DMARC checker
Check the DMARC policy for any domain
Enter a domain or email address to read its DMARC record at _dmarc, see whether the policy actually enforces (quarantine or reject), and catch gaps like monitor-only mode or missing aggregate reporting.
Check DMARC record
This reads public DNS records. It does not confirm that an individual mailbox exists or can receive mail.
Verify a whole list, not just DNS
DNS records tell you whether a domain is configured for mail. Verifly checks each address for deliverability, disposable domains, role accounts, and catch-all behavior.
Verify a whole list with 100 free creditsWhat is DMARC?
DMARC (Domain-based Message Authentication, Reporting and Conformance) builds on SPF and DKIM. It tells receivers what to do with mail that fails authentication and where to send reports about it.
The policy tag p= can be none (monitor only), quarantine, or reject. Only the last two actively block spoofed mail.
Why monitor-only is not enough
Many domains publish p=none and never move past it. That gives you reports but no protection: attackers can still spoof your domain and reach inboxes.
This checker tells you whether a domain is enforcing, what percentage of mail the policy covers, and whether reporting is even set up.
Reading a DMARC record tag by tag
A DMARC record is a single TXT record at _dmarc.yourdomain starting with v=DMARC1. The tags that decide protection are p= (policy: none, quarantine, or reject), sp= (subdomain policy), and pct= (the percentage of failing mail the policy applies to).
Reporting tags matter too: rua= names the address that receives aggregate reports, and ruf= receives forensic reports. Without an rua, you get enforcement but no visibility into who is sending as your domain.
Alignment: why DMARC needs SPF and DKIM
DMARC does not authenticate mail by itself. It checks that a message passing SPF or DKIM also aligns: the domain those mechanisms validate must match the visible From domain. A message can pass SPF for a bulk sender's domain yet still fail DMARC because that domain does not align with your From address.
This is why fixing DMARC failures almost always means fixing alignment upstream. Confirm your SPF and DKIM records first, then let DMARC tie them to your domain.
Rolling out enforcement safely
The common mistake is jumping straight to p=reject and silently blocking legitimate mail from a forgotten sender. The safe path is staged: start at p=none to collect reports, identify every legitimate source, bring them into alignment, then move to quarantine, and finally reject, optionally ramping pct along the way.
Only quarantine and reject actually stop spoofing; p=none is monitor-only. Publishing a clean, enforcing DMARC record also protects your own sending reputation, which directly affects whether your verified mail lands in the inbox.
Frequently asked questions
What does p=none mean in a DMARC record?
p=none is monitor-only mode. Receivers still send you reports about mail that fails authentication, but they take no action on it, so spoofed messages using your domain can still reach inboxes. It is a starting point for data collection, not real protection.
Is publishing a DMARC record enough to stop spoofing?
Only if the policy enforces. A record with p=quarantine or p=reject tells receivers to filter or block failing mail. A record stuck at p=none gives you visibility but no blocking. You also need aligned SPF or DKIM for legitimate mail to pass.
What is DMARC alignment?
Alignment means the domain validated by SPF or DKIM matches the domain in the visible From address. DMARC requires at least one of them to pass and align. A message can pass raw SPF or DKIM for another domain and still fail DMARC if it does not align with your From domain.
Why should I set an rua reporting address?
The rua tag tells receivers where to send aggregate reports. Without it you enforce blindly and never see which senders, legitimate or not, are using your domain. Those reports are how you find forgotten senders before you tighten the policy.
How do I move to p=reject without breaking mail?
Roll out in stages. Start at p=none and read the reports, identify and align every legitimate sending source, move to p=quarantine and watch for problems, then finish at p=reject. Ramping the pct value lets you apply the policy to a growing share of mail gradually.
Does DMARC affect my email deliverability?
Yes, positively. A correctly enforcing DMARC record signals to mailbox providers that your domain is well managed and harder to spoof, which supports inbox placement for your legitimate mail, including messages you send to verified addresses.
Embed this dmarc checker on your site
Drop this snippet into any page to add a live, self-contained checker. It links back to Verifly, costs nothing, and needs no API key.
<iframe src="https://verifly.email/tools/embed/dmarc-checker" width="100%" height="680" style="border:0;border-radius:12px;max-width:760px" title="DMARC Checker by Verifly" loading="lazy"></iframe> <p style="font:13px sans-serif"> Free <a href="https://verifly.email/tools/dmarc-checker">DMARC Checker</a> by <a href="https://verifly.email">Verifly email verification</a> </p>
Related tools
Verify a whole list, not one address at a time
Create a free Verifly account for 100 credits, then verify in bulk over CSV, the REST API, or the hosted MCP server for AI agents.
Start with 100 free credits