DMARC Check
free /v1/security/dmarc
Retrieves and validates DMARC (Domain-based Message Authentication, Reporting, and Conformance, RFC 7489) records. Analyzes policy enforcement level (none/quarantine/reject), subdomain policy, SPF and DKIM alignment mode (strict/relaxed), percentage rollout, reporting configuration (aggregate rua and forensic ruf destinations), and external destination verification requirements (RFC 7489 §7.1). Detects multiple DMARC records (invalid per spec) and flags forensic reporting privacy concerns.
What It Does
Queries the _dmarc.<domain> TXT record, validates only one DMARC record exists (multiple records are invalid), parses all DMARC tags (v, p, sp, pct, rua, ruf, adkim, aspf, ri, fo), validates syntax, and evaluates the effective security posture. Identifies policy gaps such as p=none without monitoring, missing aggregate reporting, lax alignment when strict is recommended, subdomain policy inconsistencies, and external report destinations requiring verification records (RFC 7489 §7.1). Warns about forensic report (ruf) privacy implications. Returns a security score, letter grade, and a human-readable policy description.
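The parsing and checks described above, sketched offline as an added example; this is not the endpoint's own implementation. The function names `parse_tags` and `evaluate`, the finding wording, the constructed sample record, and the suffix match used in place of an organizational-domain lookup are all assumptions.

```python
import re

# Defaults for absent tags: pct and ri as listed in the response fields, alignment relaxed.
DEFAULTS = {"pct": "100", "adkim": "r", "aspf": "r", "ri": "86400"}
POLICIES = {"none", "quarantine", "reject"}
# Constructed sample record, not taken from any real domain.
SAMPLE = ["v=DMARC1; p=none; sp=quarantine; "
          "rua=mailto:agg@reports.example.net; ruf=mailto:fail@example.com"]

def parse_tags(record):
    """Split 'v=DMARC1; p=none; ...' into {tag: value}."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip().lower()] = value.strip()
    return tags

def evaluate(domain, txt_records):
    """Return (tags, findings) for TXT strings read from _dmarc.<domain>."""
    dmarc = [r for r in txt_records if re.match(r"\s*v\s*=\s*DMARC1\s*(;|$)", r)]
    if not dmarc:
        return None, ["no DMARC record found"]
    if len(dmarc) > 1:
        return None, ["multiple DMARC records (invalid per spec)"]
    tags = {**DEFAULTS, **parse_tags(dmarc[0])}
    if tags.get("p") not in POLICIES:
        return tags, ["missing or invalid p= tag"]
    tags.setdefault("sp", tags["p"])  # sp falls back to the main policy
    findings = []
    rua = [u.strip() for u in tags.get("rua", "").split(",") if u.strip()]
    if not rua:
        findings.append("no aggregate reporting (rua)")
    if tags["p"] == "none":
        findings.append("p=none: monitoring only")
    if tags["sp"] != tags["p"]:
        findings.append(f"sp={tags['sp']} differs from p={tags['p']}")
    if tags.get("ruf"):
        findings.append("ruf set: review forensic report privacy")
    for uri in rua:
        # Simplification: suffix match stands in for an organizational-domain lookup.
        host = uri.split("!")[0].rpartition("@")[2].lower()
        if uri.lower().startswith("mailto:") and host != domain \
                and not host.endswith("." + domain):
            findings.append(f"external rua {host}: expects TXT at "
                            f"{domain}._report._dmarc.{host}")
    return tags, findings

if __name__ == "__main__":
    for finding in evaluate("example.com", SAMPLE)[1]:
        print(finding)
```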
Why It's Useful
DMARC ties together SPF and DKIM to provide complete email authentication (RFC 7489). It tells receiving servers what to do with emails that fail authentication and provides visibility through aggregate and forensic reports. Full DMARC enforcement (p=reject) is the only way to truly prevent domain spoofing. Google, Yahoo, and Microsoft now require at minimum p=none with rua reporting for domains sending 5,000+ emails/day — with non-compliant emails facing rejection (Gmail November 2025, Outlook May 2025). The upcoming DMARCbis specification will supersede RFC 7489 with stricter reporting rules.
Use Cases
Email Security Maturity Assessment
Evaluate an organization's email security maturity by checking its DMARC enforcement level. Track progression from p=none (monitoring) → p=quarantine → p=reject (full enforcement).
Benchmark email security posture and plan enforcement progression.
DMARC Enforcement Preparation
Before moving from p=none to p=reject, verify SPF and DKIM alignment is working correctly by checking alignment mode and reviewing aggregate report URIs.
Safely progress toward full DMARC enforcement without blocking legitimate mail.
Reporting Configuration Audit
Verify DMARC aggregate (rua) and forensic (ruf) reports are configured and sent to monitored addresses. Check report interval settings.
Ensure visibility into email authentication failures across the organization.
Subdomain Policy Review
Check if subdomain policy (sp=) is set independently from the main domain policy. Subdomains without their own DMARC record inherit the organizational domain policy.
Prevent subdomain spoofing by ensuring proper policy inheritance.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| domain | string | Required | The domain to check DMARC policy for. Example: google.com |
Response Fields
| Field | Type | Description |
|---|---|---|
| domain | string | The queried domain |
| dmarc.found | boolean | Whether a DMARC record exists |
| dmarc.record | string | Raw DMARC record value |
| dmarc.policy | string | Main policy: none, quarantine, or reject |
| dmarc.subdomain_policy | string | Subdomain policy (sp= tag), defaults to main policy |
| dmarc.percentage | number | Percentage of messages the policy applies to (pct= tag, default 100) |
| dmarc.alignment.dkim | string | DKIM alignment mode: r (relaxed) or s (strict) |
| dmarc.alignment.spf | string | SPF alignment mode: r (relaxed) or s (strict) |
| dmarc.reporting.aggregate_uris | array | Aggregate report destinations (rua= tag) |
| dmarc.reporting.forensic_uris | array | Forensic report destinations (ruf= tag) |
| dmarc.reporting.interval_seconds | number | Report interval in seconds (ri= tag, default 86400) |
| dmarc.policy_description | string | Human-readable policy description |
| score | number | Security score 0–100 |
| grade | string | Letter grade A–F |
| recommendations | array | Policy and configuration improvement recommendations |
Code Examples
```bash
# -G sends the -d value as a query string on a GET request,
# matching the JavaScript and Python examples.
curl -G "https://api.edgedns.dev/v1/security/dmarc" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -d "domain=google.com"
```

```javascript
// Query the DMARC check endpoint for a domain.
const response = await fetch(
  'https://api.edgedns.dev/v1/security/dmarc?domain=google.com',
  {
    headers: {
      'Authorization': 'Bearer YOUR_API_KEY'
    }
  }
);
const data = await response.json();
console.log(data);
```

```python
import requests

# Query the DMARC check endpoint for a domain.
response = requests.get(
    'https://api.edgedns.dev/v1/security/dmarc',
    headers={'Authorization': 'Bearer YOUR_API_KEY'},
    params={
        'domain': 'google.com'
    }
)
data = response.json()
print(data)
```