UK’s trusted IT infrastructure partner since 2003
sales@servnetuk.com
0800 987 4111
Servnet
ToolsConfiguratorGet in Touch

DMARC checker & record generator

Look up and grade any domain’s DMARC policy — or build a correct v=DMARC1 record with the right policy, reporting and alignment. Free and instant.

DMARCp=rejectruaalign

Reads the TXT record at _dmarc.domain.

Email Security CheckerSPF CheckerDKIM CheckerDNS PropagationAll email & DNS tools

What DMARC does — and why it’s the keystone record

SPF and DKIM each authenticate part of a message, but neither tells a receiving server what to do when the checks fail, and neither is tied to the address your recipient actually sees. DMARC fixes both: it links authentication to the visible From domain (“alignment”), publishes a policy for failures, and asks receivers to send you reports. That’s why it’s the record that genuinely stops someone spoofing your exact domain — and the one most often missing.

strongerp=noneMonitor only — collect reportsp=quarantineFailing mail → spamp=rejectFailing mail blockedEscalate as your reports confirm legitimate senders pass.

The DMARC journey: start at p=none to monitor, then climb to p=reject.

The tags that matter

p= is the policy (none, quarantine or reject). rua= is where daily aggregate reports go — set this, or you’re flying blind. pct= rolls a policy out to a percentage of mail. sp= sets a separate policy for subdomains, and adkim/aspf control alignment strictness. The checker above grades each of these; the generator builds them for you.

The right way to roll out p=reject

Don’t jump straight to reject. Publish p=none with an rua address, let aggregate reports accumulate for a few weeks, and use them to find every legitimate sender — your mail platform, CRM, helpdesk, marketing and invoicing tools — and make each pass SPF or DKIM. Only then move to quarantine, and finally reject. Rushing it is the single most common way DMARC blocks real mail.

Why now

Since 2024, Google and Yahoo have required DMARC for bulk senders, with Microsoft following for Outlook.com in 2025. Combined with the relentless rise of business email compromise and invoice fraud, an enforced DMARC policy has moved from best practice to baseline. Pair this tool with the SPF checker and DKIM checker to get the full picture.

🛡️ DMARC done safely: Servnet maps your senders, monitors the reports and takes you to enforced p=reject without breaking legitimate mail. Talk to our team →

DMARC — common questions

What is a DMARC record?

DMARC (Domain-based Message Authentication, Reporting & Conformance) is a TXT record published at _dmarc.yourdomain.com. It tells receiving mail servers what to do when a message claiming to be from your domain fails SPF and DKIM alignment — deliver it (p=none), send it to spam (p=quarantine) or reject it (p=reject) — and where to send reports about it.

What does p=none, p=quarantine and p=reject mean?

p=none is monitor-only: failing mail is still delivered, but you receive reports. p=quarantine tells receivers to treat failing mail as suspicious (usually spam/junk). p=reject blocks it outright. The goal is to reach p=reject, but you start at p=none so you can see your legitimate senders in the reports before you enforce.

How do I read my DMARC reports?

The rua address receives daily aggregate XML reports listing every source sending as your domain and whether it passed SPF/DKIM. They’re hard to read raw, so most teams use a DMARC analytics service — or have a provider like Servnet monitor them — to spot legitimate senders that need fixing before tightening the policy.

What are adkim and aspf (alignment)?

Alignment controls how strictly the domain in the From header must match the domain SPF/DKIM authenticated. Relaxed (the default, r) allows subdomains to align with the parent; strict (s) requires an exact match. Most organisations leave alignment relaxed unless they have a specific reason to tighten it.

Will p=reject block my legitimate email?

It can, if a sending service (a CRM, invoicing tool or marketing platform) isn’t set up to pass SPF or DKIM for your domain. That’s exactly why you start at p=none and review the aggregate reports — so you can authorise every real sender before you move to quarantine and then reject.

Do I need DMARC if I already have SPF and DKIM?

Yes. SPF and DKIM authenticate the message, but only DMARC tells receivers what to do when they fail and ties the result to the visible From domain — which is what stops exact-domain spoofing. Without DMARC, your domain is still spoofable even with SPF and DKIM in place.

Is the generator safe to use?

Yes — the DMARC generator runs entirely in your browser. Nothing you type is sent anywhere. It produces a standard v=DMARC1 record you publish as a TXT record at _dmarc.yourdomain.com.