DMARC Record Analyzer
Analyze a domain's DMARC policy with warnings and a health score.
About this tool
DMARC builds on SPF and DKIM: it tells receivers what to do with messages that fail authentication (p=none, quarantine or reject) and where to send aggregate (rua) and forensic (ruf) reports. This tool fetches _dmarc.yourdomain.com, parses every tag and scores the policy's strength.
A healthy rollout starts at p=none with rua reporting enabled, reviews the reports to find legitimate senders, then moves to p=quarantine and finally p=reject. Staying on p=none forever leaves your domain spoofable.
Frequently asked questions
What is the difference between p=none, quarantine and reject?
p=none only monitors (mail is delivered normally, you receive reports). p=quarantine asks receivers to put failing mail in spam. p=reject asks them to refuse it outright. Reject is the end goal for spoofing protection.
What are rua and ruf reports?
rua is the address that receives daily aggregate XML reports showing which IPs send mail as your domain and how authentication went. ruf requests per-message forensic reports, which few providers send nowadays. At minimum, always configure rua.
What do adkim and aspf mean?
They set alignment strictness. Relaxed (r, the default) accepts subdomain matches between the From domain and the SPF/DKIM domain; strict (s) requires an exact match. Most domains should keep relaxed unless they have a specific reason.