
DMARC Check: a beginner's guide

Analyze DMARC policy, alignment, and reporting

EdgeDNS Team · 10 min read

DMARC: the rulebook that ties SPF and DKIM together

DMARC (Domain-based Message Authentication, Reporting and Conformance) is the policy layer on top of SPF and DKIM. SPF proves that a sending server was authorized; DKIM proves that the message itself was not modified in transit; DMARC takes the results of those two checks and tells receiving mail servers what to actually do when one of them fails. Reject the message? Quarantine it to spam? Just record it for later analysis? DMARC also turns on a continuous reporting feed: every day, mailbox providers like Google, Microsoft, and Yahoo will send you XML reports listing every server in the world that tried to send email as your domain, along with whether each one passed or failed authentication. DMARC is what lets you actually see and control the email-impersonation problem, instead of just hoping it doesn't happen.

You should care because DMARC is the only one of the three standards that turns email authentication from a passive defense into an active one. Without DMARC, even a successful SPF or DKIM check doesn't prevent anything — it just provides a signal that receivers may or may not act on. With DMARC at `p=reject`, an impostor message that fails authentication is refused by the receiving server, and a copy of the failure ends up in your DMARC reports so you can investigate. As of February 2024, Gmail and Yahoo require DMARC on any domain sending more than 5,000 emails per day. Microsoft followed shortly after. DMARC has gone from "nice to have" to "non-negotiable" in less than two years.

The five things every DMARC check looks at:

  • Does a DMARC record exist? It lives at the special subdomain `_dmarc.example.com` and starts with `v=DMARC1;`.

  • What is the policy (`p=`)? Three options: `p=none` (just monitor), `p=quarantine` (route failing mail to spam), `p=reject` (refuse failing mail). Most domains start at `none` and tighten over weeks.

  • Is there a reporting address (`rua=`)? Without a reporting address, you have no visibility into who is actually sending mail as your domain.

  • Is the subdomain policy set (`sp=`)? Without `sp=`, your subdomains inherit the same policy as the root — which may or may not be what you want.

  • Are alignment modes set? The `adkim=` and `aspf=` tags control how strictly the From: domain has to match the authenticated domain. Default `r` (relaxed) is almost always correct.
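How a receiver combines the SPF and DKIM results with the alignment modes, shown as an added example that is not part of the original guide. The message dictionaries and the `org_domain` helper are assumptions made for illustration; real receivers derive the organizational domain from the Public Suffix List.

```python
# Added example (not from the guide): DMARC evaluation on the receiving side.
# Assumption: org_domain() takes the last two labels instead of consulting the
# Public Suffix List, so it is only right for simple domains like example.com.
def org_domain(domain):
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """Mode 's' needs an exact match; 'r' needs the same organizational domain."""
    a, b = from_domain.lower(), auth_domain.lower()
    return a == b if mode == "s" else org_domain(a) == org_domain(b)

def dmarc_disposition(msg, policy, adkim="r", aspf="r"):
    """Return 'pass', or the published policy (none/quarantine/reject) on failure."""
    spf_ok = msg["spf"] == "pass" and aligned(msg["from"], msg["mail_from"], aspf)
    dkim_ok = any(sig["result"] == "pass" and aligned(msg["from"], sig["d"], adkim)
                  for sig in msg["dkim"])
    # DMARC passes when at least one mechanism both passes and aligns with From:.
    return "pass" if spf_ok or dkim_ok else policy

# Constructed sample messages (not real traffic).
# Legitimate mail via a sending service: SPF passes for the service's bounce
# domain (not aligned), but the DKIM signature uses d=example.com (aligned).
ESP_MAIL = {"from": "example.com", "spf": "pass", "mail_from": "bounce.esp.example",
            "dkim": [{"d": "example.com", "result": "pass"}]}
# Impersonation: SPF passes, but only for the sender's own unrelated domain.
SPOOF = {"from": "example.com", "spf": "pass", "mail_from": "attacker.example",
         "dkim": []}
# Signed by a subdomain: aligned under relaxed mode, not under strict mode.
SUBDOMAIN = {"from": "example.com", "spf": "fail", "mail_from": "example.com",
             "dkim": [{"d": "mail.example.com", "result": "pass"}]}

if __name__ == "__main__":
    for name, msg in [("esp", ESP_MAIL), ("spoof", SPOOF), ("sub", SUBDOMAIN)]:
        print(name, dmarc_disposition(msg, "reject"))
```

The `SPOOF` case is why an SPF pass alone stops nothing: the check succeeds for a domain the recipient never sees, and only the alignment test ties it back to the From: domain.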

Three questions a DMARC check answers:

  • Is my domain protected against impersonation today, or am I still in monitor-only mode?

  • Who is actually sending email as my domain right now, including legitimate senders I forgot about?

  • After the recent mailbox-provider enforcement changes, am I in compliance?

The cost of skipping DMARC is leaving the door open to brand impersonation while losing inbox placement at every major mailbox provider. The fix is one DNS record, started in monitor mode, walked up the policy ladder over six to eight weeks. The longer hand-written guide is at How to Check Your DMARC Record. DMARC is defined in RFC 7489.

The DMARC Check endpoint, in plain language

In one sentence: Analyze [DMARC (Domain-based Message Authentication, Reporting and Conformance)](/guides/how-to-check-dmarc-record) policy, alignment, and reporting

Retrieves and validates DMARC (Domain-based Message Authentication, Reporting and Conformance, defined in RFC 7489) records. Analyzes policy enforcement level (none/quarantine/reject), subdomain policy, SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) alignment mode (strict/relaxed), percentage rollout, reporting configuration (aggregate rua and forensic ruf destinations), and external destination verification requirements (RFC 7489 §7.1). Detects multiple DMARC records (invalid per spec) and flags forensic reporting privacy concerns.

Don't worry if some of the words above are still unfamiliar — there's a plain-language glossary at the bottom of this page, and most of the terms link to their own beginner guides if you want to learn more.

What is actually happening when you call it

Here's what's actually happening behind the scenes when you call this endpoint:

Queries the `_dmarc.<domain>` TXT record (text record), validates that only one DMARC (Domain-based Message Authentication, Reporting and Conformance) record exists (multiple records are invalid), parses all DMARC tags (`v`, `p`, `sp`, `pct`, `rua`, `ruf`, `adkim`, `aspf`, `ri`, `fo`), validates syntax, and evaluates the effective security posture. Identifies policy gaps such as `p=none` without monitoring, missing aggregate reporting, lax alignment when strict is recommended, subdomain policy inconsistencies, and external report destinations requiring verification records (RFC 7489 §7.1). Warns about forensic report (`ruf`) privacy implications. Returns a security score, letter grade, and a human-readable policy description.
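The steps described above, sketched as an added example; this is not EdgeDNS's code and does not reproduce its scoring. It assumes the TXT strings at `_dmarc.<domain>` have already been fetched, and it approximates the external-destination test with a suffix match instead of a Public Suffix List lookup.

```python
# Added example (not EdgeDNS code). Input: TXT strings already fetched from
# _dmarc.<domain>; no DNS lookup is performed here.
DEFAULTS = {"adkim": "r", "aspf": "r", "pct": "100", "ri": "86400"}

def is_dmarc(record):
    """True if the first tag is exactly v=DMARC1 (the value is case-sensitive)."""
    name, _, value = record.split(";", 1)[0].partition("=")
    return name.strip().lower() == "v" and value.strip() == "DMARC1"

def parse_tags(record):
    """Split 'k=v; k=v' into a dict keyed by lower-cased tag name."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {key.strip().lower(): value.strip() for key, value in pairs}

def report_domains(uri_list):
    """Host part of each mailto: report URI, without any '!10m' size suffix."""
    uris = [u.strip() for u in uri_list.split(",")]
    return [u.rsplit("@", 1)[1].split("!")[0].lower()
            for u in uris if u.lower().startswith("mailto:") and "@" in u]

def evaluate(domain, txt_records):
    """Return (effective_tags, findings) for the records at _dmarc.<domain>."""
    dmarc = [r for r in txt_records if is_dmarc(r)]
    if len(dmarc) != 1:
        return None, ["no DMARC record" if not dmarc else "multiple DMARC records"]
    tags = {**DEFAULTS, **parse_tags(dmarc[0])}
    findings = []
    if tags.get("p") not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid p=")
    tags.setdefault("sp", tags.get("p"))  # sp= defaults to the main policy
    if tags.get("p") == "none":
        findings.append("p=none: monitor only, failing mail is still delivered")
    if "rua" not in tags:
        findings.append("no rua=: no aggregate reports")
    if "ruf" in tags:
        findings.append("ruf= set: forensic reports may expose message content")
    for dest in report_domains(tags.get("rua", "") + "," + tags.get("ruf", "")):
        # Simplification: suffix match stands in for the Organizational Domain
        # comparison, which needs the Public Suffix List.
        if not (dest == domain or dest.endswith("." + domain)
                or domain.endswith("." + dest)):
            findings.append(f"external destination: needs TXT v=DMARC1 at "
                            f"{domain}._report._dmarc.{dest}")
    return tags, findings

# Constructed sample records (not real DNS data).
SAMPLE = ["v=spf1 -all",
          "v=DMARC1; p=none; rua=mailto:agg@reports.vendor.example!10m"]
TAGS, FINDINGS = evaluate("example.com", SAMPLE)
```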

If you're using an AI assistant through MCP, you don't need to understand any of the technical details — the assistant calls the tool and translates the result for you.

Why this specific tool matters

Let's skip the marketing fluff and answer the only question that actually matters: why should you, a real human with a real to-do list, care about the DMARC Check tool? Here's the plain-English version, written the way you'd hear it from a friend who happens to do this for a living.

DMARC (Domain-based Message Authentication, Reporting and Conformance) ties together SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) to provide complete email authentication (RFC 7489). It tells receiving servers what to do with emails that fail authentication and provides visibility through aggregate and forensic reports. Full DMARC enforcement (`p=reject`) is the only way to truly prevent domain spoofing. Google, Yahoo, and Microsoft now require at minimum `p=none` with `rua` reporting for domains sending 5,000+ emails/day — with non-compliant emails facing rejection (Gmail November 2025, Outlook May 2025). The upcoming DMARCbis specification will supersede RFC 7489 with stricter reporting rules.

Picture this in real life. Imagine a security manager who has to evaluate the organization's email security maturity by checking the DMARC (Domain-based Message Authentication, Reporting and Conformance) enforcement level, and then track progression from p=none (monitoring) → p=quarantine → p=reject (full enforcement). Without the right tool, that person would be stuck copy-pasting between five browser tabs, reading documentation written for engineers, and crossing their fingers that the answer they cobble together is correct. With the DMARC Check tool, the same person gets a clear answer in seconds — no spreadsheets, no guessing, no waiting for someone on the infrastructure team to free up.

Three questions this tool answers in plain English. If any of these have ever crossed your mind, the DMARC Check tool is built for you:

  • Will the emails I send actually reach the inbox, or are they going to spam?

  • Can someone else send phishing emails pretending to be my domain?

  • Have I set up the three rulebooks (SPF, DKIM, DMARC) that mailbox providers now require?

You can either click the tool and get the answer yourself, or ask your AI assistant — connected through MCP (Model Context Protocol) — to ask the question for you and translate the answer into something you can paste into Slack.

Who gets the most out of this. Small-business owners worried about deliverability, marketing managers onboarding a new email service, IT admins prepping for a security audit, and brand teams protecting against phishing. If you see yourself in that list, this is one of the EdgeDNS tools you should bookmark today.

What happens if you skip this entirely. Skip it and your real emails risk landing in the spam folder while scammers find it easier to impersonate your brand. That's why running this check — even once a month — is one of the cheapest forms of insurance you can give your domain.

Info:

Available on the free plan. The technical details: `GET /v1/security/dmarc`.

When would I actually use this?

If you're still on the fence about whether the DMARC Check tool belongs in your toolbox, this section is for you. Below you'll meet four real people — a security manager, an email administrator, a security analyst, and a domain administrator — facing four real situations where this tool turns a stressful afternoon into a five-minute task. Read whichever story sounds closest to your week.

Story 1: Email Security Maturity Assessment

Imagine you're a security manager. Evaluate organization's email security maturity by checking DMARC (Domain-based Message Authentication, Reporting and Conformance) enforcement level. Track progression from p=none (monitoring) → p=quarantine → p=reject (full enforcement).

Why it matters: Benchmark email security posture and plan enforcement progression.

Story 2: DMARC Enforcement Preparation

Imagine you're an email administrator. Before moving from p=none to p=reject, verify SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) alignment is working correctly by checking alignment mode and reviewing aggregate report URIs.

Why it matters: Safely progress toward full DMARC (Domain-based Message Authentication, Reporting and Conformance) enforcement without blocking legitimate mail.

Story 3: Reporting Configuration Audit

Imagine you're a security analyst. Verify DMARC (Domain-based Message Authentication, Reporting and Conformance) aggregate (rua) and forensic (ruf) reports are configured and sent to monitored addresses. Check report interval settings.

Why it matters: Ensure visibility into email authentication failures across the organization.

Story 4: Subdomain Policy Review

Imagine you're a domain administrator. Check if subdomain policy (sp=) is set independently from the main domain policy. Subdomains without their own DMARC (Domain-based Message Authentication, Reporting and Conformance) record inherit the organizational domain policy.

Why it matters: Prevent subdomain spoofing by ensuring proper policy inheritance.

Common situations across teams. Beyond the four stories above, here are the everyday workplace moments when people across the company reach for the DMARC Check tool — or one of the tools right next to it in this category. If any of these are on your calendar this month, that's your sign:

  • When setting up email on a brand-new domain.

  • After signing up for a new email-sending service (Mailchimp, SendGrid, HubSpot, etc.).

  • When a customer reports that your emails are landing in their spam folder.

  • Before a security audit, a SOC 2 review, or a major marketing campaign.

If you can see yourself in even one of those bullets, the DMARC Check tool will pay for itself the first time you use it.

Still not sure? Here's the easiest test in the world. Open Claude, ChatGPT, Gemini, or any other AI assistant connected to the EdgeDNS MCP server and ask, in your own words: "Is the DMARC Check tool useful for my job?" The assistant will look at the tool, ask you a couple of follow-up questions about what you're trying to accomplish, and give you a straight answer in plain English. No commitment, no signup forms, no jargon.

The easiest way: just ask your AI assistant

If you've connected the EdgeDNS MCP server to Claude, ChatGPT, Gemini, Cursor, or any other AI assistant, you don't need to write any code. Just ask in plain English:

"Use the DMARC Check tool to check google.com and explain anything that looks wrong in plain language."

The AI will figure out which tool to call, fill in the right parameters, run it, and then explain the result back to you. No copy-pasting between tabs. No reading raw JSON. No memorizing endpoint names.

Tip:

MCP (Model Context Protocol) access is free on every plan, including the free tier. One API key works for both REST and AI — you do not have to choose.

The technical way: call it from code

If you're a developer and want to call the endpoint from a script or your own application, here's the simplest possible example. Replace the placeholder API key with the real one from your dashboard.

```bash
# Replace edns_live_YOUR_KEY with your real API key from the dashboard
curl -H "Authorization: Bearer edns_live_YOUR_KEY" \
  "https://api.edgedns.dev/v1/security/dmarc?domain=google.com"
```

What you need to provide

There's just one piece of information you need to provide. The table below explains exactly what it is and what a real value looks like.

| Field | Type | Required? | What it means | Example |
| --- | --- | --- | --- | --- |
| `domain` | string | Yes | The domain to check DMARC (Domain-based Message Authentication, Reporting and Conformance) policy for | `google.com` |

What you get back

When you call this tool, you'll get back a JSON object with the fields below. If you're talking to it through an AI assistant, the assistant reads these for you and explains them in plain language — you don't need to memorize them.

| Field | Type | What you'll see in it |
| --- | --- | --- |
| `domain` | string | The queried domain |
| `dmarc.found` | boolean | Whether a DMARC (Domain-based Message Authentication, Reporting and Conformance) record exists |
| `dmarc.record` | string | Raw DMARC (Domain-based Message Authentication, Reporting and Conformance) record value |
| `dmarc.policy` | string | Main policy: none, quarantine, or reject |
| `dmarc.subdomain_policy` | string | Subdomain policy (sp= tag), defaults to main policy |
| `dmarc.percentage` | number | Percentage of messages the policy applies to (pct= tag, default 100) |
| `dmarc.alignment.dkim` | string | DKIM (DomainKeys Identified Mail) alignment mode: r (relaxed) or s (strict) |
| `dmarc.alignment.spf` | string | SPF (Sender Policy Framework) alignment mode: r (relaxed) or s (strict) |
| `dmarc.reporting.aggregate_uris` | array | Aggregate report destinations (rua= tag) |
| `dmarc.reporting.forensic_uris` | array | Forensic report destinations (ruf= tag) |
| `dmarc.reporting.interval_seconds` | number | Report interval in seconds (ri= tag, default 86400) |
| `dmarc.policy_description` | string | Human-readable policy description |
| `score` | number | Security score 0–100 |
| `grade` | string | Letter grade A–F |
| `recommendations` | array | Policy and configuration improvement recommendations |

Words you might be wondering about

If any words on this page felt like jargon, here's a plain-language version. Click any linked term to read a full beginner-friendly guide.

TXT record (text record) — A DNS entry that holds plain text. Used for things like proving you own a domain or listing who can send email as you.

SPF (Sender Policy Framework) — A list, published in your DNS, of which servers are allowed to send email pretending to be you. Helps stop spammers from forging your address.

DKIM (DomainKeys Identified Mail) — A digital signature added to every email you send. The receiving mail server checks the signature to make sure the message really came from you and was not changed in transit.

DMARC (Domain-based Message Authentication, Reporting and Conformance) — An email rulebook you publish in your DNS. It tells receiving servers what to do with email that fails SPF or DKIM checks — ignore it, send it to spam, or block it entirely.

RFC (Request for Comments) — The official internet standards documents. When someone says 'RFC 8484' they mean a specific numbered standards document — in that case, the one defining DNS over HTTPS.
