Domain-based Message Authentication (DMARC) Report

Tag	Value	Copy
{{ key }}

Check	Status	Copy
{{ c.label }}	Pass Fail

Email authentication policy records describe how a domain asks receivers to treat messages that pass or fail identity checks. They help reduce spoofing and build trust with recipients.

Enter a domain and run a quick lookup so you can read the policy tags and see a simple score. The result highlights reporting addresses and enforcement stance in one place.

For a practical example, a configuration that rejects failures and uses strict alignment on both identifiers will rate highly and signals a preference for strong protection.

Treat the score as a snapshot of configuration rather than deliverability, and recheck after edits propagate. Use consistent input and repeat checks so cache windows do not mislead.

Technical Details:

Domain‑based Message Authentication, Reporting, and Conformance (DMARC) policies are published as DNS TXT records under _dmarc.<domain>. The policy defines an enforcement action for authentication failures, alignment modes for identifiers, reporting endpoints for aggregated and failure data, and related options.

This tool queries the policy record, parses tag–value pairs, and evaluates a set of compliance checks. The score expresses the fraction of checks that pass, converted to a percentage, so higher values indicate closer adherence to a strict protection posture.

Results focus on policy presence and intent. A policy passes the enforcement check only when p=quarantine or p=reject. Partial rollout via pct passes only when the tag is absent or set to 100. Strict alignment requires adkim=s and aspf=s. Subdomain coverage is recognized when sp is present. Failure options (fo) and aggregate reporting (rua) are expected; failure reporting (ruf) is treated as optional and does not block the score.

Comparisons are most meaningful for the same domain over time. Scores can vary during DNS propagation; use the displayed time to resolve and time‑to‑live to judge freshness.

\begin{array}{lcl} S & = & round (\frac{P}{N} \cdot 100) \end{array}

Symbols and units used in formulas and outputs
Symbol	Meaning	Unit/Datatype	Source
S	Compliance score	%	Derived
P	Number of passing checks	integer	Derived
N	Total checks evaluated	integer	Derived
T	Record time‑to‑live	s	DNS answer
Δt	Lookup time	ms	Measured

Worked example. Record: v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.com; adkim=s; aspf=s; sp=reject; fo=1.

\begin{array}{l} P & = & 11 \\ N & = & 11 \\ S & = & round (\frac{11}{11} \times 100) = 100 % \end{array}

Interpretation: all checks pass, indicating a fully strict, reject‑based policy with reporting configured.

Validation rules and error messages
Field	Type	Min	Max	Step/Pattern	Error Text	Placeholder
Domain	string	2 labels	253 chars	`^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$` per label; letters, digits, hyphens	Please enter a valid domain (e.g., example.com).	example.com

I/O and networking behavior
Input	Accepted Families	Output	Encoding/Precision	Rounding
Domain name	ASCII labels; punycode form allowed	Tags, checks, score, TTL, lookup time	Percent integers; times in ms; TTL in s	Score rounded to nearest integer

Networking & storage. A single DNS‑over‑HTTPS request is issued from the browser to a public resolver endpoint with header Accept: application/dns-json. No cookies or local storage are used.

Security considerations. Domain input is constrained to common label syntax. Report URIs are linkified only for mailto:, http:, and https:; other schemes are shown as plain text. JSON rendering is read‑only.

Assumptions & limitations

One policy record is expected; multiple TXT records may confuse interpretation.
Heads‑up Subdomain policy passes only when sp is explicitly set.
Partial rollout via pct below 100 is treated as non‑compliant.
Alignment requires strict modes; relaxed values do not pass the checks.
ruf is optional and does not reduce the score.
URI parsing recognizes only mailto, http, and https.
Results depend on resolver answers and TTL; caches can delay updates.
Internationalized domains must be entered in punycode form.

Edge cases & error sources

Leading/trailing spaces in input.
Uppercase labels pass pattern but may differ from canonical casing.
Single‑label hostnames are rejected.
Labels longer than 63 characters.
Records split across multiple strings with unusual quoting.
Missing v tag or wrong version token.
Network errors or blocked DNS‑over‑HTTPS endpoint.
Stale caches masking recent DNS changes.
Mixed or unsupported URI schemes in rua/ruf.
Score inflation if non‑policy checks were added without rebalancing.

Privacy & compliance. Requests are performed by your browser against a public DNS resolver; the site does not store input or results.

Step‑by‑Step Guide:

Policy assessment reads a domain’s record and summarizes enforcement and reporting.

Enter the domain you want to check.
Select Validate DMARC to run a DNS query.
Review the summary score and key tags.
Scan individual checks to see which expectations pass.
Open the JSON view to capture a structured snapshot.
Use TTL to decide when to recheck after policy edits.

Example. Checking example.com returns a policy with p=reject, adkim=s, aspf=s, and a score near 100%.

You now have a concise readout of protection settings for quick remediation.

FAQ:

Is my data stored?

No. The check happens in your browser and the DNS request goes to a public resolver. Nothing is kept by the site.

Network access is required to fetch DNS answers.

How accurate is the score?

It mirrors the defined checks. Scores can shift while DNS changes propagate; use TTL as a freshness cue.

Higher values indicate stricter enforcement per these checks.

Which units are used?

Score is a percent, lookup time is in milliseconds, and TTL is in seconds.

Numbers are rounded to whole units for readability.

Can I use it offline?

No. A live DNS response is required to read the policy record.

Recheck after edits to confirm propagation.

How do I find my policy record?

Publish and query the TXT record at the _dmarc subdomain of your domain.

Ensure only one policy record is active.

What does a borderline result mean?

It usually means some expectations failed, such as partial rollout or relaxed alignment. Tighten settings to raise the score.

Focus on enforcement, alignment, and reporting.

Is there any cost or license notice?

No pricing or license terms are surfaced here. Use the results as a configuration aid.

Policies remain under your domain’s control.

Troubleshooting:

No record found. Verify the TXT exists at the _dmarc name and wait for propagation.
Invalid domain. Use a hostname with at least two labels, letters, digits, and hyphens only.
Slow lookups. Try again; network latency can vary. Watch the lookup time indicator.
Score lower than expected. Ensure p is quarantine or reject and pct is 100.
Subdomains not covered. Add an explicit sp tag for consistent behavior.
Reports missing. Confirm rua contains valid mailto addresses.
Alignment failing. Set adkim=s and aspf=s for strict alignment.

If the resolver endpoint is blocked by a firewall, the lookup will fail. Try another network.

Advanced Tips:

Tip Use the score to track policy hardening over time after each change window.

Tip Keep rua mailboxes monitored so alignment drift is noticed early.

Tip Prefer a single policy record to avoid ambiguous DNS answers.

Tip Raise enforcement gradually only if your reports confirm readiness, then return to full coverage.

Tip Treat pct below 100 as temporary; aim for full application once sources are aligned.

Tip Document intended values for p, sp, adkim, aspf, and fo to keep teams aligned.

Glossary:

DMARC: Domain‑based Message Authentication, Reporting, and Conformance policy.
p: Policy action for failures: none, quarantine, or reject.
sp: Policy applied to subdomains of the organizational domain.
adkim / aspf: Alignment modes for DKIM and SPF identifiers; s means strict.
rua / ruf: Aggregate and failure report URIs, commonly using mailto:.
pct: Percentage of messages to which the policy applies.
fo: Failure reporting options that control when failure reports are generated.
TTL: Time‑to‑live in seconds; controls caching of the DNS record.