Back to The Rejected Folder
| 9 min read

Free DMARC checker: test your domain's email authentication

Check your domain's DMARC, SPF, DKIM, and BIMI records in seconds. Our free DMARC checker provides a complete email authentication audit with actionable recommendations.

DT
Marc, Owner
Free DMARC checker: test your domain's email authentication

Your domain’s email authentication is either protecting you or exposing you. No in-between.

A properly configured DMARC record stops attackers from spoofing your domain. A missing or broken one? Open invitation for phishing attacks, damaged reputation, and emails landing in spam.

Most people have no idea what state their email authentication is in. They set it up once (maybe), never looked at it again, and assume everything is fine.

It’s usually not fine.

That’s why we built a free DMARC checker that shows you the complete picture in seconds.

What our DMARC checker analyzes

When you enter a domain, we perform DNS lookups and analyze four records.

DMARC record

DMARC (Domain-based Message Authentication, Reporting & Conformance) is the policy layer that ties everything together. Our checker verifies whether you have a DMARC record at all, whether the record is properly formatted, and what policy level you’re at: p=none (monitoring), p=quarantine (spam folder), or p=reject (block). We also check your reporting configuration for rua and ruf tags, look for a separate sp= subdomain policy, and flag any pct percentage set below 100%.

A missing DMARC record is a red flag. But so is a record stuck at p=none for years. Both leave your domain vulnerable.

SPF record

SPF (Sender Policy Framework) defines which servers are authorized to send email for your domain. We check for the existence of an SPF TXT record and validate its syntax (it should start with v=spf1). We count your include, a, mx, and ip4 mechanisms and calculate your total DNS lookup count against the 10-lookup limit. We also note whether you end with -all (hard fail), ~all (soft fail), or ?all (neutral).

The 10-lookup limit is where most SPF records break. Each include: triggers additional lookups. Add too many email services, and your entire SPF record becomes invalid. Our SPF generator shows you the lookup count in real-time.

DKIM record

DKIM (DomainKeys Identified Mail) adds cryptographic signatures to your emails. Our checker looks for common selectors like default, google, selector1, and selector2. For each one found, we verify that a public key exists and check whether it’s 1024-bit or 2048-bit.

DKIM is trickier to check without knowing your specific selectors. If you use Microsoft 365, your selectors are selector1 and selector2. For Google Workspace, it’s usually google. We check the most common ones automatically.

BIMI record

BIMI (Brand Indicators for Message Identification) displays your logo next to authenticated emails. We verify whether a BIMI TXT record exists at default._bimi, whether it includes a valid SVG logo URL, and whether a Verified Mark Certificate is present.

BIMI is optional but increasingly useful for brand visibility. It only works if your DMARC policy is at p=quarantine or p=reject.

The health score

After analyzing all four records, we calculate an overall health score from 0 to 100.

The score considers whether all necessary records exist, whether the records are properly formatted, how strong your DMARC policy is, and whether you’re following current best practices.

A score above 80 means your email authentication is solid. Below 50 means you have work to do. Below 20 means your domain is essentially unprotected.

How to use the DMARC checker

Using our checker takes about 10 seconds:

  1. Go to dmarctrust.com/domains
  2. Enter your domain name (e.g., example.com)
  3. Click Check domain
  4. Review your results

That’s it. No signup required. No email address needed. Just instant results.

The results page shows your overall health score with a visual indicator, your full DMARC record with parsed tags, your SPF record with mechanism breakdown and lookup count, DKIM status for detected selectors, your BIMI record if present, and specific recommendations for improvement.

You can check any domain, not just your own. This is useful for verifying a vendor’s email security before trusting their emails, checking competitors’ authentication setup, auditing domains before acquisition, or investigating phishing attempts that claim to be from a specific domain.

What the results mean

Let’s break down what each finding tells you.

“No DMARC record found”

This is the worst result. Without DMARC, anyone can send email pretending to be from your domain. Receiving servers have no way to know which emails are legitimate.

Create a DMARC record using our free DMARC generator. Start with p=none to monitor before enforcing.

“DMARC policy is p=none”

You have a DMARC record, but it’s in monitoring mode. This means receiving servers check authentication but don’t take action on failures. Spoofed emails still get delivered.

This is fine as a starting point. It’s not fine as a permanent state.

After monitoring for 2-4 weeks and fixing any legitimate senders that fail, move to p=quarantine and eventually p=reject. Our enforcement playbook guides you through this process.

“SPF record has too many DNS lookups”

SPF is limited to 10 DNS lookups. Each include: mechanism triggers additional lookups. If you exceed 10, the entire SPF check fails with a PermError.

This is common when you use multiple email services: Microsoft 365 (2-3 lookups), Google Workspace (1-2 lookups), SendGrid (1 lookup), Mailchimp (1 lookup), etc. They add up fast.

Audit your SPF record and remove services you no longer use. Consider SPF flattening for complex setups, though this requires maintenance.

“SPF uses ~all instead of -all”

The ~all qualifier is a “soft fail” that tells receivers to accept but mark suspicious emails. The -all qualifier is a “hard fail” that tells receivers to reject unauthorized senders.

Most modern guides recommend -all for better protection. However, if you’re not 100% sure all your senders are listed, ~all is safer while you audit.

“No DKIM record found”

We couldn’t find a DKIM public key for common selectors. This might mean DKIM isn’t configured, you’re using a non-standard selector we didn’t check, or the record exists but has a typo.

Check your email provider’s documentation for the correct DKIM selector, then verify it’s published in DNS.

“BIMI record found but no VMC”

You have a BIMI record with a logo, but no Verified Mark Certificate. Some email clients (like Gmail) require a VMC to display your logo. Others (like Apple Mail) will show it without certification.

If brand visibility in Gmail is important, consider obtaining a VMC. We offer BIMI certificate services through our Sectigo partnership.

Common issues we detect

Over thousands of domain checks, the same problems come up.

Multiple DMARC records

Some domains have two _dmarc TXT records, usually from different configuration attempts. This is invalid. Receiving servers may ignore both or behave unpredictably.

The rule: one domain, one DMARC record. Always edit the existing record rather than adding a new one.

Multiple SPF records

Same problem, same cause. You can only have one SPF record (starting with v=spf1) per domain.

If you need to add a new sender, edit your existing SPF record to include them. Don’t create a second record.

Syntax errors

Missing semicolons, wrong tag names, invalid values. DMARC and SPF records are picky about formatting. A single typo can invalidate the entire record.

Example errors:

  • p=rejected (should be p=reject)
  • v=DMARC1 p=none (missing semicolon after DMARC1)
  • [email protected] (missing mailto: prefix)

Our checker catches these and tells you exactly what’s wrong.

Reporting addresses that don’t exist

Your DMARC record says to send reports to [email protected], but that mailbox doesn’t exist or is full. Reports bounce, and you have no visibility into authentication.

Even worse: the mailbox exists, but nobody reads it. XML reports pile up, unprocessed.

Use a DMARC monitoring service like DMARCTrust that automatically processes reports and shows you actionable data.

After the check: what’s next?

Checking your domain is step one. Here’s what comes after.

If you’re missing DMARC

Use our free DMARC generator to create a record. Start with this configuration:

v=DMARC1; p=none; rua=mailto:[email protected];

The p=none policy means monitoring only. The rua tag tells receivers where to send reports.

Add this as a TXT record at _dmarc.yourdomain.com in your DNS.

If you’re stuck at p=none

You need visibility before you can enforce. This is where monitoring becomes necessary.

Sign up for DMARCTrust, add your domain, and get a unique reporting address. Update your DMARC record to use that address. Within 24-48 hours, you’ll start seeing reports.

Review the reports to identify all legitimate services sending as your domain, which ones pass SPF and DKIM, and which ones need configuration fixes.

Once everything legitimate passes, you can safely move to p=quarantine and then p=reject.

If your SPF is broken

Audit your SPF record. List every include: mechanism and verify you still use that service. Remove anything obsolete.

If you’re over 10 lookups even after cleanup, you have a few options. You can use ip4: mechanisms for static IPs (they don’t count toward the lookup limit), consolidate email services where possible, or use SPF flattening tools with caution since they require maintenance.

If DKIM isn’t working

Check your email provider’s documentation for the correct selector name, whether you need to publish CNAME or TXT records, and whether you need to enable DKIM signing in their admin panel.

Common selectors by provider:

  • Microsoft 365: selector1, selector2 (see our M365 setup guide)
  • Google Workspace: google
  • SendGrid: s1, s2
  • Mailchimp: k1

Why ongoing monitoring matters

A single DMARC check shows you the current state. It doesn’t tell you who’s sending email as your domain, whether those senders pass or fail authentication, if someone is spoofing your domain, or when configuration changes break things.

That’s what DMARC monitoring provides. Reports from Gmail, Microsoft, Yahoo, and other receivers flow into DMARCTrust, where we parse them, identify senders, calculate pass rates, and alert you to problems.

Checking gives you point-in-time verification. Monitoring gives you ongoing visibility. Together, they give you complete control over your email authentication.

Check your domain now

Go to dmarctrust.com/domains and enter your domain. In seconds, you’ll see your DMARC, SPF, DKIM, and BIMI status with specific recommendations.

If you don’t have a DMARC record yet, our free generator creates one in 30 seconds.

But checking is just the start. A point-in-time check tells you the current state. It doesn’t tell you who’s sending email as your domain, whether they’re passing authentication, or if someone is spoofing you right now. For that, you need monitoring.

Sign up for DMARCTrust, add your domain, and get your unique reporting address. Update your DMARC record to send reports to us. Within 48 hours, you’ll have complete visibility into every email sent as your domain.

The checker shows you where you are. DMARCTrust shows you everything that’s happening.

Read Next

View all posts
Free DMARC generator: create your record in 30 seconds
tools ·

Free DMARC generator: create your record in 30 seconds

Generate a valid DMARC record for your domain without touching DNS syntax. Our free DMARC generator creates properly formatted records with the right policy for your needs.

DT
DMARCTrust
9 min read
DMARC compliance tools in 2026: what you actually need
dmarc ·

DMARC compliance tools in 2026: what you actually need

DMARC compliance is mandatory, but most companies approach it wrong. Here's what tools you actually need, who needs what, and what happens when you skip proper monitoring.

DT
DMARCTrust
11 min read