Skip to main content
Log in
CaptainDNS

Email Diagnostics

Tools to verify and validate your email authentication setup.

SPF
DKIM
DMARC
DMARCbis
BIMI
MTA-STS
TLS-RPT
DANE / TLSA

Deliverability

Email deliverability auditMail header analyzerEmail testerIP Blacklist CheckerDomain Blacklist CheckerSPF FlattenerDKIM Selector FinderSMTP/MX Tester

Secure & Monitor

Record generators, policy hosting and continuous monitoring.

Network & Web

Network tools, web page analysis and certificates.

IP Tools

My IP address

Detect your IPv4/IPv6 addresses and their geolocation.

Reverse lookup

Resolve a PTR record and validate DNS consistency.

IP WhoIs

Identify the owner of an IP range and its contacts.

IPv4 netmask

Calculate network, broadcast and usable hosts for any IPv4 block.

IPv6 subnet calculator

Calculate IPv6 subnets, address ranges and reverse DNS entries.

Certificates & BIMI

BIMI logo lookup

Inspect a BIMI logo URL - format, metadata and live rendering - before rollout.

BIMI SVG converter

Convert any SVG to BIMI-compliant Tiny-PS format in seconds.

CSR parser

Inspect a CSR, extract subject details, fingerprints and requested SANs.

VMC inspector

Inspect a Verified Mark Certificate - issuer, validity and SAN coverage - before you publish BIMI.

Web

Page size checker

Check if your page exceeds Google's 2 MB crawl limit.

Phishing URL Checker

Check if a URL is flagged as phishing or malware by 4 threat intelligence sources.

Redirect Checker

Analyze HTTP redirect chains

Domain Redirect

Redirect your domains with automatic HTTPS and 301/302 redirects.

Developer Tools

Text utilities and tools for everyday dev work.

Text

Transform and measure your content in seconds.

Text case converter

Convert any block of text to upper or lower case instantly.

Slug generator

Transform any sentence into an SEO-friendly slug in seconds.

Word & character counter

Measure the length of any text, with instant word and character counts.

Password generator

Generate strong random passwords and memorable passphrases instantly.

Developer

Encoding, hashing, regex and formatting for everyday dev work.

Base64 encoder / decoder

Encode or decode any content in Base64 without leaving the browser.

Hash Generator

Compute MD5, SHA-1, SHA-256 and SHA-512 hashes of any text.

URL encoder / decoder

Encode or decode text using percent-encoding (RFC 3986) right in your browser.

Regex Tester

Test a regular expression against text and visualize matches.

JSON / YAML Formatter

Format, validate and convert JSON and YAML in one click.

DMARC Validator

Validate DMARC syntax before publishing - fix errors in seconds

How do you fix DMARC syntax errors? Paste your DMARC record below and validate its syntax instantly. A DMARC syntax error means your policy is silently ignored by Gmail, Outlook, and all receiving servers.

Instant validation

Paste your DMARC record. Get the complete diagnostic in under a second, without waiting for DNS propagation.

All tags analyzed

v, p, sp, rua, ruf, adkim, aspf, pct, fo, ri, rf: every tag is extracted, validated and displayed with its interpretation.

Report URIs verified

rua and ruf destinations are checked: valid mailto/https format, correct syntax, no forbidden characters.

Clear error messages

Duplicate tag, missing policy, out-of-range percentage: each issue is identified with a clear explanation.

RFC 7489 compliant

The validator applies official DMARC specification rules. Your record will be interpreted correctly everywhere.

Why validate DMARC syntax before publishing?

A malformed DMARC record is silently ignored by all receiving servers. Gmail, Outlook, Yahoo: none will alert you. Your emails remain unprotected against spoofing and phishing.

The DMARC syntax validator analyzes your record before DNS publication. You detect errors immediately, without waiting 24-48h of propagation to discover an issue.

Common errors detected:

  • Missing v= tag → Record not recognized as DMARC
  • Missing p= policy → No handling instructions for servers
  • Invalid rua/ruf URI → Reports never received
  • Duplicate tags → Unpredictable behavior, often ignored

How to validate your DMARC record in 3 steps

Step 1: Copy the DMARC record

Prepare your complete DMARC record. Typical example:

v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@captaindns.com; adkim=r; aspf=r; pct=100

If modifying an existing record, retrieve the current value from your DNS:

dig TXT _dmarc.captaindns.com +short

Step 2: Paste and validate

Paste the record in the field above. The tool analyzes:

  • Presence of mandatory tags (v, p)
  • Validity of each tag and value
  • Report URI format (rua, ruf)
  • RFC 7489 specification compliance

Step 3: Fix and publish

The diagnostic lists each tag with its status:

  • Valid → Tag correct, ready for publication
  • Error → Fix required before publication
  • ⚠️ Warning → Functional but improvement recommended

Fix errors, validate again, then publish to your DNS.

What is a DMARC record?

DMARC (Domain-based Message Authentication, Reporting and Conformance) is a DNS TXT record published at _dmarc.yourdomain.com. It tells receiving servers:

  1. What policy to apply to emails failing SPF and DKIM
  2. Where to send reports on authentication results
  3. How to align SPF/DKIM domains with the From address

DMARC record structure:

v=DMARC1; p=reject; rua=mailto:reports@captaindns.com; ruf=mailto:forensics@captaindns.com; adkim=s; aspf=s; pct=100
TagValueMeaning
vDMARC1Protocol version (required)
prejectPolicy: reject unauthenticated emails
ruamailto:...Aggregate report destination
rufmailto:...Forensic report destination
adkimsStrict DKIM alignment
aspfsStrict SPF alignment
pct100Apply to 100% of messages

DMARC tags validated in detail

Required tags

TagAccepted valuesDescription
vDMARC1Identifies the record as DMARC. Only valid value.
pnone, quarantine, rejectPolicy for non-aligned messages from the main domain.

Optional tags

TagAccepted valuesDescription
spnone, quarantine, rejectPolicy for subdomains (inherits from p if absent).
ruamailto: or https: URIAggregate report destinations (daily XML).
rufmailto: or https: URIForensic report destinations (per message).
adkimr (relaxed), s (strict)DKIM alignment mode. Default: relaxed.
aspfr (relaxed), s (strict)SPF alignment mode. Default: relaxed.
pct1-100Percentage of messages subject to policy. Default: 100.
fo0, 1, d, sForensic report generation options.
riSecondsDesired interval between aggregate reports. Default: 86400.
rfafrf, iodefForensic report format.

Common syntax errors

Error 1: Record without v=DMARC1

Symptom: Validator shows "not_dmarc_record"

Cause: Record doesn't start with v=DMARC1

Fix:

- p=reject; rua=mailto:reports@captaindns.com
+ v=DMARC1; p=reject; rua=mailto:reports@captaindns.com

Error 2: Missing p= policy

Symptom: "missing_policy" or "empty_policy"

Cause: The p= tag is missing or empty

Fix:

- v=DMARC1; rua=mailto:reports@captaindns.com
+ v=DMARC1; p=none; rua=mailto:reports@captaindns.com

Error 3: Invalid rua/ruf URI

Symptom: "invalid_rua_uri" or "invalid_ruf_uri"

Cause: URI doesn't follow mailto: or https: format

Fix examples:

- rua=reports@captaindns.com          # Missing mailto:
+ rua=mailto:reports@captaindns.com

- ruf="mailto:forensics@captaindns.com"  # Quotes not allowed
+ ruf=mailto:forensics@captaindns.com

- rua=mailto: reports@captaindns.com  # Space not allowed
+ rua=mailto:reports@captaindns.com

Error 4: Duplicate tag

Symptom: "duplicate_tag"

Cause: A tag appears multiple times

Fix:

- v=DMARC1; p=none; p=reject; rua=mailto:reports@captaindns.com
+ v=DMARC1; p=reject; rua=mailto:reports@captaindns.com

Error 5: pct out of range

Symptom: "invalid_pct_value"

Cause: pct value is not between 1 and 100

Fix:

- v=DMARC1; p=reject; pct=0      # 0 is invalid
+ v=DMARC1; p=reject; pct=10     # Minimum is 1

- v=DMARC1; p=reject; pct=150    # >100 is invalid
+ v=DMARC1; p=reject; pct=100

DMARC deployment best practices

1. Start with p=none

Don't jump straight to p=reject. Start by observing:

v=DMARC1; p=none; rua=mailto:dmarc@captaindns.com

This policy doesn't block anything but generates reports. Analyze them for 2-4 weeks.

2. Configure rua from the start

Aggregate reports are essential for:

  • Identifying legitimate sources failing authentication
  • Detecting spoofing attempts
  • Validating progression toward p=quarantine then p=reject

3. Progress toward p=reject

Once SPF and DKIM are aligned on all legitimate sources:

  1. p=none → Observe (2-4 weeks)
  2. p=quarantine; pct=10 → Test on 10% of traffic
  3. p=quarantine; pct=50 → Gradually increase
  4. p=quarantine; pct=100 → Full quarantine
  5. p=reject → Maximum protection

4. Manage subdomains with sp=

By default, subdomains inherit the p policy. If you send emails from subdomains (marketing.captaindns.com), remember to:

  • Configure SPF/DKIM on each subdomain
  • Use sp= if the policy should differ

FAQ - Frequently asked questions

Q: Which DMARC tags are mandatory?

A: Two tags are required: v=DMARC1 (version) and p= (policy). Without these tags, the record is invalid and ignored by receiving servers. All other tags are optional.

Q: What does "missing policy" error mean?

A: The record doesn't contain the p= tag that defines the policy. Add one of three possible values:

  • p=none → No action, reports only
  • p=quarantine → Mark as spam
  • p=reject → Reject the message

Q: How do I fix a rua/ruf URI error?

A: URIs must follow the exact format mailto:address@domain.com or https://endpoint. Common errors:

  • Forgetting mailto: before the address
  • Quotes around the URI
  • Spaces in the address
  • Invalid email address

Q: What's the difference between rua and ruf?

A:

  • rua (aggregate reports): daily reports in XML format, statistical summary
  • ruf (forensic reports): per-message report on failures

Start with rua only. ruf reports generate significant traffic and may contain sensitive data.

Q: What does "pct out of range" mean?

A: The pct tag defines the percentage of messages subject to the p policy. Accepted values: 1 to 100. If you omit pct, the policy applies to 100% of messages (default behavior).

Q: Why validate before DNS publication?

A: A syntax error makes the record invalid. Receiving servers silently ignore it: you get no alert, but your emails have no DMARC protection. Always validate before any DNS modification.

Q: Does the validator check DNS publication?

A: No, this tool only validates the syntax of the record. To verify that the record is correctly published and propagated in DNS, use the DMARC Inspector after publication.

Prepare for DMARCbis

DMARCbis is the upcoming IETF Proposed Standard that replaces RFC 7489. It introduces new tags (np, t, psd), removes deprecated tags (pct, rf, ri), and replaces the Public Suffix List with a DNS tree walk algorithm. Check your domain's readiness with the DMARCbis Checker or generate a compliant record with the DMARCbis Migration Tool.

Complementary tools

ToolPurpose
DMARC InspectorVerify publication and resolve DMARC record from DNS
DMARC GeneratorCreate a spec-compliant DMARC record
SPF InspectorValidate your domain's SPF record
DKIM InspectorVerify DKIM public key and signature
Email TesterTest complete authentication by sending a real email
DMARC MonitoringAutomated, ongoing DMARC monitoring for your domains

Useful resources