trace·warrior
  • Tools
  • Monitoring
  • Pricing
  • Resources
  • About
Sign inGet started
trace·warrior

Network diagnostics for IT professionals. Built for speed, accuracy, and the long tail of the Friday afternoon outage.

ALL SYSTEMS NOMINAL
Tools
  • DNS Lookup
  • Ping Test
  • Port Checker
  • WHOIS
  • See all
Product
  • Monitors
  • Pricing
  • How-to guides
  • Compare
Resources
  • Blog
  • API docs
  • Tool index
  • Contact
Company
  • About
  • Privacy
  • Terms
  • Cookie policy
© 2026 Trace Warrior · made for engineers, by engineersnetwork forensics, quietly
/
/
tools/dns & domain/dmarc-checker
DNS & Domain

DMARC Checker

Free DMARC record checker. Fetches a domain's DMARC policy with organizational-domain fallback, exactly like receiving mail servers, and explains every tag in plain language. Grades the policy (none, quarantine, reject), flags partial pct rollouts, weaker subdomain policies, missing aggregate reports, and duplicate tags, and verifies external report destinations' authorization records, the silent failure that makes reports vanish. Runs from our London probe. Google and Yahoo now require DMARC from bulk senders.

What DMARC does and how the policy is read

DMARC (Domain-based Message Authentication, Reporting and Conformance) ties SPF and DKIM together and tells receivers what to do when a message fails both. It is a single TXT record at _dmarc.example.com starting with v=DMARC1, and its core is the p= tag: none (monitor only), quarantine (send to spam), or reject (block outright). DMARC also requires alignment: the visible From domain must match the domain that passed SPF or DKIM, which is what actually stops look-alike spoofing. If a domain has no DMARC record, receivers fall back to the organizational domain, and this checker follows that same lookup.

The tags people misread, and reports that vanish

A policy of p=reject looks strong but can be undercut by a pct tag that applies it to only a fraction of mail, or a weaker sp subdomain policy that leaves subdomains open to spoofing. The other frequent trap is aggregate reporting: the rua address only receives reports if the destination domain publishes an authorization record naming yours. Miss that and reports silently never arrive. This checker grades the policy, flags partial rollouts and weak subdomain policies, and verifies external report authorization, the failure that makes DMARC data disappear without any error.

Enforcement is no longer optional for bulk senders. Google and Yahoo now require a DMARC record from high-volume senders, so a domain still on p=none is exposed both to spoofing and to filtering by those providers.

Frequently asked questions

What is a DMARC record?

DMARC is a DNS TXT record at _dmarc.yourdomain that builds on SPF and DKIM. It tells receiving servers how to handle mail that fails authentication and where to send reports about it.

What is the difference between p=none, quarantine, and reject?

The p tag sets the policy. none monitors without acting, quarantine tells receivers to route failing mail to spam, and reject tells them to block it. Most domains start at none to gather reports, then tighten to quarantine and reject.

What is DMARC alignment?

Alignment requires the From domain a recipient sees to match the domain that passed SPF or DKIM. Without alignment, a message can pass SPF or DKIM for an unrelated domain and still be spoofing yours, which alignment prevents.

Why am I not receiving DMARC reports?

If your rua address is on a different domain than the one being reported on, that domain must publish an authorization record confirming it accepts your reports. Missing that record makes aggregate reports silently fail to arrive.

Related tools

  • SPF Checker →
  • DKIM Checker →
  • MX Lookup →
  • Deliverability Test →