DMARC record validator
Validate your DMARC policy: check enforcement level, alignment settings, reporting addresses, and subdomain coverage.
Frequently asked
What's the difference between DMARC policies?
p=none: Monitor only. Nothing is enforced; receivers send reports but don't block anything. p=quarantine: Suspicious mail goes to spam. p=reject: Unauthenticated mail is blocked entirely. Start with p=none to monitor, move to quarantine when you're confident, and reach p=reject for full protection.
Do I need both aggregate and forensic reports?
Aggregate reports (rua=) are essential — they tell you who is sending mail from your domain and whether it passes authentication. Forensic reports (ruf=) are helpful during debugging but can expose message content. Both require a receiving address, usually an external DMARC analysis service.
What does 'strict' vs 'relaxed' alignment mean?
Strict alignment requires the authenticating domain to match the From header domain exactly. Relaxed alignment also accepts subdomains of the same organizational domain. For example, a message with From: example.com that authenticates as mail.example.com passes relaxed alignment but fails strict. Strict gives stronger protection but may break legitimate subdomain setups.
Should I set a DMARC policy for subdomains?
Without sp=, subdomains inherit the main domain's policy. If you have subdomains that send email (e.g., marketing.example.com), set sp= explicitly. If you have dormant subdomains that shouldn't send mail, set sp=reject to prevent abuse — attackers love sending from unmonitored subdomains.
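The checks described in the answers above (enforcement level, subdomain coverage, alignment, reporting addresses), as an added example that is not DNScale's validator code. The function names and the sample record are constructed for illustration, and accepting only mailto: report URIs is a simplifying assumption.

```python
# Added example: offline audit of a DMARC TXT record string (no DNS lookups).
STRENGTH = {"none": 0, "quarantine": 1, "reject": 2}
# Constructed sample record, not taken from a real domain.
SAMPLE = "v=DMARC1; p=quarantine; sp=none; adkim=s; rua=mailto:dmarc@example.com"

def parse_dmarc(record):
    """Split 'tag=value; ...' into a dict; the v=DMARC1 tag must come first."""
    parts = [p.strip() for p in record.split(";") if p.strip()]
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        raise ValueError("record must start with v=DMARC1")
    tags = {}
    for part in parts:
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        tags[name.strip().lower()] = value.strip()
    return tags

def audit_dmarc(record):
    """Return (effective settings, findings) for one DMARC record."""
    tags, findings = parse_dmarc(record), []
    policy = tags.get("p", "").lower()
    sp = tags.get("sp", policy).lower()  # without sp=, subdomains inherit p=
    for name, value in (("p", policy), ("sp", sp)):
        if value not in STRENGTH:
            raise ValueError(f"missing or invalid {name}= tag: {value!r}")
    if policy == "none":
        findings.append("p=none: monitoring only, nothing is enforced")
    if "sp" not in tags:
        findings.append(f"sp= not set: subdomains inherit p={policy}")
    elif STRENGTH[sp] < STRENGTH[policy]:
        findings.append(f"sp={sp} is weaker than p={policy}")
    eff = {"p": policy, "sp": sp}
    for tag in ("adkim", "aspf"):  # alignment defaults to relaxed ("r")
        eff[tag] = tags.get(tag, "r").lower()
        if eff[tag] not in ("r", "s"):
            raise ValueError(f"invalid {tag}= value: {eff[tag]!r}")
    for tag in ("rua", "ruf"):  # this sketch accepts only mailto: report URIs
        eff[tag] = [u.strip() for u in tags.get(tag, "").split(",") if u.strip()]
        findings += [f"{tag}= has a non-mailto URI: {u}" for u in eff[tag]
                     if not u.lower().startswith("mailto:")]
    if not eff["rua"]:
        findings.append("rua= missing: no aggregate reports will arrive")
    if eff["ruf"]:
        findings.append("ruf= set: forensic reports can expose message content")
    return eff, findings

if __name__ == "__main__":
    print(audit_dmarc(SAMPLE))
```

For the sample record the audit reports that sp=none is weaker than p=quarantine, which leaves subdomains unprotected even though the main domain is enforced.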
Set up DMARC on DNScale
Built and operated in the EU. The same anycast network that powers this tool serves every DNScale-hosted zone.