DMARC record lookup
DMARC tells receivers what to do with mail that fails SPF or DKIM (`none`, `quarantine`, `reject`) and where to send aggregate reports. Stored as TXT at `_dmarc.<domain>`.
How to look it up
Four ways to query — pick by what's available on your machine.
dig:

```shell
dig TXT _dmarc.example.com +short
```

dotdig:

```shell
dotdig dmarc example.com
```
Sample response
```text
"v=DMARC1; p=reject; rua=mailto:dmarc@example.com; pct=100; aspf=r; adkim=r"
```
Format
Required fields: `v=DMARC1`, `p=`. Common: `rua=` (aggregate reports), `ruf=` (forensic reports), `pct=` (% of mail to enforce), `aspf=`/`adkim=` (alignment mode r=relaxed, s=strict).
Common pitfalls
- Going straight from no-DMARC to `p=reject` is risky — legit mail with broken alignment gets rejected. Roll out via `p=none` → `p=quarantine` → `p=reject` over weeks.
- Subdomains inherit policy unless `sp=` is set. `sp=quarantine` while `p=reject` is common during rollout.
- Reports go to `rua=mailto:` addresses. Most domains receive 100s/day — set up parsing or a service (DMARC Analyzer, Valimail) before publishing `rua`.
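The following is an added example, not code from this page or from dotdig: a small parser and audit for the record format described under "Format", with checks for the pitfalls listed above (missing `rua=`, subdomain inheritance without `sp=`, bad `pct=` or alignment values). It takes the TXT string you get back from `dig` or `dotdig` as input, so it needs no network; the `BROKEN_RECORD` value is constructed for contrast and is not from the page.

```python
# Added example, not the page's or dotdig's own code: parse a DMARC TXT record
# the way a receiver would and flag the format and rollout issues listed above.
from __future__ import annotations

REQUIRED_TAGS = ("v", "p")
POLICIES = {"none", "quarantine", "reject"}
ALIGNMENT_MODES = {"r", "s"}

# The page's sample response, exactly as dig prints it (quotes included).
SAMPLE_RECORD = '"v=DMARC1; p=reject; rua=mailto:dmarc@example.com; pct=100; aspf=r; adkim=r"'
# A constructed record with several deliberate mistakes, for contrast.
BROKEN_RECORD = "v=DMARC1; p=quarantine; sp=block; pct=150; adkim=x; rua=https://reports.example.net"


def parse_dmarc(record: str) -> dict[str, str]:
    """Split 'tag=value; tag=value' into a dict keyed by lower-cased tag name.

    Strips the surrounding quotes dig prints. Raises ValueError for a tag
    without '=', a duplicated tag, or a record that does not start with
    v=DMARC1 (receivers ignore such records, so treat them as absent).
    """
    tags: dict[str, str] = {}
    order: list[str] = []
    for part in record.strip().strip('"').split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate a trailing ';'
        if "=" not in part:
            raise ValueError(f"tag without value: {part!r}")
        key, _, value = part.partition("=")
        key = key.strip().lower()
        if key in tags:
            raise ValueError(f"duplicate tag: {key}")
        tags[key] = value.strip()
        order.append(key)
    if not order or order[0] != "v" or tags["v"].upper() != "DMARC1":
        raise ValueError("record must begin with v=DMARC1")
    return tags


def audit_dmarc(record: str) -> list[tuple[str, str]]:
    """Return (level, message) findings.

    'error' means receivers will reject or ignore the record, 'warn' means
    it is valid but operationally risky, 'info' is behaviour worth knowing.
    """
    try:
        tags = parse_dmarc(record)
    except ValueError as exc:
        return [("error", str(exc))]

    findings: list[tuple[str, str]] = []
    for tag in REQUIRED_TAGS:
        if tag not in tags:
            findings.append(("error", f"missing required tag {tag}="))

    policy = tags.get("p")
    if policy is not None and policy not in POLICIES:
        findings.append(("error", f"unknown policy p={policy}"))

    # Subdomains inherit p= unless sp= overrides it.
    sub_policy = tags.get("sp")
    if sub_policy is not None and sub_policy not in POLICIES:
        findings.append(("error", f"unknown subdomain policy sp={sub_policy}"))
    elif sub_policy is None and policy in POLICIES:
        findings.append(("info", f"no sp= tag: subdomains inherit p={policy}"))

    # pct= defaults to 100; the unsampled share gets the next weaker policy.
    pct = tags.get("pct", "100")
    if not (pct.isdigit() and 0 <= int(pct) <= 100):
        findings.append(("error", f"pct must be an integer 0-100, got {pct!r}"))
    elif int(pct) < 100 and policy in ("quarantine", "reject"):
        findings.append(("info", f"pct={pct}: unsampled mail gets the next weaker policy"))

    for tag in ("aspf", "adkim"):
        mode = tags.get(tag)
        if mode is not None and mode not in ALIGNMENT_MODES:
            findings.append(("error", f"{tag} must be r (relaxed) or s (strict), got {mode!r}"))

    # Report URIs must be mailto:, and without rua= you fly blind during rollout.
    for tag in ("rua", "ruf"):
        uris = tags.get(tag)
        if uris is None:
            continue
        bad = [u.strip() for u in uris.split(",") if not u.strip().lower().startswith("mailto:")]
        if bad:
            findings.append(("error", f"{tag}= must use mailto: URIs, got {bad}"))
    if "rua" not in tags:
        findings.append(("warn", "no rua= tag: no aggregate reports, so alignment failures stay invisible"))
    return findings


def is_valid(record: str) -> bool:
    """True when the record has no 'error' findings."""
    return not any(level == "error" for level, _ in audit_dmarc(record))


if __name__ == "__main__":
    for name, rec in (("sample", SAMPLE_RECORD), ("broken", BROKEN_RECORD)):
        print(f"{name}: valid={is_valid(rec)}")
        for level, msg in audit_dmarc(rec):
            print(f"  [{level}] {msg}")
```

Run it on the output of `dig TXT _dmarc.<domain> +short`; the page's sample record comes back valid with one informational note (no `sp=`, so subdomains inherit `p=reject`), while the constructed broken record produces four errors. If dig prints a long record as several quoted strings, join them before parsing.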
Why it matters for security
DMARC at `p=reject` is the only DNS-level defense against domain spoofing in mail. Without DMARC, attackers can forge `from: ceo@yourcompany.com` even if SPF/DKIM exist.
Use cases
- Phishing protection rollout
- Compliance audits (NIST 800-53, PCI)
- Email deliverability triage
- Brand impersonation investigation
Look up DNS without flag soup
dotdig is a friendly DNS resolver — formatted output, custom resolver support, DNSSEC validation. Zero-config alternative to dig.