Published: April 2026 · 8 min read
Enter your domain at korpo.pro and get an instant DMARC check plus 5 other authentication records — free.
Check Your Domain →DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an email authentication protocol that builds on SPF and DKIM. It tells email receivers what to do when an email fails authentication checks — quarantine it, reject it, or do nothing.
Without DMARC, anyone can send emails that appear to come from your domain. With DMARC, you can:
Since 2024, both Gmail and Yahoo require DMARC for bulk senders. If you send more than 5,000 emails per day and don't have DMARC, your emails go straight to spam.
Use our free tool to check your DMARC record in seconds:
curl https://korpo.pro/api/v1/check/yourdomain.com
Or check from the command line:
dig TXT _dmarc.yourdomain.com
A valid DMARC record looks like:
v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com; pct=100; adkim=s; aspf=s
DMARC works by aligning two other authentication mechanisms:
SPF specifies which IP addresses are allowed to send email from your domain. It's a DNS TXT record on your root domain.
DKIM adds a cryptographic signature to your emails. The public key is published in DNS.
DMARC tells receivers: "If SPF or DKIM fails, here's what to do." You set a policy of none (monitor only), quarantine (send to spam), or reject (block entirely).
This is the most common problem. Over 60% of domains don't have DMARC configured. Without it, email providers make their own decisions about your emails.
p=noneA p=none policy means "monitor but don't take action." It's fine for initial rollout, but you should escalate to p=quarantine then p=reject within 30-60 days.
Without rua=mailto:user@domain.com, you don't get aggregate reports about email authentication failures. You're flying blind.
The DMARC record must be at _dmarc.yourdomain.com, not _dmarc.sub.yourdomain.com (unless you're setting subdomain policy separately).
Even if SPF and DKIM both pass, DMARC can fail if the domains don't align. The "return-path" domain (SPF) and "d=" tag (DKIM) must match the "From" domain.
Add a TXT record to your DNS:
Host: _dmarc Value: v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com; pct=100
Within 24-48 hours, you'll start receiving DMARC aggregate reports at the email address in your rua tag. These XML reports show:
After 2-4 weeks with p=none and all legitimate sources identified:
p=quarantine; pct=25 (quarantine 25% of failures)pct=50, then pct=100p=reject; pct=100Our free API checks DMARC, SPF, DKIM, MTA-STS, TLS-RPT, and BIMI — all in one call. Get your deliverability score in seconds.
Check Your Domain Free →DMARC reports come as XML files attached to emails. They're hard to read manually. You can:
parsedmarc can visualize reportsEmail providers (Gmail, Outlook, Yahoo) will make their own decisions about emails that fail SPF or DKIM. Your emails may go to spam or be silently dropped.
Yes, if you set p=reject too early. Always start with p=none to monitor, then gradually escalate.
Yes. You can set a separate sp (subdomain policy) tag, or DMARC inherits the root domain policy by default.
p=quarantine and p=reject?quarantine sends failing emails to spam. reject blocks them entirely. For most businesses, reject is the end goal once you've verified all legitimate senders.
Use our free API:
curl https://korpo.pro/api/v1/check/anydomain.com
Or visit korpo.pro and enter the domain.
Free instant check for DMARC, SPF, DKIM, MTA-STS, TLS-RPT, and BIMI.
Check Your Domain →