
Policy Inspector · Tag Parser · Report URI Check · Free

DMARC Analyzer

Free DMARC record checker and inspector -- instantly look up any domain's DMARC DNS record, analyze every tag, assess policy strength, and get actionable configuration advice.

✓ Full tag-by-tag parsing
✓ Policy strength analysis
✓ Report URI validation
✓ Alignment mode detection
✓ No signup
Queries _dmarc.yourdomain.com via Cloudflare DNS-over-HTTPS (Google DoH fallback). Nothing is sent to Best-TempMail servers.
What this tool does

Free DMARC analyzer -- inspect and validate any domain's DMARC record

DMARC (Domain-based Message Authentication, Reporting, and Conformance) is a DNS-based email authentication protocol that lets domain owners specify what receiving mail servers should do when an email fails SPF or DKIM checks. Published as a TXT record at _dmarc.yourdomain.com, a DMARC record defines the policy (none, quarantine, or reject), where to send authentication failure reports, and how strictly the sending domain must match the authenticated domain.

DMARC is the capstone of email authentication. SPF authorizes which servers are allowed to send on behalf of your domain. DKIM cryptographically signs messages so recipients can verify they were not altered in transit. DMARC ties these together with alignment requirements -- the domain in the From: header must match the domain authenticated by SPF or DKIM -- and adds a reporting mechanism that shows exactly what is happening to email sent from your domain across the internet.

This analyzer queries your domain's DMARC record in real time using Cloudflare DNS-over-HTTPS and decodes every tag. It assesses your policy strength, checks whether aggregate reports are configured (essential for visibility), identifies partial rollout configurations (pct= below 100%), and evaluates alignment settings. The result includes plain-English guidance for each tag so you can understand exactly what needs to change and why.

What this tool analyzes
v= tag
Version -- must be DMARC1
p= tag
Policy: none (monitor), quarantine (spam), or reject (block)
sp= tag
Subdomain policy override -- can differ from the main domain
pct= tag
Rollout percentage -- what fraction of failures the policy applies to
rua= tag
Aggregate report addresses -- where daily XML reports are sent
ruf= tag
Forensic report addresses -- per-failure message details
adkim= tag
DKIM alignment: relaxed (default) or strict
aspf= tag
SPF alignment: relaxed (default) or strict
fo= tag
Failure reporting options -- which failure types trigger reports
ri= tag
Report interval -- how often to receive aggregate reports
Examples

Real-world DMARC records -- what each configuration means

These examples show the most common DMARC configurations and what the analyzer finds in each one.

Example 1: Reject policy -- maximum protection
v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s
A fully enforced DMARC record. p=reject blocks all unauthenticated email outright. rua= is set for monitoring. Strict alignment (adkim=s, aspf=s) requires an exact domain match. This is the gold standard for domains not used for sending email, or for mature senders who have reviewed their aggregate reports.
Example 2: Quarantine policy with 25% rollout
v=DMARC1; p=quarantine; pct=25; rua=mailto:reports@example.com; ruf=mailto:forensics@example.com
A common configuration during phased policy rollout. p=quarantine sends failures to spam, but pct=25 means only 25% of failing messages are affected. Both aggregate (rua=) and forensic (ruf=) reports are configured. Gradually increase pct to 100 as confidence grows.
Example 3: None policy -- monitoring only
v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com; aspf=r; adkim=r
A monitoring-only configuration. p=none means no action is taken on failures, but aggregate reports are sent to the rua= address. This is the recommended starting point for new DMARC deployments. Analyze the reports for 2-4 weeks before tightening the policy.
Example 4: Missing rua= -- no visibility
v=DMARC1; p=reject
A valid reject policy but with no rua= address. Without aggregate reports, you have no visibility into authentication failures or whether legitimate email is being rejected. Always configure rua= to at least one report address.
Example 5: Subdomain policy override
v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@example.com
The main domain uses reject but subdomains use none (sp=none). This is useful when the main domain is fully authenticated but some subdomains send email from third-party services that are not yet DKIM-signed. The sp= tag lets you protect the root domain while giving subdomains more flexibility.
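The checks walked through in Examples 1-5 can be expressed as a small parser and assessor. This is an added example, not the analyzer's own code; the function names, result fields and finding texts are assumptions made for illustration, and it works on a record string rather than doing a DNS lookup.

```javascript
// Added example, not the analyzer's code. Names and finding texts are illustrative.
const DEFAULTS = { adkim: 'r', aspf: 'r', pct: '100' }; // defaults for omitted tags

function parseDmarc(record) {
  const tags = Object.create(null);          // no inherited keys to collide with tag names
  for (const part of record.split(';')) {
    const eq = part.indexOf('=');
    if (eq === -1) continue;                 // empty or malformed segment
    const name = part.slice(0, eq).trim().toLowerCase();
    if (!(name in tags)) tags[name] = part.slice(eq + 1).trim(); // keep first occurrence
  }
  return tags;
}

function assessDmarc(record) {
  const tags = parseDmarc(record);
  // v= must be the first tag and must be DMARC1
  if (!/^\s*v\s*=\s*DMARC1\s*(;|$)/.test(record)) {
    return { valid: false, findings: ['v=DMARC1 must be the first tag'] };
  }
  const policy = (tags.p || '').toLowerCase();
  if (!['none', 'quarantine', 'reject'].includes(policy)) {
    return { valid: false, findings: ['p= must be none, quarantine or reject'] };
  }
  const eff = { ...DEFAULTS, ...tags };
  const findings = [];
  const pct = /^\d{1,3}$/.test(eff.pct) ? Number(eff.pct) : NaN;
  if (Number.isNaN(pct) || pct > 100) {
    findings.push('pct= must be an integer from 0 to 100');
  } else if (pct < 100 && policy !== 'none') {
    findings.push(`partial rollout: policy applies to ${pct}% of failures`);
  }
  if (policy === 'none') findings.push('monitoring only: failures are reported, not acted on');
  if (!eff.rua) {
    findings.push('no rua=: no aggregate reports, no visibility');
  } else {
    for (const uri of eff.rua.split(',').map(u => u.trim())) {
      if (!/^mailto:[^@\s]+@[^@\s]+$/i.test(uri)) findings.push(`rua= entry is not a mailto: address: ${uri}`);
    }
  }
  if (eff.sp && eff.sp.toLowerCase() !== policy) {
    findings.push(`subdomains get sp=${eff.sp} while the main domain has p=${policy}`);
  }
  const strictAlignment = eff.adkim.toLowerCase() === 's' && eff.aspf.toLowerCase() === 's';
  return { valid: true, policy, pct, strictAlignment, findings };
}

// The record from Example 2 on this page
console.log(assessDmarc('v=DMARC1; p=quarantine; pct=25; rua=mailto:reports@example.com; ruf=mailto:forensics@example.com'));
```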
FAQ

Frequently asked questions

What is a DMARC record?
A DMARC (Domain-based Message Authentication, Reporting, and Conformance) record is a DNS TXT entry published at _dmarc.yourdomain.com that tells receiving mail servers what to do when a message fails SPF and DKIM authentication checks. It specifies a policy (none, quarantine, or reject), reporting addresses for aggregate and forensic reports, and alignment requirements. Without a DMARC record, receiving servers have no policy guidance and make their own decisions about unauthenticated mail from your domain.
What is the difference between DMARC none, quarantine, and reject?
The p= tag sets the policy. 'none' means monitor only — emails pass regardless of authentication failures, but reports are generated. 'quarantine' means unauthenticated messages are sent to the spam folder. 'reject' means unauthenticated messages are refused outright. Most organizations start with none for monitoring, move to quarantine once they have confidence in their sending sources, then graduate to reject for maximum protection.
How do I look up a DMARC record?
Enter any domain into the analyzer above and click Analyze DMARC. The tool queries the DNS TXT record at _dmarc.yourdomain.com using live DNS over HTTPS lookups via Cloudflare DoH with Google DoH as fallback. Results appear within seconds. You can look up any domain -- your own or a competitor's -- as DMARC records are publicly accessible in DNS. No login or email address is required.
What is DMARC alignment?
Alignment means the domain in the From: header of the email must match the domain authenticated by SPF or DKIM. In relaxed alignment (the default), subdomains are accepted. In strict alignment, the domains must match exactly. The adkim= tag controls DKIM alignment and aspf= controls SPF alignment. If alignment fails on both mechanisms, DMARC fails regardless of whether SPF and DKIM individually pass.
What are DMARC aggregate reports (rua)?
Aggregate reports are XML files sent daily by major mail providers (Gmail, Outlook, Yahoo) to the address specified in rua=. They show how many messages were sent from your domain, which passed or failed SPF and DKIM, which senders were involved, and what policy action was applied. Setting up rua= is essential for understanding your email traffic before tightening your DMARC policy.
What are DMARC forensic reports (ruf)?
Forensic reports (specified in ruf=) contain details of individual authentication failures, including the message headers and sometimes the message body. They are sent in near real-time to the ruf= address when a message fails DMARC evaluation. Because forensic reports may contain sensitive email content, many receiving mail servers no longer send them due to privacy concerns. Aggregate reports (rua=) remain the primary monitoring mechanism for DMARC deployments and are supported by all major mail providers.
What does the pct= tag do in DMARC?
The pct= tag specifies what percentage of non-authenticating messages the policy should be applied to. For example, pct=10 means only 10% of failing messages are quarantined or rejected — the rest pass through as if the policy were 'none'. This allows gradual rollout of stricter policies. Once monitoring confirms no legitimate email is failing, increase pct to 100. Start with pct=10 and double it each week as you confirm authentic senders are passing authentication.
Why does my DMARC record show 'none' policy?
A 'none' policy is common when a domain has just set up DMARC and is in monitoring mode. It means authentication failures are logged in reports but not acted on. To actively protect your domain from spoofing and phishing, you need to progress to 'quarantine' and eventually 'reject' once you have reviewed your aggregate reports and confirmed all legitimate sending sources are properly authenticated.
Does DMARC work without SPF and DKIM?
DMARC depends on SPF and/or DKIM to function. A DMARC pass requires at least one of these mechanisms to pass with proper alignment. If neither SPF nor DKIM is configured, all email from your domain will fail DMARC. Set up SPF to authorize your sending servers and DKIM to cryptographically sign messages before implementing DMARC. SPF authenticates the envelope sender; DKIM authenticates the message content -- DMARC ties both together at the From: header level.
How is this DMARC analyzer different from mxtoolbox or dmarcian?
This tool runs directly in your browser using Cloudflare DNS-over-HTTPS — no server-side processing, no data collection, no signup. It provides plain-English analysis of every DMARC tag with specific actionable advice for each one. For organizations managing DMARC at scale with XML report ingestion and trend analytics, dedicated platforms like dmarcian offer additional features beyond what any free single-lookup tool provides.
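The alignment rule from "What is DMARC alignment?" and the dependency described in "Does DMARC work without SPF and DKIM?" can be shown as one evaluation function. This is an added example, not code from the analyzer; the input shape and function names are assumptions, the sample results are constructed, and orgDomain() simply takes the last two labels where a real evaluator would consult the Public Suffix List.

```javascript
// Added example: DMARC pass/fail from SPF and DKIM results plus the alignment modes.
// ASSUMPTION: the organizational domain is the last two labels (wrong for
// suffixes such as co.uk; real evaluators use the Public Suffix List).
function orgDomain(domain) {
  return domain.toLowerCase().split('.').slice(-2).join('.');
}

// mode 's' = strict (exact match), anything else = relaxed (same organizational domain)
function aligned(fromDomain, authDomain, mode) {
  const from = fromDomain.toLowerCase();
  const auth = authDomain.toLowerCase();
  return mode === 's' ? from === auth : orgDomain(from) === orgDomain(auth);
}

// auth = { spf: { result, domain }, dkim: [{ result, domain }, ...] }
// spf.domain is the envelope sender domain, dkim[].domain is the signature's d= value.
function evaluateDmarc(fromDomain, auth, tags = {}) {
  const aspf = tags.aspf || 'r';
  const adkim = tags.adkim || 'r';
  const spfAligned = !!auth.spf && auth.spf.result === 'pass' &&
    aligned(fromDomain, auth.spf.domain, aspf);
  const dkimAligned = (auth.dkim || []).some(
    sig => sig.result === 'pass' && aligned(fromDomain, sig.domain, adkim));
  // One aligned pass is enough; an unaligned pass does not count.
  return { spfAligned, dkimAligned, dmarc: (spfAligned || dkimAligned) ? 'pass' : 'fail' };
}

// Constructed results for mail with From: example.com
const viaSubdomain = { spf: { result: 'pass', domain: 'bounce.example.com' }, dkim: [] };
const viaThirdParty = {
  spf: { result: 'pass', domain: 'mailer.example.net' },
  dkim: [{ result: 'pass', domain: 'example.net' }],
};
console.log(evaluateDmarc('example.com', viaSubdomain));                // relaxed: pass
console.log(evaluateDmarc('example.com', viaSubdomain, { aspf: 's' })); // strict: fail
console.log(evaluateDmarc('example.com', viaThirdParty));               // both pass, neither aligned: fail
console.log(evaluateDmarc('example.com', {}));                          // no SPF or DKIM: fail
```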
