Free Tool

DMARC Record Checker

If your DMARC policy is set to p=none, anyone can send phishing emails that appear to come from your domain — and Gmail will deliver them. Check your policy, reporting config, and alignment in under 10 seconds.

Why DMARC Enforcement Matters More Than You Think

What DMARC actually protects you from

DMARC stops three threats: spoofing (emails faking your domain), phishing attacks on your customers, and reputation damage from unauthorized sending. Without it, anyone can send email that appears to come from yourcompany.com — and Gmail will accept it.

p=none, p=quarantine, p=reject — what you're actually risking at each level

p=none means you're watching but not acting — your domain can still be spoofed. p=quarantine sends failing emails to spam. p=reject is full enforcement: unauthorized emails are blocked at the gateway. Most brands with deliverability problems are stuck at p=none for months.

The daily reports you should be reading — but probably aren't

The rua tag instructs inbox providers to send you daily XML reports showing every IP that sent email claiming to be your domain. These reports reveal unauthorized sending from misconfigured services, shadow IT tools, and active phishing campaigns. Without rua configured, you're blind.

Alignment: the setting that determines if your DMARC policy actually fires

Alignment links your DKIM signature and SPF Return-Path back to the From header. If alignment fails, DMARC doesn't trigger — even if SPF and DKIM both pass individually. Strict alignment requires exact domain matches; relaxed allows subdomain matching. Most ESPs require relaxed.

Fix What You Found

DMARC Record Generator → SPF Record Checker → DKIM Record Checker → Deliverability Health Check →

Learn More

↗

SPF, DKIM, and DMARC Explained

The Authentication Trinity: plain-English breakdown of what DMARC alignment requires.

↗

Does DMARC Failure Guarantee the Spam Folder?

2.2M email study: DMARC-failing messages hit spam 30.75% of the time vs 16.7% for passing.

Why We Built This Tool

Phishing attacks that impersonate your domain don't require breaking into your systems — they just need you to have weak DMARC. InboxEagle monitors 2,000+ brands and sees that p=none is the most common setting by far. Brands often stay at p=none for months because they're afraid of breaking legitimate email. This tool shows you exactly what will happen if you enforce.

What Goes Wrong Without This

Without DMARC enforcement (p=reject), anyone can send emails that appear to come from your domain. If your policy is p=none or missing, phishing attackers will spoof your domain, and Gmail will deliver the emails. Your customers get phished, your brand gets damaged, and ISPs start filtering your legitimate mail too.

Who This Tool Is For

E-commerce & DTC Brands

Teams sending transactional and marketing emails who want to prevent phishing emails that impersonate their brand and damage customer trust.

Email Marketing Agencies

Agencies managing client domains who need visibility into unauthorized sending and daily aggregate reports to catch phishing attacks early.

B2B SaaS & Outbound Teams

SaaS companies and outbound teams who need airtight DMARC enforcement to prevent attackers from spoofing their domain in phishing campaigns.

Frequently Asked Questions

What is DMARC?

DMARC (Domain-based Message Authentication, Reporting and Conformance) is a TXT record on your domain that tells ISPs how to handle emails that fail SPF or DKIM authentication. It also instructs inbox providers to send you daily reports on any email claiming to be from your domain.

What's the difference between p=none, p=quarantine, and p=reject?

p=none means DMARC is monitoring only — failing emails still get delivered. p=quarantine sends failing emails to spam. p=reject blocks failing emails at the gateway. Most brands start at p=none for safety, then gradually move to p=reject as they verify all their legitimate senders pass authentication.

Do I need both SPF and DKIM for DMARC to work?

DMARC requires at least one of them — either SPF or DKIM — to align with your From domain. Both is better because it covers more sending paths and makes DMARC enforcement more reliable. Without SPF or DKIM configured, DMARC can't protect your domain.

Do I need an InboxEagle account to use this tool?

No. This tool is completely free and requires no account or sign-up. InboxEagle provides it as a standalone resource for email marketers, developers, and agencies.

One Policy Change Can Block Phishing Attacks on Your Customers

InboxEagle monitors your DMARC record and sends you daily aggregate report summaries — no XML parsing required. You see exactly which services are failing authentication, get alerted when new unauthorized senders appear, and receive step-by-step guidance for moving from p=none to p=reject safely.

Start Free 14-Day Trial

No credit card required · Cancel anytime

Not ready yet? See how DMARC Monitoring works →