
DMARC Record Checker

Check your domain's DMARC policy, see what it actually does, and generate a valid record.

Looks up the TXT record at _dmarc.<domain> and explains every tag.

Generate a DMARC record

Build a valid DMARC TXT record. Start with a monitoring policy, review aggregate reports for a few weeks, then tighten.

  • Aggregate report address (rua): An email address that will receive daily aggregate reports. Many people use [email protected] or their admin email.
  • Policy (p): Start with none while you review reports, then tighten to quarantine and eventually reject.

Advanced options

  • Subdomain policy (sp): Override the policy for subdomains. Leave on "inherit" unless you need different treatment.
  • Percentage (pct): Percentage of messages the policy applies to. Useful for gradual rollout. Leave blank for the default 100%.
  • Failure report address (ruf): Optional. Receives per-message failure reports. Most receivers no longer send these.

What is DMARC?

DMARC (Domain-based Message Authentication, Reporting and Conformance) is a DNS policy that tells receiving mail servers what to do with messages that fail SPF or DKIM authentication, and where to send reports about your domain's email traffic.

DMARC builds on top of SPF and DKIM — it doesn't authenticate messages itself. Instead, it lets you say "messages claiming to be from my domain must pass SPF and/or DKIM with matching domain alignment; if they don't, do X, and email me reports about it."

What this checker tests

  • Whether a DMARC record exists at _dmarc.<yourdomain>
  • Whether the syntax is valid (required v and p tags, no invalid values)
  • Whether multiple DMARC records exist (a common misconfiguration)
  • What enforcement policy is in effect (none, quarantine, reject)
  • Whether aggregate report addresses (rua) are configured
  • SPF and DKIM alignment modes
  • Coverage percentage (pct) and any partial-rollout implications
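The checks listed above can be expressed as a short evaluator. This is an added example, not this tool's own code: it takes the TXT strings already fetched from _dmarc.<domain> (no DNS lookup is performed), and the function names, finding messages and sample records are assumptions constructed for illustration.

```python
VALID_POLICIES = {"none", "quarantine", "reject"}

def parse_tags(record):
    """Split 'tag=value; tag=value' into an ordered list of (tag, value)."""
    pairs = []
    for part in record.split(";"):
        if "=" in part:
            tag, value = part.split("=", 1)
            pairs.append((tag.strip().lower(), value.strip()))
    return pairs

def check_dmarc(txt_records):
    """Evaluate the TXT strings published at _dmarc.<domain>."""
    parsed = [parse_tags(r) for r in txt_records]
    # Only records whose first tag is v=DMARC1 count as DMARC records.
    dmarc = [dict(p) for p in parsed if p and p[0] == ("v", "DMARC1")]
    if not dmarc:
        return {"policy": None, "findings": ["no DMARC record found"]}
    if len(dmarc) > 1:
        return {"policy": None, "findings": ["multiple DMARC records: no policy applied"]}
    tags, findings = dmarc[0], []
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        return {"policy": None, "findings": [f"missing or invalid p tag: {policy!r}"]}
    if "sp" in tags and tags["sp"].lower() not in VALID_POLICIES:
        findings.append(f"invalid sp value: {tags['sp']!r}")
    if not tags.get("rua"):
        findings.append("no rua: aggregate reports will not be sent")
    for tag in ("adkim", "aspf"):  # alignment defaults to relaxed ("r")
        mode = tags.get(tag, "r").lower()
        if mode not in ("r", "s"):
            findings.append(f"invalid {tag} value: {mode!r}")
    pct = tags.get("pct", "100")  # default coverage is 100%
    if not pct.isdecimal() or int(pct) > 100:
        findings.append(f"invalid pct value: {pct!r}")
    elif int(pct) < 100 and policy != "none":
        findings.append(f"partial rollout: {policy} applies to {pct}% of messages")
    return {"policy": policy, "findings": findings}

# Constructed sample inputs (not real DNS data).
SAMPLES = [
    ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"],
    ["v=DMARC1; p=quarantine; pct=25"],
    ["v=DMARC1; p=none", "v=DMARC1; p=reject"],
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", check_dmarc(sample))
```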

DMARC policies explained

p=none — monitor mode

The receiving server takes no action based on DMARC, but still sends you reports. Start here when first deploying DMARC: you'll see which servers are sending mail "as" your domain — including legitimate ones you may have forgotten about — without risking real mail being lost.

p=quarantine — route to spam

Messages that fail DMARC are delivered to spam/junk. Use this after a few weeks of monitoring once you're confident your legitimate senders all pass.

p=reject — block outright

The strictest setting — failing messages are rejected at the SMTP level. Use this only when you're certain your DMARC is correctly authorizing every legitimate sender. This is required by Gmail and Yahoo for bulk senders as of 2024.

The reporting tags (rua and ruf)

rua sets the email address(es) that receive aggregate reports — daily XML summaries of how many messages from your domain passed or failed DMARC, broken down by sending IP. Without rua, you're flying blind. Many people use a dedicated mailbox like [email protected] or a third-party service like Postmark DMARC, Valimail, or dmarcian.

ruf sets addresses for forensic (per-failure) reports. These contain individual failing messages with PII, so most major mailbox providers (Gmail, Microsoft) no longer send them. You can usually skip this.

Frequently Asked Questions

Where do I publish my DMARC record?

DMARC is a TXT record published at _dmarc.yourdomain.com. In most DNS panels you enter the host as _dmarc (the bare label) and the panel appends your root domain automatically.

Do I need SPF and DKIM before I add DMARC?

You should have at least one of them passing first. DMARC requires either SPF or DKIM to pass with domain alignment for a message to pass DMARC. If neither is set up, every message will fail DMARC — so start with p=none to avoid losing real mail.

What does "alignment" mean?

Alignment means the domain that SPF or DKIM authenticated must match the domain in the visible From: header. Relaxed alignment allows the organizational domain to match (so mail.example.com aligns with example.com). Strict alignment requires an exact match. Relaxed is the default and almost always what you want.

How long should I stay at p=none?

Review aggregate reports for at least 2–4 weeks. Make sure all your legitimate sending sources (your mail provider, marketing tools, transactional services, automated systems) are passing DMARC with the right alignment, then move to p=quarantine with pct=25 or so for gradual rollout, then ramp up.

What if my domain has no email?

If your domain never sends email, publish a strict DMARC record: v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s;. This makes it harder for spammers to spoof your domain in phishing attacks.

Can I have more than one DMARC record?

No. RFC 7489 explicitly requires exactly one DMARC record per domain. If multiple v=DMARC1 records exist at _dmarc.<domain>, receivers treat the domain as having no DMARC policy at all. Merge them into a single record.
