DMARC Record Checker
Paste a DMARC TXT record value (v=DMARC1; p=; rua=; …). Tag-by-tag validation against RFC 7489: p= policy (none/quarantine/reject), sp= subdomain policy, adkim/aspf alignment (r/s), pct= percentage, rua= aggregate report URIs, ruf= forensic URIs, ri= report interval, fo= forensic options, rf= forensic format. Weighted 0-100 score with policy-strength + reporting bonus. 100% offline.
What is the DMARC Record Checker?
DMARC Record Checker parses a DMARC TXT record value and validates every tag against RFC 7489. Required: v= (must be DMARC1), p= (policy: none / quarantine / reject). Optional but checked: sp= (subdomain policy, defaults to p=), adkim= and aspf= (DKIM/SPF alignment, r=relaxed default or s=strict), pct= (percentage of failing mail subject to policy, 0-100), rua= (aggregate report URIs, comma-separated, must be mailto: or https:), ruf= (forensic report URIs), ri= (report interval in seconds, default 86400 = 1 day), fo= (forensic options: 0/1/d/s), rf= (forensic format, default afrf). The 0-100 score is weighted: policy strength carries the most weight (p=reject 35, quarantine 25, none 5), reporting is rewarded (rua 15, ruf 5), alignment strictness adds bonuses, pct=100 adds 10 for fully-enforced policies. A score above 90 is excellent, 70-90 is strong, 50-70 moderate, 25-50 weak, below 25 missing.
How to use it
- Look up your DMARC: `dig txt _dmarc.example.com`.
- Paste the value (between quotes optional).
- Read the headline score and policy.
- Use Findings for actionable warnings — `p=none` means monitor-only, no rua= means no insight, etc.
- Inspect the parsed tag detail panel.
Benefits
- Every RFC 7489 tag validated.
- 0-100 score weighted across policy + reporting + alignment.
- Policy strength explicitly explained — none (monitor), quarantine (spam), reject (bounce).
- Subdomain policy (sp=) tracked separately from primary policy.
- rua= and ruf= URI scheme validation (must be mailto: or https:).
- pct= warned when used with non-none policies (only used during rollout).
- Strictness bonus for adkim=s and aspf=s.
- Settings persist in localStorage.
- Runs 100% in your browser — no DNS lookups, no third-party services.
Frequently asked questions
What policy should I start with?
`p=none` is the recommended start — monitor-only. Set up `rua=mailto:...` to receive aggregate reports, watch for failures over 30 days, then move to `p=quarantine` then `p=reject` once your auth is clean.
What's the difference between p=quarantine and p=reject?
quarantine = failing mail goes to spam (low effort for the receiver, recoverable for the sender). reject = bounce at SMTP — failing mail never arrives. reject is the strongest stance once you trust your alignment.
What's pct= for?
Apply the policy to only N% of failing mail. Useful during rollout: `p=quarantine; pct=10` quarantines just 10% of failures, letting you watch the impact before committing.
Should I use adkim=s / aspf=s?
Strict alignment requires exact domain match (no subdomain wiggle room). Use strict if your mail always sends from a specific domain; use relaxed (default) if you send from subdomains too.
Where should rua= reports go?
A monitored mailbox or a DMARC report processing service (some are free, others paid). Reports are XML zipped; processing manually is feasible at low volume.
Why is rua= so important?
Without rua= you have no visibility into what's failing DMARC. With it, you get a daily XML report from each receiver listing every IP that sent mail claiming your domain — invaluable for detecting spoofing.
What's the difference between rua= and ruf=?
rua= = aggregate reports (daily, statistical, sent by all receivers). ruf= = forensic reports (per-message, sent by very few receivers, often disabled due to PII concerns). For most domains rua is enough.
Why no ri= warning at 1 hour?
ri= sets the aggregate report interval but receivers commonly ignore it — Gmail sends daily regardless. Setting it lower doesn't get you faster reports; setting it higher means you might miss daily granularity.
Can I use multiple rua= addresses?
Yes — comma-separated. Most receivers cap at 2 addresses, beyond that they may pick one.
Are my pastes saved?
Yes — the input persists in localStorage under `toollyz:dmarc-input`.
Is anything uploaded?
No. Parsing runs entirely in your browser.
Related tools
See all developer toolsDKIM Record Checker
Paste DKIM TXT — validate tags, RSA key length, allowed hashes + service types.
SPF Record Checker
Parse RFC 7208 SPF records — qualifiers, mechanisms, 10-lookup limit.
Email Header Analyzer
Parse raw email headers — SPF, DKIM, DMARC + hop chain timing.
Email Signature Generator
Table-based HTML with inline styles, rich-paste for Gmail / Outlook.