Mimecast Logo
Schedule a Demo
Start Free Trial

    DMARC Check

    DMARC Free Trial
    DMARC record check
    DMARC Free Trial
    DMARC Record Checker

    Use the DMARC record checker tool to validate
    your DMARC records

    In order to implement DMARC you need a valid DMARC record. At Mimecast we provide a free and easy to use DMARC Record Checker to display your DMARC record, test it and verify that it is valid. To perform a DMARC record check you will only need to provide your domain name. The DMARC Record Check will then parse your DMARC record and display the DMARC record along with additional information.

    Use the DMARC Record Checker to test and lookup your DMARC record. The DMARC Record Checker will also verify and test if you are using external domains.


    Using the DMARC record checker

    When a domain is submitted, the DMARC record checker will lookup the DMARC record from the DNS. The DMARC record checker gives an error message if no record is available or if it’s not valid. If a record is found, the DMARC record checker will display the DMARC policy (monitor, quarantine or reject). Read more about the DMARC Policies. Please check the tags that are used within the table below . After performing a DMARC Record check, any problems will be displayed in the result. Use the DMARC Record Checker to test and lookup your DMARC record. The DMARC Record Checker will also verify and test if you are using external domains.


    Protected by reCAPTCHA. Google Privacy Policy and Terms of Service apply.

    Your results

    Full DMARC record

    Declared tags

    Tag Value Description

    Defaulted tags

    Tag Value Description
    Tag Value Description
    v DMARC protocol version.
    p Apply this policy to email that fails the DMARC check. This policy be set to 'none', 'quarantine', or 'reject'. 'none' is used to collect the DMARC report and gain insight into the current emailflows and their status.
    rua A list of URIs for ISPs to send XML feedback to. NOTE: this is not a list of email addresses. DMARC requires a list of URIs of the form 'mailto:test@example.com'.
    ruf A list of URIs for ISPs to send forensic reports to. NOTE: this is not a list of email addresses. DMARC requires a list of URIs of the form 'mailto:test@example.org'.
    pct The percentage tag instructs ISPs to only apply the DMARC policy to a percentage of failing email's. 'pct = 50' will tell receivers to only apply the 'p = ' policy 50% of the time against email's that fail the DMARC check. NOTE: this will not work for the 'none' policy, but only for 'quarantine' or 'reject' policies.
    fo 0 Forensic options. Allowed values: '0' to generate reports if both DKIM and SPF fail, '1' to generate reports if either DKIM or SPF fails to produce a DMARC pass result, 'd' to generate report if DKIM has failed or 's' if SPF failed.
    rf afrf The reporting format for forensic reports. This can be either 'afrf' or 'iodef'.
    adkim r Specifies the 'Alignment Mode' for DKIM signatures, this can be either 'r' (Relaxed) or 's' (Strict). In Relaxed mode also authenticated DKIM signing domains (d=) that share a Organizational Domain with an emails From domain will pass the DMARC check. In Strict mode an exact match is required.
    aspf r Specifies the 'Alignment Mode' for SPF, this can be either 'r' (Relaxed) or 's' (Strict). In Relaxed mode also authenticated SPF domains that share a Organizational Domain with an emails From domain will pass the DMARC check. In Strict mode an exact match is required.
    sp p=value This policy should be applied to email from a sub-domain of this domain that fail the DMARC check. Using this tag domain owners can publish a 'wildcard' policy for all subdomains.
    ri 86400 The reporting interval for how often you'd like to receive aggregate XML reports. This is a preference and ISPs could (and most likely will) send the report on different intervals (normally this will be daily).

    Would you like your results emailed to you?

    Congratulations!

    Your form has been submitted.

    About DMARC Analyzer

    Mimecast DMARC Analyzer

    Mimecast DMARC Analyzer is a user-friendly and expert guide to help organizations implement DMARC test procedures and reject policies as fast as possible. Offered as a SaaS-based solution, DMARC analyzer empowers organizations to manage complex DMARC test deployment projects more easily and delivers 360° visibility and governance across all email channels.

    With DMARC analyzer, organizations can:

    • Deploy DMARC with greater speed and less complexity – without the need for professional services.
    • Authenticate email messages more easily and improve on deliverability.
    • Use self-service email intelligence tools to implement DMARC check policies on the gateway.
    • Receive alerts, reports and charts to help monitor enforcement and ongoing performance.
    FAQs

    More Information about DMARC

    Originally the email authentication techniques DKIM and SPF helped to protect domains from malicious attacks. However cyber criminals can bypass these security measures. DMARC creates a link between SPF & DKIM in order to fully secure the domain and email channel. When a domain owner publishes a DMARC record into their DNS record, they will gain insight in who is sending email on behalf of their domain. This information can be used to get detailed information about the email channel. With this information a domain owner can get control over the email sent from the domain of the organization. An enforced DMARC record can be published to protect the domains against abuse in phishing or spoofing attacks. Please read more about DMARC.

    What is DMARC?

    DMARC – or Domain-based Message Authentication, Reporting and Conformance – is a protocol for email authentication, policy and reporting. Designed to help prevent email impersonation, DMARC allows senders to let recipients know that messages are protected by Sender Policy Framework and DomainKeys Identified Message (DKIM) protocols and provides instructions for how to handle messages that don't pass either of these authentication methods.

    What is a DMARC check?

    DMARC enables receiving mail servers to check for alignment between the domain names in the "header from" and the "envelope from" information in an email using SPF authentication, and between the "header from" domain name and the "d= domain name" in the DKIM signature. If a message fails both SPF and DKIM authentication and alignment, a receiving mail server can perform a DMARC check of the sender's DMARC policy to determine whether the email message should be accepted, blocked or quarantined.

    What is a DMARC record?

    A DMARC record is a DNS TXT record that is published in a domain's DNS database. A DMARC record tells receiving mail servers how to process messages that don't authenticate with SPF and/or DKIM. A DMARC policy may require that unauthenticated messages be quarantined, blocked or allowed to be sent on to the intended recipient. A DMARC record also reports information back to the domain owner about which messages authenticate, which don't and why.

    What is a DMARC record check?

    In order to implement DMARC, organizations need a valid DMARC record. A DMARC record check is a tool that displays an organization's DMARC record while testing and verifying it to determine whether it's valid. Mimecast offers a free DMARC record check service that will test and parse a DMARC record and display it along with additional information.

    What does DMARC compliant mean?

    By authenticating email channels with DKIM and or SPF an organization can pass the DMARC check and become DMARC complaint. To become DMARC compliant, DKIM and or SPF must be set up aligned. Note that only DKIM or SPF must be set to be DMARC compliant. Read more about DMARC Compliant means.

    Why DMARC reports are important?

    The SPF, DKIM, and DMARC alignment status is included within DMARC Aggregate reports. These Aggregate (RUA) reports are providing information on messages that are sent on behalf of a specific domain. These reports are needed in order to be able to gain insights into email channels that are sending email on behalf of a domain. With this information DMARC deployment specialists are able to determine which sending sources are legitimate and which are (possibly) malicious.

    What is a DMARC test?

    When an email server receives an incoming message, it can perform a DMARC test to determine whether the message passes SPF and/or DKIM authentication by evaluating whether the message aligns with what is known about the sender. If a message fails a DMARC test, receiving mail servers can check the sender's DMARC policy to see whether the message should be delivered to the inbox, spam folder or should be blocked.

    Combat domain spoofing and protect your brands reputation!

    Gain full visibility into all email senders using your domain to identify legitimate vs. fraudulent senders and block delivery of all unauthenticated mail.

    Get a Quote
    Glossary

    DMARC terms

    A DMARC record check performed with the DMARC Record Checker will test and declare the following tags.

    Tag Explanation
    V DMARC protocol version.
    p Apply this policy to email that fails the DMARC check. This policy be set to 'none', 'quarantine', or 'reject'. 'none' is used to collect the DMARC report and gain insight into the current email flows and their status.
    rua A list of URIs for ISPs to send XML feedback to. NOTE: this is not a list of email addresses. DMARC requires a list of URIs of the form 'mailto:test@example.com'.
    ruf A list of URIs for ISPs to send forensic reports to. NOTE: this is not a list of email addresses. DMARC requires a list of URIs of the form 'mailto:test@example.org'.
    rf The reporting format for forensic reports. This can be either “afrf” or “iodef”.
    pct The percentage tag instructs ISPs to only apply the DMARC policy to a percentage of failing email’s. “pct=50” will tell receivers to only apply the “p=” policy 50% of the time against emails that fail the DMARC check. NOTE: this will not work for the “none” policy, but only for “quarantine” or “reject” policies.
    adkim Specifies the “Alignment Mode” for DKIM signatures and can be either “r” (Relaxed) or “s” (Strict). In Relaxed mode, authenticated DKIM signing domains (d=) that share an Organizational Domain with an emails ‘From’ domain will pass the DMARC check. In Strict mode an exact match is required.
    aspf Specifies the “Alignment Mode” for SPF and can be either “r” (Relaxed) or “s” (Strict). In Relaxed mode, authenticated SPF domains that share an Organizational Domain with an emails ‘From’ domain will pass the DMARC check. In Strict mode an exact match is required.
    sp This policy should be applied to email from a sub-domain of this domain that fails the DMARC check. Using this tag, domain owners can publish a “wildcard” policy for all subdomains.
    fo Forensic options. Allowed values: “0” to generate reports if both DKIM and SPF fail, “1” to generate reports if either DKIM or SPF fails to produce a DMARC pass result, “d” to generate report if DKIM has failed or “s” if SPF failed.
    ri The reporting interval for how often you would like to receive aggregate XML reports. This is a preference and ISPs could (and most likely will) send the report at different intervals (normally this will be daily).

    Related DMARC Analyzer Resources

    03resource_.jpg
    Brand Protection

    Boohoo Group Marks Up Security With Mimecast

    Case Study
    30resource_.jpg
    Brand Protection

    Quotient Sciences Accelerates Data Protection with Mimecast

    Case Study
    38resource_.jpg
    Brand Protection

    Brand Exploit Protect integrates with Mimecast’s email and web security services to further strengthen your defenses  

    Video
    Back to Top