
What is DMARC

Key idea:

DMARC (Domain-based Message Authentication, Reporting and Conformance) is a policy that tells receiving mail servers what to do with messages that fail SPF or DKIM. It is published as a TXT record at _dmarc.example.com. DMARC is layered over SPF and DKIM: at least one of them must align with the From domain. Without DMARC the domain remains vulnerable to spoofing.

Below: details, example, related terms, FAQ.

Details

  • Syntax: v=DMARC1; p=none|quarantine|reject; rua=mailto:...; pct=100
  • Three strictness levels: p=none (monitor) → p=quarantine (spam folder) → p=reject (hard-fail)
  • rua= requests aggregate reports, ruf= requests forensic reports for specific failures
  • adkim=s/r, aspf=s/r: strict vs relaxed alignment. The default is relaxed
  • Since February 2024, Gmail and Yahoo require DMARC for bulk senders (>5000/day)

Example

v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example.com
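
The record above can be checked mechanically. The following is an added example, not code from this site or its checker: it parses a DMARC TXT value using the tags listed under Details and flags rollout gaps. The function names parse_dmarc and findings are hypothetical, and the sample record is the one shown above.

```python
# Added example: DMARC record parser and rollout-stage check (not the site's code).
VALID_POLICIES = {"none", "quarantine", "reject"}
DEFAULTS = {"pct": "100", "adkim": "r", "aspf": "r"}  # defaults per RFC 7489


def parse_dmarc(txt):
    """Parse 'tag=value; ...' into a dict, applying defaults and validating."""
    pairs = []
    for part in txt.split(";"):
        if not part.strip():
            continue  # tolerate a trailing ';'
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part.strip()!r}")
        pairs.append((name.strip().lower(), value.strip()))
    if not pairs or pairs[0] != ("v", "DMARC1"):
        raise ValueError("record must begin with v=DMARC1")
    rec = {**DEFAULTS, **dict(pairs)}
    if rec.get("p", "").lower() not in VALID_POLICIES:
        raise ValueError("p= must be none, quarantine or reject")
    rec["p"] = rec["p"].lower()
    if not rec["pct"].isdigit() or not 0 <= int(rec["pct"]) <= 100:
        raise ValueError("pct= must be an integer from 0 to 100")
    rec["pct"] = int(rec["pct"])
    for tag in ("adkim", "aspf"):
        if rec[tag] not in ("r", "s"):
            raise ValueError(f"{tag}= must be r or s")
    return rec


def findings(rec):
    """Return rollout gaps a reviewer would flag for a parsed record."""
    out = []
    if rec["p"] == "none":
        out.append("p=none: monitoring only, failing mail is still delivered")
    elif rec["pct"] < 100:
        out.append(f"pct={rec['pct']}: policy applies to only part of failing mail")
    if rec["p"] != "reject":
        out.append("not yet at p=reject")
    if not rec.get("rua", "").startswith("mailto:"):
        out.append("no rua=mailto: address, so no aggregate reports")
    return out


if __name__ == "__main__":
    sample = "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example.com"
    rec = parse_dmarc(sample)
    print(rec["p"], rec["pct"], rec["adkim"], rec["aspf"], findings(rec))
```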

Related Terms

  • Public Key: DKIM key in DNS TXT record
  • Key Length: RSA-1024, 2048, or Ed25519
  • Quick Test: Domain + selector = result
  • Validation: Syntax and parameters of DKIM TXT


How it works

1. Enter domain and selector
2. Fetch DKIM TXT record
3. Validate public key

What is DKIM?

DKIM (DomainKeys Identified Mail) is a mechanism to digitally sign email with a key stored in DNS. This allows recipients to verify that the email was genuinely sent from the specified domain.

Selector-based Check

Specify domain and DKIM selector — get the public key and its parameters.

Key Analysis

RSA/Ed25519 key length, hash algorithm, flags, and validity period.

Recommendations

If the key is shorter than 2048 bits, we issue a warning and key rotation instructions.

Instant Result

Direct DNS query in seconds — no waiting for TTL.

Who uses this

  • Email marketers: pre-send verification
  • Sysadmins: mail server setup
  • Security: phishing protection audit
  • Developers: email deliverability debug

Common Mistakes

  • Using 1024-bit key: 1024 bits is considered weak. Gmail and Outlook require at least 2048 bits.
  • Not rotating keys: Same key for years means risk of compromise. Rotate keys every 6–12 months.
  • Wrong selector: Each ESP uses its own selector. Ensure the correct key is in DNS for each.
  • Not checking after ESP change: When changing email service, always verify the new provider's DKIM.

Best Practices

  • Use 2048-bit keys: This is the current recommended minimum. Ed25519 is a more modern alternative.
  • Set up DMARC with DKIM: Without DMARC, even correct DKIM signing doesn't protect from Display-From spoofing.
  • Check after migration: When changing DNS provider, DKIM records are often lost. Check immediately after.
  • Document all selectors: Keep a list of all DKIM selectors, which is useful during rotation and auditing.


Frequently Asked Questions

Do I need DMARC if I have SPF and DKIM?

Yes. SPF/DKIM only authenticate. DMARC tells the receiver what to do if they fail — without DMARC the receiver decides (often accepts).

Where to start?

Always with p=none and rua=mailto:. Monitor for 2 weeks, then quarantine pct=25, then 100, then reject.

Is there a cost?

DMARC is free. Report aggregators like dmarcian offer a free tier for small domains.