CYRUSX
Security · April 11, 2026

How to Check DMARC Records: A Practical Guide for Email Security

DMARC tells receiving mail servers what to do with messages that fail SPF and DKIM checks. Here's how to read your DMARC record, diagnose misconfigurations, and fix them before they affect your mail delivery.

DMARC (Domain-based Message Authentication, Reporting & Conformance) is the layer of email security that actually enforces your SPF and DKIM configuration. Without it, a domain that passes SPF and DKIM still has no policy telling receiving servers what to do with messages that fail those checks. Attackers know this.

Here's how to check a domain's DMARC configuration, what each field means, and the common misconfigurations that leave domains exposed.

What a DMARC Record Looks Like

DMARC is published as a DNS TXT record at _dmarc.yourdomain.com. A properly configured record looks like this:

v=DMARC1; p=reject; rua=mailto:[email protected]; ruf=mailto:[email protected]; pct=100; adkim=s; aspf=s;

Each tag is a policy directive. Let's break them down.

How to Check a DMARC Record

Option 1: DNS Lookup Tool

Use the CyrusX DNS Lookup tool to query TXT records for _dmarc.yourdomain.com. The tool automatically checks for and displays the DMARC record alongside SPF and DKIM results in one lookup.

Option 2: Command Line

dig TXT _dmarc.yourdomain.com +short
# or on Windows:
nslookup -type=TXT _dmarc.yourdomain.com

If you get no result, the domain has no DMARC record published.

Reading the DMARC Record Fields

v=DMARC1

Required. Must be the first tag. Identifies this as a DMARC record.

p= — Policy (the most important tag)

This is the action receiving servers take when a message fails DMARC alignment:

  • p=none — Monitor only. No action taken on failing messages. Use this when you're starting out and need visibility before enforcement. Useless for actual protection.
  • p=quarantine — Failing messages go to the spam/junk folder. A step toward enforcement — better than none, but still allows some delivery.
  • p=reject — Failing messages are rejected outright at the server level. The strongest protection. This is the target for any domain serious about preventing spoofing.

A domain sitting at p=none permanently is still vulnerable to spoofing impersonation. If you're only monitoring, set a calendar reminder to move to p=quarantine within 60 days and p=reject within 90 days once you've validated your mail flows.

rua= — Aggregate Report Destination

Where daily aggregate DMARC reports are sent. These XML reports summarize which sources sent mail on behalf of your domain and whether it passed or failed authentication. Critical for understanding your mail flow before moving to enforcement.

Format: rua=mailto:[email protected]

ruf= — Forensic Report Destination

Where per-message forensic reports are sent. These are redacted samples of failing messages. Useful for investigating spoofing attempts, but many major providers don't send ruf reports due to privacy concerns.

pct= — Percentage

What percentage of failing messages the policy applies to. pct=100 applies the policy to all failing messages. Lower values (like pct=10) apply enforcement to only that percentage — useful during a graduated rollout to quarantine before committing to full enforcement.

adkim= — DKIM Alignment Mode

  • r (relaxed, default): The signing domain can be a subdomain of the From domain
  • s (strict): The signing domain must exactly match the From domain

aspf= — SPF Alignment Mode

Same relaxed/strict options as adkim, applied to SPF alignment.

sp= — Subdomain Policy

The policy to apply to subdomains. If not specified, the parent domain policy applies. Use sp=reject to explicitly cover subdomains.

Common DMARC Misconfigurations

No DMARC record at all
The domain is completely unprotected against spoofing impersonation. Anyone can send email appearing to come from @yourdomain.com and it will be delivered normally. High-value target for phishing campaigns.

Check: No result from a _dmarc.yourdomain.com TXT query.

Stuck at p=none with no plan to move to enforcement
The most common long-term failure. p=none was intended as a temporary monitoring phase. Organizations deploy it, forget about it, and their domain stays open to spoofing indefinitely.

Fix: Review aggregate reports for 30–60 days, identify all legitimate mail sources, add missing sources to your SPF record or ensure they sign with DKIM, then move to p=quarantine.

SPF or DKIM not properly configured
DMARC enforcement is only meaningful if the underlying authentication passes. A p=reject record with a broken SPF configuration means your own legitimate email gets rejected.

Check: Use a DNS Lookup to verify your SPF record lists all mail senders. Use the Email Header Analyzer to inspect a delivered message and confirm SPF and DKIM pass.

Missing rua= aggregate reports
Without aggregate reports, you have no visibility into your mail flow. You're flying blind when you move to enforcement.

Fix: Add a valid rua= address and process the reports — either manually, or through a DMARC reporting service.

Subdomain policy not addressed
If you have subdomains that can send mail, make sure each one has an appropriate DMARC policy or is covered by sp= on the parent record.

How to Fix a DMARC Configuration

  1. Start with p=none; rua=mailto:[email protected] — get visibility into your actual mail flow
  2. Review aggregate reports for 30–60 days. Look for: your mail servers, email service providers (SendGrid, Mailchimp, etc.), and any unexpected sources
  3. Ensure all legitimate senders are in your SPF record and/or sign with DKIM
  4. Move to p=quarantine; pct=10 — apply enforcement to a small percentage first
  5. Increase pct gradually (10 → 25 → 50 → 100) over 2–4 weeks while monitoring reports
  6. Move to p=reject; pct=100 — full enforcement, all failing messages rejected
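The record parsing, the misconfiguration checks and the rollout ladder above can be turned into a small linter. The script below is an added example and is not CyrusX tooling: it takes the raw TXT record text (in practice the output of the dig command shown earlier; here a few constructed sample records so it runs offline), reports the misconfigurations listed in the previous section, and computes the next step of the graduated rollout. The tag set, the treatment of a missing p= tag, and the pct ladder (10, 25, 50, 100) follow RFC 7489 and the procedure above; the sample addresses and domains are invented.

```python
"""Lint a DMARC TXT record and suggest the next rollout step (added example)."""

# Tags a DMARC record may carry (RFC 7489 section 6.3); anything else is ignored by receivers.
KNOWN_TAGS = {"v", "p", "sp", "rua", "ruf", "pct", "adkim", "aspf", "fo", "rf", "ri"}

# Rollout ladder from the fix procedure: p=none -> p=quarantine at rising pct -> p=reject.
PCT_LADDER = [10, 25, 50, 100]


def parse_dmarc(txt):
    """Split 'v=DMARC1; p=reject; ...' into {tag: value}; None if it is not a DMARC record."""
    tags = {}
    for part in txt.strip().strip('"').split(";"):
        part = part.strip()
        if not part:                      # tolerate the trailing ';'
            continue
        if "=" not in part:
            return None
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    # v=DMARC1 must be the first tag, otherwise receivers discard the record.
    if not tags or next(iter(tags)) != "v" or tags["v"].upper() != "DMARC1":
        return None
    return tags


def _pct(tags):
    """Effective pct= value; default is 100 when the tag is absent or malformed."""
    raw = tags.get("pct", "100")
    return int(raw) if raw.isdigit() else 100


def lint_dmarc(txt):
    """Return a list of findings (empty list means nothing to fix). txt is None when no TXT record exists."""
    if txt is None:
        return ["no DMARC record published: domain can be spoofed freely"]
    tags = parse_dmarc(txt)
    if tags is None:
        return ["record is not valid DMARC (v=DMARC1 must be the first tag)"]
    findings = []
    policy = tags.get("p")
    if policy is None:
        findings.append("missing p= tag: receivers treat this as p=none at best")
    elif policy == "none":
        findings.append("p=none is monitor-only: no protection until quarantine/reject")
    elif policy == "quarantine":
        findings.append("p=quarantine still lets failing mail reach junk folders; target is p=reject")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports, no visibility into mail flow")
    elif not tags["rua"].lower().startswith("mailto:"):
        findings.append("rua= must be a mailto: URI")
    if _pct(tags) < 100:
        findings.append(f"pct={tags['pct']}: policy applies to only part of failing mail")
    if "sp" not in tags:
        findings.append("no sp= tag: subdomains inherit p=, confirm that is intended")
    for tag in tags:
        if tag not in KNOWN_TAGS:
            findings.append(f"unknown tag {tag}= will be ignored by receivers")
    return findings


def next_rollout_step(txt):
    """Return the (p, pct) pair to move to next, or None when already at p=reject."""
    tags = parse_dmarc(txt) if txt else None
    if tags is None:
        return ("none", 100)              # step 1: start monitoring
    policy = tags.get("p", "none")
    if policy == "none":
        return ("quarantine", 10)         # step 4: enforce on a small percentage
    if policy == "quarantine":
        for step in PCT_LADDER:
            if step > _pct(tags):
                return ("quarantine", step)   # step 5: raise pct gradually
        return ("reject", 100)            # step 6: full enforcement
    return None


# Constructed sample records (not data from any real domain's DNS).
SAMPLES = {
    "good": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; pct=100; adkim=s; aspf=s; sp=reject;",
    "monitor_only": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "partial": "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example.com",
    "no_reports": "v=DMARC1; p=reject",
    "missing": None,
}

if __name__ == "__main__":
    for name, record in SAMPLES.items():
        print(f"[{name}] {record!r}")
        for finding in lint_dmarc(record) or ["ok"]:
            print("   -", finding)
        print("   next step:", next_rollout_step(record))
```

Feed it the `+short` output of dig (strip the surrounding quotes or let the parser do it) and read the findings top to bottom: the first two policy findings decide whether the domain is protected at all, the rest decide whether you can safely move up the ladder.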

What DMARC Alignment Actually Means

DMARC doesn't just check if SPF and DKIM pass — it checks if they align. The domain in the From: header that the user sees must match the domain used in the underlying authentication:

  • SPF alignment: The domain in the SMTP MAIL FROM envelope must match the From header domain
  • DKIM alignment: The d= domain in the DKIM signature must match the From header domain

This prevents a spoofing technique where an attacker sets up a domain they control, passes SPF and DKIM for that domain, then sets the visible From address to your domain. Without alignment enforcement, that attack works. With DMARC alignment, it doesn't.
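The alignment rules above, worked through in code as an added example (not part of the original article): the function takes the three domains DMARC compares, the SPF and DKIM verification results, and the adkim=/aspf= modes from the record, and returns whether each mechanism is aligned and whether the message passes DMARC overall. The organizational-domain step is an assumed simplification: real receivers consult the Public Suffix List, while this code treats the last two labels as the organizational domain (right for example.com, wrong for domains under co.uk and similar suffixes). The message cases are constructed; the last one is the attack described in the paragraph above.

```python
"""DMARC identifier alignment evaluation for one message (added example)."""


def organizational_domain(domain):
    """Assumed simplification of RFC 7489 organizational-domain derivation (no Public Suffix List)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain, auth_domain, mode):
    """Strict ('s'): exact match. Relaxed ('r'): same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(auth_domain)


def dmarc_result(from_domain, spf_domain, spf_pass, dkim_domain, dkim_pass, adkim="r", aspf="r"):
    """Per-mechanism alignment plus the overall verdict.

    from_domain: domain of the visible From: header.
    spf_domain:  SMTP MAIL FROM (envelope) domain that SPF was evaluated for.
    dkim_domain: d= tag of a DKIM signature that verified.
    DMARC passes when at least one mechanism both passed and is aligned.
    """
    spf_aligned = bool(spf_pass) and aligned(from_domain, spf_domain, aspf)
    dkim_aligned = bool(dkim_pass) and aligned(from_domain, dkim_domain, adkim)
    return {
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "dmarc_pass": spf_aligned or dkim_aligned,
    }


# Constructed message cases; domains are placeholders, not real senders.
CASES = {
    # Mail sent directly by the domain's own servers.
    "legit_direct": dict(from_domain="yourdomain.com", spf_domain="yourdomain.com", spf_pass=True,
                         dkim_domain="yourdomain.com", dkim_pass=True),
    # Mail sent via a provider that authenticates under subdomains of yours.
    "legit_subdomain": dict(from_domain="yourdomain.com", spf_domain="bounce.yourdomain.com", spf_pass=True,
                            dkim_domain="mail.yourdomain.com", dkim_pass=True),
    # The spoofing technique from the text: SPF and DKIM pass for a domain the
    # sender controls, but the visible From: is yourdomain.com.
    "spoof_other_domain": dict(from_domain="yourdomain.com", spf_domain="attacker-controlled.example",
                               spf_pass=True, dkim_domain="attacker-controlled.example", dkim_pass=True),
}

if __name__ == "__main__":
    for name, msg in CASES.items():
        print(name, "relaxed:", dmarc_result(**msg), "strict:", dmarc_result(**msg, adkim="s", aspf="s"))
```

Note the second case: with the default relaxed modes it passes, but under the adkim=s; aspf=s record shown at the top of the article it fails, because neither bounce.yourdomain.com nor mail.yourdomain.com exactly matches the From domain. That is why strict alignment needs to be checked against the aggregate reports before you switch it on.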

Quick Reference

| Record | Purpose | Check At |
|--------|---------|----------|
| SPF | Which servers may send for your domain | yourdomain.com TXT |
| DKIM | Message integrity & sender authentication | selector._domainkey.yourdomain.com TXT |
| DMARC | Policy enforcement + reporting | _dmarc.yourdomain.com TXT |

Use the CyrusX DNS Lookup to check all three in a single query — enter your domain, query TXT records, and scroll through the results for SPF, DMARC, and any visible DKIM selectors.