Free DMARC checker tool: How to use the DMARC record checker

Use Valimail's free DMARC checker to test your email security. Find issues, get non-technical explanations, and protect your domain in seconds.
free DMARC record checker

Check your DMARC record in seconds—no technical expertise is required.

Check your
domain now

Enter your domain to see if it’s vulnerable to spoofing or if others are sending emails on your behalf. Instantly check your DMARC, SPF, and BIMI status with a detailed security report.

You’re not fully protected, learn more here.

Check your
domain now

Enter your domain to see if it’s vulnerable to spoofing or if others are sending emails on your behalf. Instantly check your DMARC, SPF, and BIMI status with a detailed security report.

You’re not fully protected, learn more here.

Check your
domain now

Enter your domain to see if it’s vulnerable to spoofing or if others are sending emails on your behalf. Instantly check your DMARC, SPF, and BIMI status with a detailed security report.

You’re not fully protected, learn more here.

View Full Report

Your Domain

Not protected AGAINST IMPERSONATION ATTACKS

DMARC NOT AT ENFORCEMENT

exampledomain1.com

Authentication Status for January 10, 2025

DMARC at Enforcement

SPF Record Configured

BIMI Ready

exampledomain1.com

Authentication Status for January 10, 2025

DMARC at Enforcement

SPF Record Configured

BIMI Ready

DMARC checker tool

Is your domain vulnerable to email spoofing? Well, if you haven’t set up DMARC, the answer is almost definitely yes. Email authentication seems way more complicated than it needs to be. DMARC records look like someone randomly smashed their keyboard, and those XML reports you’re supposed to get might as well be written in a foreign language.

We get it, and that’s precisely why we built this DMARC checker tool. In seconds, it tells you if your domain has a DMARC record, whether it’s correctly configured, and (most importantly) if it’s protecting you from email impersonation.

Below, we’ll show you exactly how to use our DMARC checker, what the results actually mean for your security, and the specific steps to fix the most common issues.

What our DMARC checker tool actually tells you

When you run a domain through our DMARC checker, you’ll get more than just a “pass” or “fail” result. You’ll receive a complete breakdown of your DMARC status. 

Unlike other DMARC checkers that just regurgitate technical details, ours translates the findings into plain English. Instead of cryptic messages about syntax or alignment, you get practical assessments like “Not protected against impersonation attacks” or “DMARC is not configured.”

Better yet, we explain what each finding means for your security and deliverability. No need to Google obscure DNS terminology or decode DMARC specifications—the tool does the interpretation for you.

Once you’ve reviewed your results, you can download a PDF report or email it to yourself (or your IT team) for later reference. And if the results show problems, don’t worry—the next sections will walk you through exactly how to fix the most common issues.

Here’s what those results actually mean:

Authentication status

The first thing you’ll see is an overall status: either “Protected” or “Not Protected” against impersonation attacks. This cuts through all the technical details and tells you what you really want to know: is your domain secure or not?

your domain not protected - from valimail's dmarc checker

DMARC status

Here’s where you’ll find the specifics about your DMARC implementation:

  • DMARC at enforcement: This is what you want to see. It means your domain has a DMARC policy set to either quarantine or reject suspicious emails.
  • DMARC not at enforcement: This warning appears when either you have no DMARC record at all or your policy is set to p=none, which only monitors without taking action. The tool will tell you exactly what’s missing.
  • DMARC record display: If you have a DMARC record, the tool shows you the actual record it found. This is helpful for verifying what’s published in your DNS.

SPF status

Since SPF is another important part of email authentication, the tool checks this too:

  • SPF record configured: Good news! Your SPF record exists and meets best practices.
  • SPF record misconfigured: This means there’s a problem with your SPF record. The tool identifies specific issues like too many lookups (exceeding the 10 lookup limit) or overly permissive settings.
  • Current SPF record: Just like with DMARC, the tool shows you the actual SPF record it found in your DNS.

Additional checks

The DMARC checker tool also looks for:

  • Lookup limit issues: SPF has a 10-lookup limit, and the tool tells you if you’re exceeding it.
  • Overly permissive settings: The tool flags potentially dangerous configurations.
  • BIMI readiness: For brands wanting to display their logo in email clients.
  • Subdomain protection: Checking if your subdomains are also protected.

How to use the DMARC record checker

Using our DMARC record checker is simple, but knowing what to do with the results? Well, that’ll take a bit more know-how. Here’s the step-by-step process to get the most out of the tool:

1. Run your first DMARC check

  1. Enter your domain name in the search box (just the domain, like “yourdomain.com”—no need for http:// or www)
  2. Click the “Check DMARC” button
  3. Wait a few seconds while our tool queries DNS records and analyzes the results

That’s it for the basics. The tool works instantly, pulling live data from DNS to give you the most up-to-date picture of your email authentication status.

2. Analyze your results

Once the check is complete, take a moment to understand what you’re looking at:

  • If you see “Protected” – Great! Your domain has proper email authentication. But don’t skip the details section, as there might still be opportunities to strengthen your configuration.
  • If you see “Not Protected” – Your domain is vulnerable to email spoofing. Look at the specific criteria that failed to understand what needs fixing.

3. Check these next

  • Review your current DMARC record (if you have one): The tool displays your actual record exactly as it appears in DNS. Check for typos or syntax errors that might be causing problems.
  • Look at your SPF status: Even with DMARC in place, a misconfigured SPF record can undermine your security. Pay attention to lookup limits. Exceeding 10 lookups is a common issue that leads to authentication failures.
  • Check for subdomains: Your main domain might be protected, but what about subdomains? Attackers often target subdomains if they’re not explicitly covered by your DMARC policy.

4. Take action

Depending on what you find, here’s what to do next:

If you have no DMARC record: Create one! The simplest starting point is:

v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com

This at least puts you in monitoring mode, which is the safest way to begin.

reject or quarantine email

If you’re in monitoring mode (p=none): Review your reports for a few weeks to guarantee legitimate email isn’t failing authentication. Then gradually move to enforcement with quarantine or reject policies.

If you have SPF issues: Fix your SPF record to stay under the 10-lookup limit. Consider using an SPF service if you have many email services sending on your behalf.

If the checker identified syntax errors: These need immediate attention. Even small typos can invalidate your entire record.

Tips for using the DMARC checker

  1. Check multiple domains: If your organization manages several domains, run the check on each one. Email security is only as strong as your weakest domain.
  2. Schedule regular checks: Email configurations change over time. Make it a habit to check your domains quarterly or after any significant email service changes.
  3. Save your results: Use the “Download Report as PDF” option to keep a record of your current status. This is useful for compliance documentation or tracking progress over time.
  4. Share with stakeholders: The “Send via Email” feature makes it easy to share results with your team or executives who need to understand your email security posture.

Most common DMARC problems (and how to fix them)

Even the most tech-savvy organizations run into DMARC issues. Don’t worry. You’re not alone. Here are the problems we see most often and simple ways to fix them:

No DMARC record found

What it means: Your domain has zero DMARC protection. Anyone can send emails pretending to be you, and receiving servers have no instructions on what to do about it.

How to fix it: Create a basic DMARC record in your DNS settings:

  1. Log into your DNS provider (GoDaddy, Cloudflare, AWS, etc.)
  2. Create a new TXT record with the host/name “_dmarc”
  3. Set the value to: v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com
  4. Save changes (they may take 24-48 hours to fully propagate)

This creates a monitoring-only policy that won’t affect your email delivery but will start gathering data about who’s using your domain to send email.

DMARC in monitoring mode only (p=none)

What it means: You’ve taken the first step with DMARC, but you’re only watching problems happen without preventing them.

How to fix it: After you’ve monitored for 2-4 weeks and confirmed legitimate email is passing authentication:

  1. Start with a percentage tag: p=quarantine; pct=10
  2. Gradually increase the percentage: p=quarantine; pct=25 → pct=50 → pct=100
  3. Finally move to reject: p=reject; pct=100

This gradual approach minimizes the risk of blocking legitimate email during your transition to enforcement.

Syntax errors in your DMARC record

What it means: Your DMARC record has typos or formatting issues that make it invalid. Common errors include missing semicolons, incorrect tag names, or quotation marks in the wrong places.

How to fix it: Check for these frequent mistakes:

  • Make sure all tags are separated by semicolons
  • Don’t include quotes in your TXT record value (your DNS provider adds these automatically)
  • Verify all tag names are lowercase (v=DMARC1, not V=DMARC1)
  • Double-check the record begins with “v=DMARC1”

When in doubt, use our DMARC checker again after making changes to verify your syntax is correct.

Missing or incorrect reporting addresses

What it means: Without proper reporting addresses in your DMARC record, you won’t receive aggregate (rua) or forensic (ruf) reports about emails using your domain.

How to fix it: Add or correct the reporting tags:

  1. For aggregate reports: rua=mailto:dmarc-reports@yourdomain.com
  2. For forensic failure reports: ruf=mailto:dmarc-forensic@yourdomain.com

Consider using dedicated mailboxes for these reports rather than personal email addresses. The aggregate reports especially can get quite large and numerous.

Too many DNS lookups in your SPF record

What it means: SPF has a 10 DNS lookup limit, but many organizations exceed this without realizing it. When you go over the limit, some receiving servers will fail SPF checks, even for legitimate email.

How to fix it:

  1. Audit your SPF record to count the lookups (each “include:” typically adds at least one)
  2. Consolidate services where possible
  3. Consider using an SPF flattening service to compress multiple lookups into one

In Valimail’s case, we solve this with a single include statement that dynamically handles all your authorized services without breaking the lookup limit.

Not protecting subdomains

What it means: Your main domain might be protected, but attackers can still spoof your subdomains (like marketing.yourdomain.com) if they’re not explicitly covered by your DMARC policy.

How to fix it: Add the subdomain policy tag to your record:

v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc-reports@yourdomain.com

The “sp=reject” tells receiving servers to apply the same strict policy to all your subdomains.

Email authentication alignment issues

What it means: Even with SPF and DKIM in place, emails can fail DMARC if there’s an alignment issue, like when the “From” header domain doesn’t match the domains authenticated by SPF or DKIM.

How to fix it: Check your alignment settings:

  1. For relaxed alignment (recommended for most): adkim=r; aspf=r
  2. For strict alignment (more secure but may cause more failures): adkim=s; aspf=s
Proper and improper DMARC alignment

Relaxed alignment allows subdomains to match, while strict requires exact domain matches.

Frequently asked questions

Q: How often should I check my DMARC record?

A: Run a check at least quarterly, after making any changes to your email services, and whenever your organization undergoes mergers or acquisitions. Email configurations drift over time, so regular checks help catch issues before they affect deliverability.

Q: Will the DMARC checker show me if someone is spoofing my domain?

A: No, the checker only verifies your DMARC configuration. To see actual spoofing attempts, you need to implement DMARC with proper reporting addresses and analyze the reports you receive. Our full DMARC monitoring service handles this analysis for you.

Q: My domain passed the check, but we’re still having deliverability issues. Why?

A: The checker confirms your DMARC record exists and is valid, but email deliverability depends on tons of other factors: sender reputation, content filtering, and recipient server policies.

Q: Can I check multiple domains at once?

A: Our free checker tool handles one domain at a time. If you need to check multiple domains regularly, consider our DMARC monitoring service which can track unlimited domains through a single dashboard.

Q: Does the DMARC checker work for international domains and IDNs?

A: Yes, our checker works with standard domains, international domains, and Internationalized Domain Names (IDNs). For IDNs, we automatically convert to punycode for proper DNS lookups.

Q: I made changes to my DMARC record, but the checker still shows the old record. What’s happening?

A: DNS changes typically take anywhere from minutes to 48 hours to propagate globally. If you’ve recently updated your record, try checking again later. Our tool always pulls live DNS data, so once propagation is complete, you’ll see your new record.

Q: What’s the difference between this checker and a full DMARC monitoring service?

A: The checker gives you a point-in-time snapshot of your DMARC configuration. A full monitoring service continuously tracks your authentication, analyzes incoming DMARC reports, identifies legitimate vs. suspicious senders, and helps maintain proper enforcement.

Secure your email in seconds

Email authentication might seem complicated, but checking your DMARC status doesn’t have to be. Our free DMARC checker gives you an instant snapshot of your domain’s protection level and identifies exactly what needs fixing.

Still, knowing there’s a problem is just the first step. The real work comes in implementing and maintaining a proper DMARC setup, and this becomes super tricky if you’re managing multiple domains or working with numerous third-party senders. Plus:

  • DMARC reports aren’t exactly light-reading
  • DNS changes are easy to get wrong
  • SPF has technical limitations that frustrate even experienced IT teams
  • Third-party services constantly change their sending infrastructure

Don’t want to do this alone (or manually)? Lucky for you, there’s Valimail.

Valimail’s automated DMARC solution handles all the technical work for you. Our platform continuously monitors your email authentication, automatically identifies all your legitimate senders, and maintains your DMARC at enforcement without the constant manual adjustments that drive most IT teams crazy.

Take thirty seconds to check your domain with our free DMARC checker. If you discover issues (or just want to hand this whole email authentication thing off to experts), we’re here to help.

Get started for free
with Monitor

Start your path to DMARC enforcement with a panoramic view of the traffic being sent on your behalf.
No trial offers, credit cards, or obligations.

Explore all Valimail
has to offer

Go one step further than visibility…Take action! Reach DMARC enforcement faster. Stay compliant with evolving sender requirements. All while protecting your brand.