DMARC Checker (2026): How to Set Up DMARC Policy and Fix DMARC Fail
A clear DMARC guide: publish the right record, choose p=none/quarantine/reject, and fix common DMARC fail causes.
Tags
How to use DMARC Checker
DMARC is the modern standard for domain protection and email deliverability. In 2026, many receivers increasingly distrust domains that do not publish DMARC at all, especially if they send at volume. DMARC also reduces spoofing by telling receiving mail servers what to do when messages fail authentication.
Quick Answer
Publish a DMARC record at _dmarc.yourdomain.com as a TXT record. Start with p=none to collect reports, then move to p=quarantine or p=reject once SPF and DKIM are aligned. Validate the record and confirm alignment, not just pass/fail.
What DMARC Checks
DMARC uses SPF and DKIM results and then applies alignment rules. Alignment means the domain in the visible From header must match (or be a subdomain of, depending on settings) the SPF-authenticated domain and/or the DKIM signing domain. A message can pass DMARC if either SPF aligns or DKIM aligns.
How to Set Up a DMARC Record
Create a TXT record at _dmarc.yourdomain.com. A minimal starting record looks like:
v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com;
Then verify it is visible with DNS Lookup and, if needed, confirm global visibility with DNS Propagation Checker.
Choosing the Right Policy (p=none vs quarantine vs reject)
p=none is monitoring only. It does not block spoofing, but it helps you find legitimate senders you forgot about. p=quarantine tells receivers to treat failures suspiciously (often spam folder). p=reject is the strongest and blocks failing messages.
- Start with p=none for visibility and troubleshooting.
- Move to quarantine when you are confident most mail is aligned.
- Move to reject when your domain is stable and you want strong spoofing protection.
Common DMARC Fail Causes
1) SPF passes but does not align. This happens when the return-path domain is a provider domain, not your domain. SPF can pass but DMARC can fail if alignment is strict.
2) DKIM is missing or not aligned. DKIM may pass but sign with a different domain, or the sender may not be signing at all.
3) You have multiple sending services. One platform is aligned, another is not. DMARC reveals the weakest sender.
4) Incorrect DMARC syntax. Missing semicolons, invalid tags, or multiple DMARC records can cause receivers to ignore the policy.
Recommended Next Steps
DMARC is most effective when paired with correct SPF and DKIM. Before you enforce quarantine/reject, validate that your main mail streams are aligned and that you are not breaking forwarders you rely on. If you are doing DNS changes now, verify propagation and test again after caches refresh.
- DNS Lookup for DMARC TXT validation.
- DNS Propagation Checker for newly published records.
FAQ
Q: Where do I publish DMARC?
A: As a TXT record at _dmarc.yourdomain.com.
Q: Can I have more than one DMARC record?
A: No. Only one DMARC record should exist for a domain. Multiple records can cause undefined behavior or ignored policies.
Q: What is DMARC alignment?
A: It is the rule that the authenticated domain (SPF and/or DKIM) must match the visible From domain for DMARC to pass.
Q: Should I start with p=reject?
A: Usually no. Start with p=none, fix alignment issues, then gradually move to quarantine and reject.
Q: Why does DMARC fail when SPF passes?
A: Because SPF pass does not always mean alignment. DMARC cares about alignment, not only SPF success.
Q: Do I need DMARC if I do not send emails?
A: Yes, it can still protect your domain from spoofing. A reject policy is often safe if you truly do not send mail.