not fix every email risk, but it closes the specific gap that impersonation scams rely on, and the reporting shows you the attempts as they happen.
How to set it up
The order that works
- 1. SPF first. Publish an SPF record listing every server allowed to send as your domain, including Microsoft 365 if you use it.
- 2. Then DKIM. Turn on DKIM signing (two selectors for Microsoft 365) so receiving servers can verify your email has not been altered.
- 3. DMARC at p=none. Add a DMARC record with a rua reporting address and collect data until you are sure all legitimate email passes.
- 4. Step up. Move to p=quarantine, then p=reject, once the reports are clean. Rushing to reject before that risks blocking your own email.
Want the full picture including SPF and DKIM depth? Use the email security checker, which walks through all three protocols.
Common questions
DMARC, answered.
Want SPF, DKIM and DMARC configured properly rather than just checked? Book a Microsoft 365 security review. No obligation.
Book a review →What is a DMARC record?
A DMARC record is a DNS TXT record at _dmarc.yourdomain that tells receiving mail servers what to do when an email claiming to be from your domain fails SPF or DKIM checks. It also asks those servers to send you reports on who is sending email as your domain. Without it, a spoofed email from your domain reaches inboxes with nothing to stop it.
What do p=none, p=quarantine and p=reject mean?
These are the three DMARC policy levels. p=none monitors only and takes no action, so failing email still arrives. p=quarantine sends failing email to the spam folder. p=reject blocks it outright and is the strongest setting. Most organisations start at p=none to collect reporting data, confirm their legitimate email all passes, then step up to quarantine and finally reject.
How do I check my DMARC record?
Enter your domain in the checker above. It looks up your DMARC record, shows your current policy, and checks SPF and DKIM at the same time, because DMARC only works properly when those two are in place. You get a plain-English result rather than raw DNS output, so you can see exactly what is missing.
Do I need SPF and DKIM for DMARC to work?
Yes. DMARC relies on SPF and DKIM to decide whether an email is legitimate. A DMARC record with no SPF and no DKIM behind it provides very little protection, because there is nothing for the policy to enforce. The usual order is SPF first, then DKIM, then a DMARC record starting at p=none.
What is a DMARC report (rua and ruf)?
DMARC reporting tags tell receiving servers where to send data about email using your domain. The rua tag receives aggregate reports, a daily summary of every source sending as you, and the ruf tag receives failure reports on individual messages. Aggregate reporting is the useful one: it shows spoofing attempts and misconfigured systems before they cause deliverability problems.
Is this DMARC checker free?
Yes, the checker is free and needs no signup. If you want SPF, DKIM and DMARC configured and tested for your domain rather than just checked, IronSights does that as part of a Microsoft 365 security review. There is no obligation to go further after using the tool.