Tools
DMARC Checker
Check whether a domain has a DMARC record and review the policy being published.
DMARC is published as a TXT record at _dmarc.yourdomain. This checker looks that record up, shows the policy being published and parses the common tags.
Education Host runs your lookup for this request only. It is not stored in a database by this tool, although normal server and security logs may record requests like any other website.
What is DMARC?
DMARC is an email authentication policy for a domain. It tells receiving mail servers what to do with messages that fail SPF or DKIM checks — deliver, quarantine or reject — and where to send reports about them.
It exists to make domain spoofing harder: without DMARC, anyone can put your domain in an email's From address and receivers have no instruction from you about it.
DMARC in brief
- Published as a TXT record at _dmarc.<domain>
- Builds on SPF and DKIM — at least one must pass and align
- Tells receivers how to treat failing mail (p= tag)
- Can send aggregate reports to the domain owner (rua= tag)
DMARC policy levels
Monitoring
Failing mail is delivered normally while reports give you visibility. A sensible starting point — but it does not protect the domain by itself.
Quarantine
Receivers are asked to treat failing messages with suspicion, typically placing them in spam or junk folders.
Reject
Receivers are asked to reject failing messages outright — the strongest protection, appropriate once SPF and DKIM are aligned for every legitimate sender.
DMARC only works with SPF and DKIM
DMARC does not authenticate mail by itself — it checks that a message passes SPF or DKIM and that the domain used in those checks aligns with the From address.
That is why tightening a policy needs care: every legitimate sending service (your mail platform, newsletters, ticketing systems, printers and copiers) must pass and align before quarantine or reject is safe. SPF records live in ordinary TXT records, which you can check with the Education Host DNS checker.
When is this tool useful?
Checking a domain's email authentication
Confirm whether a domain publishes DMARC at all, and what policy it asks receivers to apply.
Investigating spoofing or phishing
When someone forges your domain, the published policy determines what receivers do with the fakes.
Planning a move to quarantine or reject
Review the current record, reporting addresses and tags before tightening the policy.
After changing email providers
Confirm the record still reflects how the domain actually sends mail following a migration.
Setting up DMARC reporting
Check that a rua= address is present so aggregate reports actually reach someone.
Related tools
Part of a growing set of free Education Host checks — with more on the way.
IP Address Checker
See the public IP address your browser is using to reach this website.
Check your IP addressDNS Checker
Check DNS records for a domain, from A and MX to TXT, CAA and PTR.
Check DNS recordsBlacklist Checker
Check whether an IP address appears on common DNS-based email blacklists.
Check blacklist statusIP Lookup
Look up technical details for an IP address, including classification and reverse DNS.
Look up an IP addressWhois Lookup
Look up public domain registration information where available.
Run a Whois lookupSSL Certificate Checker
Check SSL certificate issuer, expiry date and common HTTPS details for a domain.
Check SSL certificateDMARC checker — frequently asked questions
Answers to common questions about DMARC records, policies and email authentication.
- What is DMARC?
- DMARC is an email authentication policy that tells receiving mail servers what to do with messages that fail SPF or DKIM checks for your domain, and where to send reports. It is published as a TXT record at _dmarc.<domain>.
- How do I check a DMARC record?
- Enter a domain in the checker above — it looks up the TXT record at _dmarc.<domain> and shows the policy and tags being published. Any DNS TXT lookup on that host shows the same record.
- What does p=none mean?
- p=none is a monitoring policy. Receivers deliver failing mail normally but can send reports about it — useful for visibility while SPF and DKIM are being set up, though it does not protect the domain by itself.
- What does p=quarantine mean?
- p=quarantine asks receivers to treat failing messages with suspicion, typically placing them in spam or junk folders rather than the inbox.
- What does p=reject mean?
- p=reject asks receivers to reject failing messages outright. It is the strongest protection against spoofing, and is appropriate once SPF and DKIM pass and align for every legitimate sender.
- Do I need SPF and DKIM for DMARC?
- Yes. DMARC works by checking that mail passes and aligns with SPF or DKIM — without at least one of them set up correctly, legitimate mail will fail DMARC.
- Why is my DMARC record missing?
- Either no record has been published, or it sits at the wrong host or contains a typo — it must be a TXT record at _dmarc.<domain> starting with v=DMARC1. Recent DNS changes can also take time to propagate.
- Does Education Host store DMARC checks?
- This tool runs your check for the current request and does not store it in a database. Normal server and security logs may record requests like any other website.
