How to Check a DMARC Record for a Domain

FindMyTeam April 12, 2026

A practical guide to checking a DMARC record, understanding what the policy tells you, and spotting the common mistakes that leave a domain exposed or misconfigured.

DMARC is one of those records people keep hearing about, even when they are not sure what it actually does.

The short version is that DMARC tells receiving mail systems how the domain wants spoofed or unauthenticated mail to be handled.

Where DMARC lives

DMARC is usually published as a TXT record under:

_dmarc.example.com

That is the first thing to remember. If you only check TXT records at the domain apex, you can miss DMARC entirely.

What a DMARC record usually starts with

Most DMARC checks start by looking for a TXT value beginning with:

v=DMARC1

If that is missing, the domain may not have DMARC in place.

The quick way to check DMARC

Use Domain Lookup, review the TXT section, and look specifically for the _dmarc hostname and policy value.

You usually want to know:

is DMARC present?
what is the policy?
are report addresses included?
does the policy look intentional or half-finished?

What the policy usually tells you

The policy field often looks like:

p=none
p=quarantine
p=reject

In plain terms:

none usually means monitoring
quarantine is more defensive
reject is the strongest instruction

That does not mean stronger is always better on day one. A badly aligned mail setup can hurt itself if the policy is tightened too quickly.

Common DMARC problems

1. No DMARC record at all

If the domain sends or represents business mail, that is usually a weak spot.

2. DMARC exists, but it is stuck on monitoring forever

Sometimes p=none is fine during rollout. Sometimes it is really just a sign that the domain never moved past the first step.

3. DMARC looks strict, but alignment is weak

This is where senders break things. The policy may look impressive while the underlying SPF or DKIM alignment is still messy.

4. The record is published at the wrong name

If _dmarc is missing and the value is parked at the wrong hostname, it does not count.

DMARC is not useful on its own

A DMARC check should usually sit beside:

SPF
DKIM
the actual sending pattern of the domain

That is why these guides belong together:

What a good DMARC check asks

Not just:

“Is there a DMARC record?”

But:

is it present?
is it published at the right name?
what does the policy actually say?
does it match the maturity of the mail setup?

That last part matters. A record can exist and still reflect a half-done rollout.

The short version

If you want to check DMARC properly, confirm:

_dmarc exists
the value starts with v=DMARC1
the policy is intentional
the rest of the mail-auth setup can support it

That turns a DMARC lookup from a box-tick into something operationally useful.

Continue reading

Stay in the same investigation track with these closely related guides.

How to Check a DKIM Record

Check the selector and DNS record that back the signing layer instead of treating DKIM like a vague status label.

Explore

What Is DMARC?

Understand alignment, policy, and reporting before you turn a DMARC record into an operational decision.

Explore

SPF vs DKIM vs DMARC

Separate the three major mail-auth layers so they stop sounding interchangeable.

Explore

Tools mentioned in this article

Run the same diagnostics to follow along with the guide.

IP Lookup & Threat Scanner

Inspect IP carriers, ASNs, and security posture in real time.

Explore

Domain Reputation Lookup

Verify WHOIS, DNS, SSL, and safety signals for any hostname.

Explore

Website Performance

Measure document timings, PageSpeed snapshots, and delivery overhead.

Explore