📊 DMARC · report analyzer & validator

Check Domain-based Message Authentication records — analyze XML reports

Domain name example.com

📊

Enter a domain, then click "Check DMARC"
DMARC tells receiving servers what to do with emails that fail authentication.

📤 Upload DMARC XML Report

📂

Drag & drop your DMARC aggregate report (XML) here

or click to browse

🔐 DMARC = Domain-based Message Authentication, Reporting & Conformance 📝 Format: v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com ⚡ Only 5.6% of domains enforce DMARC (p=reject)

📋 DMARC Policy Levels

Policy	Meaning	Action	BIMI Ready
`p=none`	Monitoring only	Take no action, send reports	❌ No
`p=quarantine`	Soft enforcement	Mark as spam	✅ Yes
`p=reject`	Hard enforcement	Reject email completely	✅ Yes

📈 Stat: Only 5.6% of domains use p=reject. The rest remain vulnerable to spoofing [citation:5].

🔄 DMARC Alignment

SPF Alignment: The domain in the Envelope From must match the Domain in the From header (or be an organizational domain if aspf=r is set).

DKIM Alignment: The domain in the d= tag of the DKIM signature must match the Domain in the From header (or be an organizational domain if adkim=r is set).

Both SPF and DKIM can pass, but if they don't align, DMARC fails.

🏷️ DMARC Tag Reference

Tag	Required	Description	Example
`v=`	✅ Yes	Version (must be DMARC1)	`v=DMARC1`
`p=`	✅ Yes	Policy (none/quarantine/reject)	`p=quarantine`
`rua=`	❌ No	Aggregate report URI	`rua=mailto:dmarc@example.com`
`ruf=`	❌ No	Forensic report URI	`ruf=mailto:forensic@example.com`
`sp=`	❌ No	Subdomain policy	`sp=reject`
`adkim=`	❌ No	DKIM alignment (r=relaxed/s=strict)	`adkim=s`
`aspf=`	❌ No	SPF alignment (r=relaxed/s=strict)	`aspf=r`
`pct=`	❌ No	Percentage to apply policy	`pct=25`
`fo=`	❌ No	Failure reporting options	`fo=1`
`rf=`	❌ No	Report format (afrf default)	`rf=afrf`
`ri=`	❌ No	Report interval (seconds)	`ri=86400`

📊 FO (Failure Reporting) Options

Value	Meaning
`0`	Generate report if SPF and DKIM both fail
`1`	Generate report if SPF or DKIM fails
`d`	Generate report if DKIM signature fails
`s`	Generate report if SPF fails

📊 DMARC Report Types

Report Type	Purpose	Frequency
Aggregate (RUA)	Summary of all emails, pass/fail statistics, sending sources	Daily
Forensic (RUF)	Individual failed emails with details	Per failure

🔍 What Aggregate Reports Tell You

✓ Total email volume from your domain
✓ Which IPs are sending email
✓ SPF/DKIM pass/fail rates
✓ DMARC alignment results
✓ Potential spoofing attempts
✓ Sending sources (legitimate vs. fraudulent)

⚠️ Forensic Reports Are Sensitive

Forensic reports contain the actual email content that failed authentication. This may include personal data. Use PGP encryption for RUF addresses to protect privacy [citation:9].

✅ DMARC Best Practices (2026)

📊 Start with p=none - Monitor for 2-4 weeks to identify all legitimate senders
🔍 Use pct= gradually - Start with 25%, increase slowly
📧 Set up RUA addresses - You can't fix what you can't measure
🔒 Move to p=quarantine - After identifying all sources
⚡ Finally p=reject - Full enforcement stops spoofing
📋 Set up SPF and DKIM first - DMARC depends on them
🎯 Aim for BIMI readiness - Display your logo in email clients [citation:5]

⚠️ Common DMARC Mistakes

❌ Missing RUA/RUF: Without reporting addresses, you won't receive data

❌ Multiple DMARC records: Only one DMARC TXT record allowed per domain

❌ Syntax errors: Extra spaces, missing semicolons break the record

❌ Going to p=reject too fast: Can block legitimate email

❌ Forgetting subdomains: Use sp= tag to set subdomain policy