
Introduction:

Domain-based Message Authentication, Reporting and Conformance (DMARC) augments SPF and DKIM by defining how a receiving server should treat mail that fails authentication while giving domain owners aggregate feedback. It links the visible From address with the authenticated envelope and header paths, protecting brands from look-alike phishing attempts.

This tool lets you enter any public-facing domain and immediately retrieves its _dmarc TXT record through a privacy-preserving DNS-over-HTTPS request. A lightweight reactive engine parses each tag, evaluates policy strength, and presents pass / fail checks so you can strengthen enforcement in seconds.

Security teams use the report when onboarding new sending services, rotating infrastructure, or auditing clients’ email posture. *Incomplete policies may cause legitimate mail to land in spam or expose recipients to spoofing attacks.*

Technical Details:

1. Concept Overview

DMARC policies reside in DNS and declare the required alignment between SPF, DKIM and the visible sender. Core tags include v (version), p (policy), pct (sample rate), and rua (aggregate report URI). Recipients combine these directives with local authentication results to decide whether to deliver, quarantine, or reject a message.

2. Lookup & Evaluation Process

  1. Compose FQDN: _dmarc.<domain>.
  2. Query the record via DNS-over-HTTPS.
  3. Concatenate multi-string answers into one TXT payload.
  4. Split on semicolons, building a tag → value map.
  5. Apply compliance rules:
    • v = DMARC1
    • p = none | quarantine | reject
    • pct = 100 or absent
    • rua present for feedback
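
Steps 3 to 5 above, sketched as an added example (not the tool's own code). The input shape, the function names and the result field names are assumptions; it also flags tags missing an = separator and multiple records, which the sections below mention.

```javascript
// Added example (not the tool's code). Each input string mimics the "data"
// field of one TXT answer in a DoH JSON response: quoted character-strings.

// Step 3: concatenate the quoted character-strings of one TXT answer.
function joinTxtStrings(data) {
  const parts = data.match(/"((?:[^"\\]|\\.)*)"/g);
  if (!parts) return data.trim(); // some resolvers return the value unquoted
  return parts.map((p) => p.slice(1, -1).replace(/\\(.)/g, "$1")).join("");
}

// Step 4: split on semicolons into a tag -> value map; keep malformed items.
function parseDmarc(payload) {
  const tags = new Map();
  const malformed = [];
  for (const raw of payload.split(";")) {
    const item = raw.trim();
    if (item === "") continue; // trailing semicolon
    const eq = item.indexOf("=");
    if (eq <= 0) { malformed.push(item); continue; } // no "=" or empty tag name
    const key = item.slice(0, eq).trim().toLowerCase();
    if (!tags.has(key)) tags.set(key, item.slice(eq + 1).trim());
  }
  return { tags, malformed };
}

// Step 5: apply the compliance rules to every TXT answer found at _dmarc.
function checkDmarc(txtAnswers) {
  // Assumption: any answer starting with "v=" is treated as a DMARC candidate.
  const records = txtAnswers.map(joinTxtStrings).filter((r) => /^v\s*=/i.test(r));
  if (records.length === 0) return { error: "no DMARC record" };
  const { tags, malformed } = parseDmarc(records[0]); // only the first is evaluated
  const pct = tags.get("pct");
  return {
    singleRecord: records.length === 1,
    version: tags.get("v") === "DMARC1",
    policy: ["none", "quarantine", "reject"].includes((tags.get("p") || "").toLowerCase()),
    pct: pct === undefined || pct === "100",
    rua: (tags.get("rua") || "") !== "",
    malformed,
  };
}

// Constructed sample: one policy split across two character-strings.
const SAMPLE = ['"v=DMARC1; p=quarantine; " "rua=mailto:d@example.com"'];
console.log(checkDmarc(SAMPLE));
```
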

3. Policy Semantics

| p Tag | Action | Receiver Behaviour |
| --- | --- | --- |
| none | Monitor | No impact on delivery |
| quarantine | Restrict | Deliver to spam or junk |
| reject | Block | Refuse message during SMTP |

Moving from none to quarantine or reject gradually eliminates spoofed mail but demands complete alignment across every authorised sender.

4. Worked Example

Example lookup for example.com:

_dmarc.example.com TXT = "v=DMARC1;p=reject;pct=100;rua=mailto:d@example.com"

The tool marks every checklist item as pass and advises keeping enforcement at reject to maximise protection.

5. Assumptions & Limitations

  • TXT record must not exceed 255 × 255 bytes; large policies are concatenated.
  • Only the first DMARC record is evaluated; multiple records break compliance.
  • DNS-over-HTTPS latency may vary with resolver location.
  • Tool ignores ruf forensic reports for privacy reasons.

6. Edge Cases & Error Sources

  • Transient NXDOMAIN when authoritative nameservers fail.
  • Malformed tags missing = separators.
  • CNAME indirection that hides the _dmarc label.
  • Non-ASCII mailbox in rua URI.

7. Scientific Validity & References

Based on RFC 7489 (DMARC) and RFC 8461 (MTA-STS) interoperability notes, plus industry reports by M3AAWG and the Global Cyber Alliance.

8. Privacy & Compliance

No email content or personal data is processed; only public DNS records are queried, aligning with GDPR recital 26 on publicly available information.

Step-by-Step Guide:

Follow these steps to analyse any domain’s DMARC posture.

  1. Enter the target domain in the Domain field.
  2. Click Validate DMARC and wait for the reactive engine to fetch data.
  3. Review the raw record string for obvious typos.
  4. Read individual tag values in the table to confirm intent.
  5. Use the checklist to spot missing reports or weak policies, then update DNS accordingly.

FAQ:

Is my data stored?

No. The tool fetches only public DNS records and keeps nothing after you close the page.

What if no record appears?

The domain lacks a DMARC policy. Publish one at _dmarc.<domain> to start receiving reports and enforcing authentication.

Does it alter DNS?

No changes are made. You must edit your zone file or hosting dashboard to update the record.

Why use DNS-over-HTTPS?

DoH avoids local resolver caching quirks, ensures integrity, and works even on networks that block traditional port 53 queries.

Is p=none safe?

It is a monitoring mode only. Move to quarantine or reject after reviewing aggregate reports to protect recipients.

Glossary:

DMARC
Email-authentication policy published in DNS.
DoH
DNS-over-HTTPS encrypted query transport.
Aggregate Report
Daily summary of authentication results.
Alignment
Match between header and envelope domains.
Policy Tag
p directive defining receiver action.