Free SPF, DKIM & DMARC Checker
Enter any domain below to instantly check its DMARC policy, SPF record, and DKIM alignment settings. Get an A+ to F graded breakdown across 8 categories with clear, actionable recommendations to improve your email security posture.
Want to check your primary and alternate brand domains together? Use the Security Grade for a full domain trust assessment across all security layers.
What is DMARC?
DMARC (Domain-based Message Authentication, Reporting & Conformance) is an email authentication protocol that protects your domain from spoofing, phishing and business email compromise. It builds on SPF and DKIM to give domain owners control over what happens when an email fails authentication.
Why You Need DMARC
- Prevent Phishing: Stop attackers from sending emails that appear to come from your domain.
- Improve Deliverability: Major providers like Google and Microsoft prioritise domains with strong DMARC policies.
- Regulatory Compliance: DMARC is increasingly required by regulations including PCI-DSS v4 and the UK NCSC.
- Brand Protection: Protect your brand reputation from domain spoofing attacks. DMARC stops spoofing of your exact domain, but attackers can also register lookalike domains. Scan for these with our Lookalike Domain Scanner.
UK MSP DMARC Audit: Q1 2026
We used this tool to audit the DMARC posture of 192 UK Managed Service Providers. Only 5% achieved an Excellent rating when brand domain protection was factored in. Read the full findings in our UK MSP DMARC Audit: Q1 2026, including regional breakdowns, monitoring tool correlations, and what the NCSC Mail Check retirement means for UK organisations.
Need Ongoing DMARC Monitoring?
This free tool is perfect for quick checks. But a one-off scan cannot tell you who is sending email as your domain right now. With ShieldMarc monitoring, you get parsed DMARC aggregate reports, sender visibility, alignment tracking, and alerts when something changes. Start a free trial.
Want a complete picture?
Our Security Grade scans DMARC, SPF, SSL/TLS, DNSSEC, registration, and expiry across your primary and alternate brand domains in one click.
How long does it take for a DMARC record to work?
DMARC records take effect as soon as they propagate through DNS, typically within minutes to a few hours. However, you will not start receiving aggregate reports until email receivers process messages sent from your domain, which usually takes 24 to 48 hours.
Should I start with p=none or p=reject?
For domains that actively send email, start with p=none and configure rua= reporting. Monitor your reports for 2 to 4 weeks to identify all legitimate sending sources, then move to p=quarantine and finally p=reject. For domains that do not send email (parked or defensive), go straight to p=reject.
Can DMARC break my email?
A DMARC policy of p=quarantine or p=reject will affect emails that fail authentication. This is why monitoring with p=none first is important: it lets you identify and fix legitimate senders (marketing platforms, CRMs, etc.) before enforcement. Emails sent directly from your mail provider (Google Workspace, Microsoft 365) are almost always aligned and will not be affected.
Do I need both SPF and DKIM for DMARC?
DMARC requires only one of SPF or DKIM to pass and align. However, best practice is to configure both. SPF validates the sending server, while DKIM validates the message content. Having both provides redundancy and improves deliverability.
What is a good DMARC grade?
Our checker grades domains from A+ to F. A or A+ means your domain has strong enforcement with p=reject, strict alignment, and active reporting. Use the Security Grade for a broader assessment that includes SSL, DNSSEC, MTA-STS, and more.
Why does my SPF grade the same with ~all and -all?
For DMARC purposes, both ~all (soft fail) and -all (hard fail) grade the same because DMARC enforcement handles rejection at the policy level. However, the Security Grade evaluates them differently: non-mail domains require strict -all to reach higher trust levels.