Why inspect your DMARC record?
A misconfigured DMARC record in DNS can:
- Be ignored by receiving servers (Gmail, Outlook, Yahoo)
- Block your legitimate emails if the policy is too strict too early
- Leave your domain vulnerable to spoofing and phishing if the policy is absent
The DMARC inspector (DMARC record checker, DMARC lookup) queries DNS in real time to display exactly what receiving servers see. You detect publication errors before they impact your deliverability.
Common use cases:
- After publication → Verify the record is correctly propagated
- Deliverability issues → Diagnose a failing DMARC configuration
- Security audit → Validate domain spoofing protection
How to use the DMARC inspector in 3 steps
Step 1: Enter the domain to analyze
Enter the domain exactly as it appears in your email addresses:
- captaindns.com (main domain)
- marketing.captaindns.com (subdomain if you send from a subdomain)
The tool automatically queries _dmarc.domain and retrieves the published TXT record.
Step 2: Analyze the results
The inspector displays:
| Element | Description |
|---|---|
| Policy (p=) | none, quarantine or reject - handling of unauthenticated emails |
| Subdomain policy (sp=) | Specific policy for subdomains if different |
| DKIM alignment (adkim=) | strict (s) or relaxed (r) - DKIM/From domain match |
| SPF alignment (aspf=) | strict (s) or relaxed (r) - SPF/From domain match |
| Percentage (pct=) | Share of traffic subject to the policy |
| Aggregate reports (rua=) | Daily XML report destinations |
| Forensic reports (ruf=) | Per-message report destinations |
Step 3: Fix the alerts
Results are classified by severity:
- ❌ Error → Blocking issue, record is ignored
- ⚠️ Warning → Functional but improvement recommended
- ✅ Valid → Correct configuration
Fix errors in your DNS, wait for propagation, then run the inspection again.
What is DMARC?
DMARC (Domain-based Message Authentication, Reporting and Conformance) is a protocol that:
- Links SPF and DKIM to the domain visible in the From address
- Defines a policy for handling unauthenticated emails
- Generates reports to track your email authentication
The DMARC record is published as a TXT record at _dmarc.yourdomain.com.
Example DMARC record:
v=DMARC1; p=quarantine; rua=mailto:dmarc@captaindns.com; adkim=r; aspf=r; pct=100
This record indicates:
- Quarantine (spam) unauthenticated emails
- Send reports to dmarc@captaindns.com
- Use relaxed alignment for DKIM and SPF
- Apply policy to 100% of messages
What the DMARC inspector verifies
DNS resolution
| Check | Error if... |
|---|---|
| TXT record exists | No TXT at _dmarc.domain |
| DMARC record present | TXT exists but doesn't start with v=DMARC1 |
| Unique record | Multiple DMARC records (conflict) |
| No CNAME | _dmarc points to a CNAME (RFC prohibited) |
Required tags
| Tag | Check |
|---|---|
| v= | Must be DMARC1 in first position |
| p= | Must be none, quarantine or reject |
Policy and alignment
| Tag | Accepted values | Check |
|---|---|---|
| p | none, quarantine, reject | Consistent policy with maturity level |
| sp | none, quarantine, reject | If present, valid subdomain policy |
| adkim | r (relaxed), s (strict) | Valid DKIM alignment mode |
| aspf | r (relaxed), s (strict) | Valid SPF alignment mode |
| pct | 1-100 | Percentage within bounds |
Report destinations
| Tag | Check |
|---|---|
| rua | Valid mailto: format, external domain authorized |
| ruf | Valid mailto: format, external domain authorized |
External authorization: If rua or ruf points to a different domain (e.g., rua=mailto:reports@otherdomain.com), the destination domain must publish _report._dmarc.yourdomain.com to authorize reception.
Common diagnostics and solutions
DMARC_NOT_FOUND - Record missing
Cause: No TXT record exists at _dmarc.yourdomain.com
Solution:
- Create a TXT record at _dmarc.yourdomain.com
- Minimal content: v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com
- Publish and wait for DNS propagation
DMARC_MULTIPLE_RECORDS - Multiple records
Cause: More than one DMARC TXT record exists at _dmarc.yourdomain.com
Solution:
- Identify all DMARC records in your DNS
- Keep only the one you want to apply
- Delete the duplicates
MISSING_POLICY - p= tag missing
Cause: The record contains v=DMARC1 but no p= tag
Solution: Add a policy: v=DMARC1; p=none; ...
INVALID_RUA_URI - Invalid report URI
Cause: The rua tag contains a malformed address
Fix examples:
- rua=reports@captaindns.com # Missing mailto:
+ rua=mailto:reports@captaindns.com
- rua=mailto: reports@captaindns.com # Space not allowed
+ rua=mailto:reports@captaindns.com
EXTERNAL_REPORT_ADDRESS - External authorization required
Cause: The rua or ruf address uses a different domain than the DMARC domain
Solution: The destination domain (otherdomain.com) must publish:
_report._dmarc.yourdomain.com TXT "v=DMARC1"
This record authorizes report reception for yourdomain.com.
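The checks and diagnostic codes listed above can be run offline against TXT strings already fetched from _dmarc.<domain>. This is an added example, not CaptainDNS's code: `inspect_dmarc`, `parse_tags`, `INVALID_TAG_VALUE` and `INVALID_RUF_URI` are hypothetical names, the sample records in the test are constructed, and the external-address check compares domains exactly, which is a simplification.

```python
import re

# DMARC_NOT_FOUND, DMARC_MULTIPLE_RECORDS, MISSING_POLICY, INVALID_RUA_URI and
# EXTERNAL_REPORT_ADDRESS are the page's diagnostic names; INVALID_TAG_VALUE and
# INVALID_RUF_URI are hypothetical names added for this example.
ALLOWED = {
    "p": {"none", "quarantine", "reject"},
    "sp": {"none", "quarantine", "reject"},
    "adkim": {"r", "s"},
    "aspf": {"r", "s"},
    "pct": {str(n) for n in range(1, 101)},  # bounds as given in the table above
}
# mailto: URI with no whitespace; an optional "!10m" style size suffix is accepted.
MAILTO = re.compile(r"^mailto:[^\s@,!]+@([A-Za-z0-9.-]+)(![0-9]+[kmgt]?)?$")


def parse_tags(record):
    """Split 'v=DMARC1; p=none; ...' into an ordered list of (tag, value)."""
    pairs = []
    for part in record.split(";"):
        if part.strip():
            tag, _, value = part.partition("=")
            pairs.append((tag.strip().lower(), value.strip()))
    return pairs


def inspect_dmarc(domain, txt_records):
    """Return diagnostic codes for the TXT strings published at _dmarc.<domain>."""
    # Only records whose first tag is v=DMARC1 count as DMARC records.
    dmarc = [r for r in txt_records if parse_tags(r)[:1] == [("v", "DMARC1")]]
    if not dmarc:
        return ["DMARC_NOT_FOUND"]
    if len(dmarc) > 1:
        return ["DMARC_MULTIPLE_RECORDS"]
    tags = dict(parse_tags(dmarc[0]))
    issues = [] if "p" in tags else ["MISSING_POLICY"]
    for tag, allowed in ALLOWED.items():
        if tag in tags and tags[tag].lower() not in allowed:
            issues.append(f"INVALID_TAG_VALUE:{tag}")
    for tag in ("rua", "ruf"):
        for uri in filter(None, (u.strip() for u in tags.get(tag, "").split(","))):
            match = MAILTO.match(uri)
            if not match:
                issues.append(f"INVALID_{tag.upper()}_URI")
            elif match.group(1).lower() != domain.lower():
                # Assumption: exact domain comparison, simplified for the example.
                issues.append("EXTERNAL_REPORT_ADDRESS")
    return issues
```

An empty list means none of these checks fired; it does not cover SPF or DKIM, which the page assigns to separate tools.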
Progressing toward a strict DMARC policy
Phase 1: Observation (p=none)
v=DMARC1; p=none; rua=mailto:dmarc@captaindns.com
- No impact on deliverability
- Collect reports for 2-4 weeks
- Identify all legitimate sending sources
- Configure SPF and DKIM for each source
Phase 2: Progressive quarantine
v=DMARC1; p=quarantine; pct=10; rua=mailto:dmarc@captaindns.com
- Start with 10% of traffic
- Monitor reports for false positives
- Gradually increase: 10% → 25% → 50% → 100%
Phase 3: Reject (maximum protection)
v=DMARC1; p=reject; rua=mailto:dmarc@captaindns.com
- Unauthenticated emails are rejected
- Complete spoofing protection
- Maintain report monitoring
FAQ - Frequently asked questions
Q: What's the difference between the DMARC Inspector and the syntax validator?
A: The DMARC Inspector queries DNS to verify the published record on your domain. The syntax validator analyzes a record you paste before publishing it. Recommended workflow: validator → publication → inspector.
Q: What does "DMARC record not found" mean?
A: No TXT record exists at _dmarc.yourdomain.com. Create a TXT record with at minimum:
v=DMARC1; p=none; rua=mailto:reports@yourdomain.com
Q: Why does the inspector detect multiple DMARC records?
A: The RFC 7489 specification requires one DMARC record per domain. Multiple records create a conflict: receiving servers ignore all records. Delete duplicates immediately.
Q: What does "external rua address requires authorization" mean?
A: If your rua address points to a different domain (e.g., reports@otherdomain.com), that domain must publish an authorization record:
_report._dmarc.yourdomain.com TXT "v=DMARC1"
Q: Which DMARC policy should I choose?
A: Recommended progression:
- p=none → Observe without impact (2-4 weeks minimum)
- p=quarantine → Mark as spam (increase pct gradually)
- p=reject → Reject unauthenticated emails
Never jump straight to p=reject without report analysis.
Q: How long does it take to see DMARC changes?
A: DNS propagation depends on the TTL (Time To Live) of the record:
- TTL 3600 (1h) → 1-4 hours
- TTL 86400 (24h) → 24-48 hours
Reduce TTL before modification to speed up future propagation.
Q: Does the inspector also check SPF and DKIM?
A: No, the DMARC inspector focuses on the _dmarc record. For complete email authentication verification:
- SPF Inspector → SPF record
- DKIM Inspector → DKIM public key
- Email Tester → Complete real-world test
Complementary tools
| Tool | Purpose |
|---|---|
| DMARC Syntax Validator | Validate syntax BEFORE DNS publication |
| DMARC Generator | Create a spec-compliant DMARC record |
| SPF Inspector | Verify the domain's SPF record |
| DKIM Inspector | Verify DKIM public key |
| Email Tester | Test complete authentication with a real email |
| DNS Propagation | Check worldwide record propagation |
Useful resources
- RFC 7489 - Domain-based Message Authentication, Reporting and Conformance (DMARC) (official specification)
- Google - Set up DMARC (Gmail/Workspace guide)
- Microsoft - DMARC in Microsoft 365 (Outlook/M365 guide)
- dmarc.org - Overview (DMARC consortium documentation)
- DMARC Aggregate Report Format (rua report format)