Free SPF, DKIM & DMARC Checker
Enter any domain below to instantly check its DMARC policy, SPF record, and DKIM alignment settings. Get a scored breakdown across 8 categories with clear, actionable recommendations to improve your email security posture.
Want to check your primary and alternate brand domains together? Use the Security Grade for a full domain trust assessment across all security layers.
What Is DMARC?
DMARC (Domain-based Message Authentication, Reporting & Conformance) is an email authentication protocol that protects your domain from spoofing, phishing and business email compromise. It builds on SPF and DKIM to give domain owners control over what happens when an email fails authentication.
Understanding DMARC Tags
| Tag | Purpose | Values |
|---|---|---|
| p= | Policy for the domain | none (monitor only), quarantine (mark as spam), reject (block delivery) |
| sp= | Policy for subdomains | Same values as p=. Defaults to the p= value if not set |
| pct= | Percentage of mail subject to policy | 1-100. Leave at 100 (the default). We do not recommend ramping pct as a rollout strategy |
| rua= | Where to send aggregate reports | mailto: address. Required for visibility into who is sending as your domain |
| ruf= | Where to send forensic reports | mailto: address. Contains message content, which raises GDPR concerns. Most providers do not send these |
| adkim= | DKIM alignment mode | r (relaxed, default) allows subdomain DKIM signing. s (strict) requires exact domain match |
| aspf= | SPF alignment mode | r (relaxed, default) allows subdomain Return-Paths. s (strict) requires exact domain match |
| fo= | Failure reporting options | 0 (default, report when both SPF and DKIM fail), 1 (report when either fails) |
Why You Need DMARC
- Prevent Phishing: Stop attackers from sending emails that appear to come from your domain.
- Improve Deliverability: Major providers like Google and Microsoft prioritise domains with strong DMARC policies.
- Regulatory Compliance: DMARC is increasingly required by regulations including PCI-DSS v4 and the UK NCSC.
- Brand Protection: Protect your brand reputation from domain spoofing attacks. DMARC stops spoofing of your exact domain, but attackers can also register lookalike domains. Scan for these with our Lookalike Domain Scanner.
UK MSP DMARC Audit: Q1 2026
We used this tool to audit the DMARC posture of 192 UK Managed Service Providers. Only 5% achieved an Excellent rating when brand domain protection was factored in. Read the full findings in our UK MSP DMARC Audit: Q1 2026, including regional breakdowns, monitoring tool correlations, and what the NCSC Mail Check retirement means for UK organisations.
Need Ongoing DMARC Monitoring?
This free tool is perfect for quick checks. But a one-off scan cannot tell you who is sending email as your domain right now. With ShieldMarc monitoring, you get parsed DMARC aggregate reports, sender visibility, alignment tracking, and alerts when something changes. Join the early access list to get onboarded before launch with up to 90 days free.
Want a complete picture?
Our Security Grade scans DMARC, SPF, SSL/TLS, DNSSEC, registration, and expiry across your primary and alternate brand domains in one click.
Frequently Asked Questions
How long does it take for a DMARC record to work?
DMARC records take effect as soon as they propagate through DNS, typically within minutes to a few hours. However, you will not start receiving aggregate reports until email receivers process messages sent from your domain, which usually takes 24 to 48 hours.
Should I start with p=none or p=reject?
For domains that actively send email, start with p=none and configure rua= reporting. Monitor your reports for 2 to 4 weeks to identify all legitimate sending sources, then move to p=quarantine and finally p=reject. For domains that do not send email (parked or defensive), go straight to p=reject.
Can DMARC break my email?
A DMARC policy of p=quarantine or p=reject will affect emails that fail authentication. This is why monitoring with p=none first is important: it lets you identify and fix legitimate senders (marketing platforms, CRMs, etc.) before enforcement. Emails sent directly from your mail provider (Google Workspace, Microsoft 365) are almost always aligned and will not be affected.
Do I need both SPF and DKIM for DMARC?
DMARC requires only one of SPF or DKIM to pass and align. However, best practice is to configure both. SPF validates the sending server, while DKIM validates the message content. Having both provides redundancy and improves deliverability.
What is a good DMARC score?
Our checker scores domains from 0 to 100. A score of 90+ (Excellent) means your domain has strong enforcement with p=reject, strict alignment, and active reporting. Use the Security Grade for a broader assessment that includes SSL, DNSSEC, MTA-STS, and more.
Why does my SPF score the same with ~all and -all?
For DMARC scoring purposes, both ~all (soft fail) and -all (hard fail) receive the same points because DMARC enforcement handles rejection at the policy level. However, the Security Grade evaluates them differently: non-mail domains require strict -all to reach higher trust levels.