{{ error }}
{{ record }}
TagValue
{{ key }} {{ val }}
DMARC Checks
{{ c.label }}
Categories: DNS , Email , Networking , Security
Export to PDF Fullscreen

Domain‑based Message Authentication, Reporting and Conformance (DMARC) helps receiving mail servers decide what to do with messages that claim to come from your domain. It works alongside SPF and DKIM to protect recipients from spoofed emails, reduce phishing risk, and provide feedback loops that highlight configuration problems and support deliverability monitoring.

You use this validator to fetch the TXT record located at _dmarc.<domain> over an encrypted DNS‑over‑HTTPS channel, parse its semicolon‑separated tags, and receive an instant checklist that flags policy gaps. A dual‑column table shows each recommended control, while visual pass indicators help you prioritise fixes during live incidents and post‑deployment audits.

Run the check before every DNS change, export the results for auditors, and share the link with vendors to confirm alignment, but remember that receiving servers may cache outdated records and delay policy enforcement by several hours, which means you should schedule a second validation once the advertised Time To Live expires to verify that corrections propagate globally.

Technical Details:

The single‑page interface binds form controls to application state through a lightweight reactive engine. When you press Validate DMARC, the client queries a public DNS‑over‑HTTPS resolver, measures latency, and analyses the returned TXT payload locally. No credentials are involved; only the domain name travels across the network.

Real‑time Validation

The tool issues an HTTPS GET request, times the response, and updates the result card without reloading the page.

Tag Breakdown

Each semicolon‑delimited tag is split into a key–value pair and displayed in an accessible table for quick scanning.

Compliance Checklist

Six pass/fail rules cover version, policy strength, sampling, and reporting; coloured glyphs highlight gaps that require action.

Shareable URLs

Query parameters encode the domain so you can bookmark or send results without exporting sensitive data.

Accessible Output

Tables include scope headers, icons carry hidden labels, and interactive controls meet keyboard‑only navigation guidelines.

Calculations & Scoring:

The checker converts parsed tags into Boolean evaluations and assigns one point per passing rule. A perfect score is 6/6.

RulePass CriteriaExample
Versionv = DMARC1v=DMARC1
Policy Strengthp is quarantine or rejectp=reject
Samplingpct absent or 100pct=100
Reporting URIrua presentrua=mailto:dmarc@domain.com
Record PresentTXT exists at _dmarc.domainRecord found
SyntaxNo unrecognised tagsAll tags valid

Data Privacy: only the queried domain is transmitted; results are computed entirely in‑browser.

Step‑by‑Step Guide:

Follow these steps to validate a DMARC record.

  1. Enter your base domain in the Domain field (placeholder shows example.com).
  2. Click Validate DMARC; a spinner badge busy appears during lookup.
  3. Review the raw record in the blue answer‑cell card once the request completes.
  4. Inspect each tag in the striped table; copy values as needed.
  5. Scroll to the DMARC Checks table and note any fail icons.
  6. Adjust DNS as required, wait for the TTL, then repeat the test to confirm compliance.

FAQ:

Quick answers to common questions help you troubleshoot without leaving the page.

Is my data stored?

No. The app processes everything in your browser and retains nothing after refresh.

Why do I see “No DMARC record found”?

The domain lacks a TXT record at the required sub‑domain, or DNS propagation is incomplete.

Which resolvers are queried?

The tool contacts a public DNS‑over‑HTTPS endpoint that honours DNSSEC and supports CORS.

Can I test sub‑domains?

Yes. Enter the sub‑domain exactly; the tool prepends _dmarc. automatically.

Do I need API keys?

No authentication is required; HTTPS ensures integrity and confidentiality.

Troubleshooting:

Resolve typical issues quickly using the guidance below.

  • Lookup fails — Check local firewall rules blocking DNS‑over‑HTTPS traffic.
  • Spinner never stops — Ensure the resolver endpoint is reachable over HTTPS.
  • Record shows outdated values — Lower the domain’s TTL before making changes.
  • Non‑ASCII characters in tags — Remove whitespace and confirm UTF‑8 encoding.
  • “Policy restricts” fails unexpectedly — Verify there is no trailing comment after the p tag.

Advanced Tips:

Optimise workflows with these expert techniques.

  • Bookmark a prefilled URL to monitor multiple client domains quickly.
  • Add the validator to a CI job and alert on score changes.
  • Compare live output against your documented policy using a diff viewer.
  • Automate a second check after propagation by reading the TTL value programmatically.
  • Embed the pass/fail SVGs in status dashboards for instant visibility.

Glossary:

Key terms used throughout the validator.

DMARC
Policy that instructs receivers how to handle unauthenticated mail.
SPF
DNS record listing authorised sending hosts.
DKIM
Cryptographic signature added to each outgoing message.
TTL
Time a DNS answer may be cached before re‑query.
DNS‑over‑HTTPS
Protocol that wraps DNS queries inside standard HTTPS requests for privacy.

No credential data is collected. Domain names are transmitted to a third‑party DNS‑over‑HTTPS resolver solely for lookups; results remain client‑side.

Embed this tool into your website using the following code: