Free DMARC Record Checker
DMARC, SPF and DKIM are the three DNS records that protect your domain from email spoofing and phishing. When misconfigured, attackers can send emails that appear to come from your domain — targeting your customers or employees. Use masoSec to check your email security instantly.
→ Check Your DMARC/SPF/DKIM FreeWhat do SPF, DKIM and DMARC check?
| Record | What it does | Risk if missing |
|---|---|---|
| SPF | Lists servers authorized to send email for your domain | Anyone can send email from your domain |
| DKIM | Cryptographic signature on outgoing email | Emails can be tampered in transit |
| DMARC | Policy for what happens when SPF/DKIM fail | Spoofed emails reach inboxes unchallenged |
What a good DMARC check looks like
example.com — Email Security
PASS SPF record found — v=spf1 include:_spf.google.com ~all
PASS DKIM configured for google._domainkey
PASS DMARC policy: reject — spoofed emails are blocked
PASS MX records valid — mail delivery configured correctly
Common DMARC failures and what they mean
FAIL No DMARC record found
Your domain has no DMARC policy. Attackers can spoof your email address with no restrictions. This is the most critical email security gap. Fix: add a _dmarc TXT record to your DNS.
v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com
WARNING DMARC policy is "none"
You have a DMARC record but with p=none, meaning no action is taken on spoofed emails — only reports are generated. This is the first step, but you should move to quarantine or reject once you've analyzed your email flows.
FAIL No SPF record
Without SPF, receiving mail servers have no way to verify that email from your domain was sent by an authorized server.
v=spf1 include:_spf.google.com ~all
WARNING SPF uses +all
Using +all instead of ~all or -all means all servers are authorized to send email for your domain — effectively defeating SPF entirely.
How to fix DMARC step by step
- Add SPF — Add a TXT record for your domain listing your authorized mail servers
- Enable DKIM — Configure DKIM in your email provider (Google Workspace, Microsoft 365, etc.) and add the public key to DNS
- Add DMARC with p=none — Start in monitoring mode, receive reports to your email
- Analyze reports for 2-4 weeks — Check what sources are sending email for your domain
- Move to p=quarantine — Failed emails go to spam
- Move to p=reject — Failed emails are blocked entirely
Monitor your email security automatically
masoSec checks your DMARC, SPF, DKIM and MX records automatically on a schedule and alerts you if anything breaks or degrades. Never miss a configuration drift.
→ Start Free Email Security MonitoringFrequently asked questions
How do I check my DMARC record?
Run a DNS lookup for _dmarc.yourdomain.com TXT record, or use masoSec's free email security scanner which checks DMARC, SPF, DKIM and MX records in one scan.
Does DMARC reject affect legitimate email?
If SPF and DKIM are correctly configured for all your sending sources (email provider, marketing tools, etc.), DMARC reject only blocks spoofed emails from unauthorized sources.
What is a DMARC aggregate report?
Reports (rua) sent to your email showing which servers sent email for your domain, how much passed/failed SPF and DKIM. Essential for transitioning from none to reject.