DMARC tools

DMARC analyzer

See whether your domain is ready for DMARC enforcement by checking DMARC alongside SPF and DKIM.

Enter a valid domain name only, without http:// or https://.

About

The DMARC Analyzer performs a deep review of your published DMARC record, validating syntax, policy strength, reporting setup, and tag configuration.

It is ideal when you need a structured audit of an existing record rather than a quick pass/fail check, such as before tightening policy or during a compliance review.

Detailed analysis

Goes beyond presence checks to evaluate policy, alignment tags, and reporting completeness.

Issue detection

Surfaces configuration problems that could weaken protection or cause deliverability issues.

Full tag inventory

Lists every tag with its value and meaning so you can verify advanced settings like sp, adkim, and fo.

Pre-enforcement audit

Confirm your record is ready before moving from p=none to quarantine or reject.

How to use this tool

Submit your domain

Enter the sending domain you want analyzed, the root domain, not a mail-server hostname.

Fetch the live record

The analyzer retrieves the current DMARC TXT record from public DNS at _dmarc.yourdomain.com.

Run validation checks

Syntax, policy values, alignment modes, reporting URIs, and deprecated tags are evaluated.

Review the report

Read the status banner, record checks, tag table, and any issues to decide your next steps.

Understanding the results

The status banner summarizes overall health. Record checks break down individual requirements with pass/fail indicators.

Correctly set up

Record is present, syntactically valid, and has no actionable issues. Ready for ongoing monitoring or policy tightening.

Valid with issues

The record parses correctly but has warnings, weak policy, missing rua, or configuration gaps to address.

Missing or broken

No record found, or the published value has errors that prevent receivers from applying your policy.

Record checks: No

Individual checks marked with a red X indicate specific gaps, for example missing RUA or p=none enforcement.

Important result fields

DMARC status banner

High-level summary, correctly set up, needs review, or not found.

Detected record

The exact TXT string found in DNS. Copy it to compare against your intended configuration.

Valid DMARC record

Yes/No, whether the record passes syntax and required-tag validation.

DMARC policy

The p= value: none, quarantine, or reject.

Tags found

Complete list of tags with values and RFC descriptions.

Best practices & recommendations

Analyze before policy changes

Run the analyzer before switching from p=none to quarantine or reject to confirm reporting and alignment are correct.

Compare against your generator output

If you used the DMARC Generator, verify the live DNS record matches what you intended to publish.

Address every red check

Treat failed record checks as action items, especially missing RUA and weak policy during active sending.

Re-analyze after fixes

After updating DNS, wait for propagation and run the analyzer again to confirm issues are resolved.

Frequently asked questions

Both look up your live DMARC record. The Analyzer focuses on a structured audit with status messaging and tag inventory; the Checker adds summary cards for policy, reporting, and issue counts.

The record exists but has invalid syntax, unsupported tag values, or missing recommended settings like aggregate reporting addresses.

Start with relaxed (r) to avoid breaking forwarded mail. Move to strict (s) only after aggregate reports confirm all legitimate sources align.

sp sets DMARC policy for subdomains. If omitted, subdomains inherit the root p= policy.

p=none means no enforcement, mail is not blocked. It is correct during monitoring but should be upgraded once you have report visibility.

Yes. SPF and DKIM authenticate individual messages. DMARC tells receivers what to do when authentication fails and provides reporting.

Enter the organizational domain. DMARC is published at _dmarc on the root domain and applies to the domain and its subdomains per policy.

Run this check once, or have it watched 24/7.

SenderSignal monitors these signals continuously: 48 blacklists, SPF, DKIM, DMARC, TLS and more, with alerts in Slack, email and signed webhooks.

Start monitoring free All free tools